The amendments to the Cybersecurity Act, transposing Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS 2 Directive”) into Bulgarian law, were adopted by the Bulgarian Parliament in the late evening of 5^th February 2026. The amendments will enter into force three days after their promulgation in the State Gazette.

The NIS Directive, the EU’s first cybersecurity legislation, established the baseline security and incident-reporting obligations for operators of essential services and digital service providers.  The NIS Directive has now been replaced by the NIS 2 Directive, which broadens the scope of the sectors covered, strengthens regulatory requirements, and enhances enforcement mechanisms. Under the new framework, in-scope entities are subject to more stringent cybersecurity, governance, and incident-reporting obligations, together with extensive supervisory and enforcement powers.

The amended Cybersecurity Act will also have a significant impact on ICT procurement and M&A activities, increasing the need for robust cyber due diligence and effective risk management.

If you need more information, please contact DGKV's Partner Violetta Kunze and DGKV's Senior Associate Georgi Sulev.