2018 was an eventful year from a compliance perspective, with data privacy, cyber security, and anti-money laundering among the key areas. Like other countries in the EU, Bulgaria has made steps to harmonize its legislation and follow the major legal trends in Europe.
Some of the new provisions extend the protections for vulnerable consumers; others concern companies’ overall approaches to risk management. Along with the positive aspects of increased focus and protection, businesses faced and continue to face many challenges in adapting to the new legal requirements.
2018 will definitely be remembered by compliance officers as the year in which Regulation 2016/679 (the GDPR) became operational.
Starting from 2016, when no one paid much attention to the GDPR, then in 2017 and in the first quarter of 2018, businesses in Bulgaria struggled to properly understand the new rules, identify their gaps, and comply with the GDPR. A February 2018 survey conducted of its members by the Bulgarian Chamber of Commerce and Industry showed that four months before the GDPR’s May 25, 2018 applicability date only 14% of the businesses were even somewhat ready to meet its requirements.
Most of the companies reported that the principle of accountability was one of the biggest challenges. This principle required that a large amount of policies be prepared and implemented, data subjects be notified, and projects be planned from a GDPR perspective, all of which involved significant costs. Another challenge was the IT angle of each GDPR project. The requirements for “appropriate technical and organizational measures” involved improving mechanisms for physical, technical, and software protection, and data breach registration, reporting, and remedial actions.
Today, GDPR awareness among business has risen, but many companies still have a long way to go to ensure compliance.
On January 24, 2019, the Bulgarian parliament voted to amend and supplement the Personal Data Protection Act to transpose and localize, where possible, the GDPR rules. It is yet to be seen how the sub-legislative acts and the practice will shape the implementation of the new rules in Bulgaria.
The New Cybersecurity Act
On November 13, 2018, the Bulgarian Cybersecurity Act (CSA) entered into force to implement the NIS Directive (EU Directive 2016/1148).
The new requirements apply to the administrative authorities and providers of public services online; operators of essential services that rely heavily on network and information systems in key sectors such as energy, water, transport, banking, and healthcare; and digital service operators such as e-commerce platforms, online search engines, and cloud computing services.
The CSA imposes new cybersecurity standards on those affected businesses that use network and information systems in their activity and where a cyber incident may significantly affect the provision of their services. As with the GDPR, compliance is time- and resource-consuming, as affected entities must deploy state-of-the-art technologies, policies, and processes in order to mitigate the risk of incidents and to be able to report them.
The full implementation of the CSA by authorities and businesses is pending the adoption of sub-legislative acts to further detail the requirements.
New Anti-Money Laundering Approach
In March 2018, the Bulgarian parliament adopted a new AML Act which transposes the EU’s 4th AMLD and introduces some major changes, including a new risk-based approach, enhanced customer due diligence, establishment of ultimate beneficial owner register, definition of politically exposed persons, etc. This was followed by a new AML Regulation at the end of 2018 providing further guidance and specifics.
Bulgaria is also in the process of performing the comprehensive national risk assessment envisaged by the 4th AMLD to identify the AML/CFT risks at a national level, which will be used as a basis for risk assessments for the different sectors and individually for the obliged entities.
There are 35 categories of obliged entities, including private businesses, authorities, and political parties, that are required to apply the AML measures, which include customer due diligence (including the identification of clients, beneficial owners, and origins of funds), the collection of data and documents, assessment of money laundering risks, and reporting obligations with regard to any doubtful transactions and customers.
Obliged entities under the AML Act will need to register their ultimate beneficial owners before the end of May 2019 in the Bulgarian Commercial Register and Register of NPLE.
By Nevena Radlova, Head of IP and Competition, and Tatyana Yosifova, Junior Associate, CMS Sofia
This Article was originally published in Issue 6.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.