Bulgaria adopts new Cyber Security Act


On 31 October 2018, the Bulgarian parliament passed the Cyber Security Act after a second reading, paving the way for this law's enforcement within the next couple of weeks. The law implements EU Directive 2016/1148 (the “NIS Directive”) for sustaining a high level of security for networks and information systems across the EU. The new law addresses:

  • the organisation, management and control of cyber security, including all cyber defence activities aimed at ensuring a high common level of security for networks and information systems, and for countering cybercrime;
  • the designation of national and specialised authorities for cyber security, and outlines their powers and functions;
  • the security and notification requirements for operators of essential services, digital service providers and competent administrative bodies, as well as persons performing public functions and organisations providing on-line administrative services.

New authorities and new powers of existing authorities

The Council of Ministers, assisted by the newly established Cyber Security Council and the National Cyber Security Coordinator, is responsible for the development of the National Cyber Security Strategy and National Network and Information Security Strategy. These bodies will also manage and organise the national cyber security system on a strategic level.

On an operational level, Bulgaria's administrative bodies have special powers and competences. The “National Security” State Agency is mandated to protect strategic communication and information systems from potential cyber security incidents, and to create a Monitoring and Incident Reaction Centre. The General Directorate for Combating Organised Crime is to establish a Center for investigating and fighting cyber security crimes on a national level.

The “Electronic Governance” State Agency (or the “E-Governance Agency”) as a national competent authority is empowered to:

  • monitor, coordinate and facilitate the compliance of all administrative bodies with network and information security requirements;
  • maintain a register of essential services operators, digital service providers and competent authorities on network and information security, and oversee a register of essential services;
  • establish a National Single Point of Contact responsible for coordination of network and information security issues, and cross-border cooperation issues with the relevant authorities of other EU member states;
  • establish a national Computer Security Incident Response Team (CSIRT). Currently, a Bulgarian CSIRT center exists (https://govcert.bg), which assists in reducing the risks of information security incidents, and resolving such incidents if they have already occurred. Computer Security Incident Response teams are to be established within competent local authorities in the various sectors (i.e. energy, transport, banking, financial market infrastructures, health, and digital) and will coordinate their activities with the national CSIRT.

New responsibilities 

Operators of essential services, digital service providers, competent administrative bodies, persons responsible for performing public functions and organisations providing on-line administrative services are obliged to:

  • ensure that adequate technical and organisational measures are in place to respond to any risks or threats to the security of network and information systems;
  • notify the competent authorities within two hours of becoming aware of a cyber-security incident;
  • provide any and all information requested by the competent authorities.


If any of the responsible bodies or agencies fails to make a timely notification about a cyber-security incident, it could be fined between EUR 500 and EUR 5,000 or receive a pecuniary sanction of between EUR 700 and EUR 7,500. In the case of repeated violations, fines of between EUR 1,000 and EUR 10,000 or pecuniary sanctions of between EUR 2,500 and EUR 13,000 could be imposed.

If a violation is committed by an official, the official could receive a fine of between EUR 500 and EUR 5,000, unless the act constitutes a crime. Repeated violations by an official could lead to a fine of between EUR 700 and EUR 7,500.

For more information, please contact: Maya Alexandrova and Tatyana Yosifova.