The Parliament passed on second reading amendments to the Cyber Security Act, adapting Bulgarian legislation to European requirements. These include improved procedures for risk assessment and reporting of cyber incidents, as well as measures to limit the use of risky technologies.
The new provisions introduce the NIS 2 Directive, which aims to increase the overall level of cybersecurity, protecting network and information systems. The law covers public and private entities, including providers of certification services, educational institutions, and the judiciary, divided into essential and important categories.
The bill expands the scope of the sectors subject to control, from 8 to 18, including space, wastewater, ICT services, as well as critical sectors such as postal services, waste management, food and chemicals production, and others. Important and essential entities will have to notify SERIX of significant incidents within 24 hours of their discovery, and provide detailed information within 72 hours.
The Council of Ministers (CM) will have the right to require entities to use specific ICT products and services certified within European schemes. The Cyber Security Council will prepare proposals to limit the use of technologies or supply chains from non-EU countries. Entities will have a three-year period to discontinue the use of prohibited technologies, with a shorter period possible in case of high risk.
Opposition proposals for the recommendatory nature of the CM's regulations and an extension of the compliance deadline were not accepted. MPs expressed concerns about excessive regulation and lobbying interests related to the potential exclusion of Chinese telecommunications companies.