The European Union’s Network and Information Systems Directive (NIS2) was introduced to enhance cybersecurity across the EU, aiming to protect critical infrastructure and essential services such as energy, transportation, and healthcare. NIS2 sets a high bar for all EU Member States, requiring them to improve their cybersecurity resilience, implement strong risk management practices, and report incidents within strict timelines. Yet, despite these clear guidelines, Bulgaria, like many other EU countries, has been slow to adopt the necessary changes and was unable to meet the deadline for transposing NIS2 (i.e., the 17th of October this year). The delay has left Bulgaria facing several legal and operational challenges, compounded by the absence of a functioning Parliament.
While many EU countries are struggling with the complexities of implementing NIS2, Bulgaria’s situation is particularly dire because of its current political vacuum. The country has been without a stable government for months, leaving it unable to pass new laws, including the transposition of NIS2. Without a Parliament to debate and approve the necessary legislative changes, Bulgaria finds itself unable to comply with EU requirements for cybersecurity, although the draft law is already presented to the public.
The lack of a clear national cybersecurity framework due to the delay in adopting NIS2 has created uncertainty for businesses and government agencies in Bulgaria. Sectors like energy, transport, and finance, which are directly impacted by NIS2, have found themselves in a legal gray area. In the absence of the required national laws, these sectors are unsure of what specific obligations they must meet. Furthermore, Bulgaria’s lack of legal clarity could lead to inconsistencies in how different companies interpret the need to comply with NIS2, further complicating the overall cybersecurity landscape.
The delay also places Bulgaria in violation of EU law. NIS2 is legally binding for all Member States, and failure to comply with it has already led to open criminal proceedings against Bulgaria and 22 other EU countries for failing to implement European cybersecurity rules fully. The lack of progress has sparked concerns about the country’s commitment to EU-wide cybersecurity efforts. Non-compliance with such a key legislative text not only risks legal action but also damages Bulgaria’s reputation within the EU and could, in turn, discourage foreign investment and collaboration, especially in industries like technology, where cybersecurity is a top priority.
Bulgaria’s political crisis exacerbates the situation. While this is a unique challenge for Bulgaria, it is not entirely uncommon across the EU. Many Member States have faced delays in meeting the NIS2 deadline, fighting with bureaucracy, political inertia, or simply lacking the necessary expertise in cybersecurity to implement the new requirements. But Bulgaria’s political deadlock presents a more immediate and severe challenge.
The situation also highlights a wider challenge within the EU: while cybersecurity is becoming an ever more critical priority, the complexity of implementing NIS2 has left many Member States grappling to stay on track. The wide-ranging requirements—covering everything from risk management to incident reporting—demand significant changes in national laws and regulatory practices.
Looking ahead, Bulgaria must prioritize resolving its political crisis and forming a stable government to move forward with NIS2 transposition. Once a government is in place, swift action will be needed to draft and pass the necessary laws, establish a national cybersecurity strategy, and ensure that critical sectors are fully compliant with NIS2. While the delay is unfortunate, it also presents an opportunity for Bulgaria to reassess its cybersecurity infrastructure and ensure that it is better prepared to address future challenges.
On a side note, despite the delays, there is a silver lining for Bulgaria’s cybersecurity future. The draft law for transposing NIS2 is already on the table and, in an ambitious twist, it actually proposes some stricter requirements than NIS2 itself. This demonstrates Bulgaria’s commitment to not just meeting the EU’s expectations but exceeding them in the effort to strengthen its cybersecurity framework. We don't know, of course, whether this will not be seen as yet another over-regulation for the business. Looks like there are many unknowns on the threshold of 2025, and like every year we can only wish everyone involved "Keep calm and tighten your seatbelts!".
By Irena Georgieva, Managing Partner, PPG Lawyers
