site.btaUPDATED Parliament Adopts Conclusive Amendments to Cybersecurity Act to Align with Updated EU Standards

On Thursday, Parliament passed on second reading amendments to the Cybersecurity Act introducing enhanced European requirements related to risk assessment and incident reporting. The changes also include provisions aimed at restricting the use of high-risk technologies.

With the amendments to national legislation, Bulgaria transposes provisions of the EU Directive on measures for a high common level of cybersecurity, which covers the protection of network and information systems (NIS), known as the NIS 2 Directive.

The scope of the legislation is expanded to include public and private entities, providers of qualified trust services and domain name registries, educational institutions when they carry out research activities of critical importance, and the bodies of the judicial system.

The bill expands the sectors covered from eight to eighteen. Newly included sectors include space, wastewater, and the management of information and communication technology (ICT) services between enterprises, as well as critical sectors such as postal and courier services, waste management, the production and distribution of chemicals and food, manufacturing (of medical devices, computers, electronic and optical products, machinery and equipment, motor vehicles, trailers and semi-trailers), providers of digital services, and scientific research.

Essential and important entities must notify their sectoral Computer Security Incident Response Team (CSIRT) of any significant incident within 24 hours of its detection. Within 72 hours, the information must be updated and an initial assessment provided, including the severity and impact of the incident, as well as technical details. For trust service providers, the deadline for updating the information is 24 hours. A final report must be submitted no later than one month after the updated notification.

The Council of Ministers, on a proposal from the Cybersecurity Council, may establish requirements obliging essential and important entities to use specific ICT products, ICT services, and ICT procedures that are proven to be appropriate from an operational and economic standpoint, whether developed by the entities themselves or acquired from third parties, and certified under European cybersecurity certification schemes, the MPs decided.

Based on information provided on the results of a risk assessment coordinated at the level of the European Union regarding the security of critical supply chains, the Cybersecurity Council prepares a reasoned proposal to the Council of Ministers for the adoption of a decree to restrict the use by entities covered by the law of specific technologies or of critical supply chains for ICT services and/or ICT products originating from countries outside the EU.

If entities covered by the law are already using a technology that is restricted by a decree of the Council of Ministers, they must discontinue its use within three years of the adoption of the decree. In cases of high risk to national security, the decree shall set a shorter deadline, the MPs decided.

MP Angel Slavchev of Vazrazhdane said that the bill represents overregulation for businesses and is unnecessary. According to him, it obliges not only state-owned enterprises but also private businesses and dictates which technologies they must use. These restrictions would be proposed by the Cybersecurity Council, while the Council of Ministers would issue the decree, he explained. He also claimed that the US Embassy had “put pressure” on the governing majority to adopt the bill as soon as possible.

Fellow MP Tsoncho Ganev said that a lobbyist law was being debated “late at night,” with a single goal - to drive all Chinese telecommunications equipment companies out of Bulgaria. According to him, this serves the interests of Nokia and Ericsson, which would most likely take the place of the Chinese companies.

Krasimira Katincharova of Velichie said that the framework of the directive had been excessively expanded, turning the bill into an instrument for administrative pressure.

“With today’s decision, the National Assembly has taken an important step toward strengthening our national cybersecurity,” said Outgoing Minister of E-Governance, Valentin Mundrov from the parliamentary rostrum, regarding the amendments to the Cybersecurity Act adopted at second reading. The changes provide for the introduction of enhanced European requirements related to risk assessment and incident reporting.