The Directive, to be transformed into local law in Bulgaria by 17 October 2024, provides new obligations for companies and organizations.
On 16 January 2023, a revised EU cybersecurity directive entered into force – Directive (EU) 2022/2555 (known as the Network and Information Security Directive – NIS2), which establishes a modernized and more harmonized cybersecurity framework for organizations within the European Union. NIS 2 expands its scope to cover a total of 18 sectors divided into two categories. What is important for all the companies and organizations that will be affected – and there are not a few – is that the directive is to be introduced in Bulgaria no later than 17 October 2024, and that the size of the sanctions under it is similar to those under the GDPR.
A. Sectors of high criticality such as:
B. Other critical sectors such as:
Any medium or large-sized entity in these sectors falls within the scope of NIS 2 (i.e. companies with more than 50 employees or more than EUR 10 million annual turnover).
In practice, this means that any company in the explicitly listed sectors with more than 50 employees will have to comply with a set of technical, operational and organisational measures that are not typical of its day-to-day business activities. For example, courier service providers, banks, medical institutions/healthcare facilities, transport sector companies (air carriers), food producers (vegetables, canned goods, confectionery, food for infants and young children, etc.), water suppliers and distributors, software providers and many others would fall within the scope of NIS 2. All these companies will have to bring their operations into line with the requirements of the new rules.
In addition, certain companies will be subject to the new rules regardless of their size, for example: telecom operators, trust service providers, DNS providers and others. Member States will have the right to designate other entities (if their activities are particularly essential), even if they do not fall into these categories, and will also be able to automatically designate operators of essential services (as already defined in Bulgaria under NIS 1) as essential entities.
Based on their sector and their importance, entities (companies) will be classified as either:
a) essential entities (e.g. entities in the sector of high criticality, telecoms, cloud providers, etc.)
or
b) important entities – these should include all other entities covered by NIS 2 but not classified as essential. In general, this should cover the entities in the critical sector (although exceptions may apply) – postal and courier services, chemicals and food, manufacturers, digital providers, etc.
The major differentiation between the two categories will be in terms of the supervisory and enforcement measures, and the fines that will be applicable to them.
This is important, as NIS 2 introduces a number of new obligations, heavy penalties and a minimum set of measures that companies will have to ensure, for example:
Companies will face a new multi-step process for reporting significant incidents to the national computer security incident response team (CSIRT). It consists of:
It is important to point out that an incident might be treated as significant even if it is only likely to be capable of causing disruption to the entity’s services, or of affecting other natural or legal persons by causing considerable material or non-material damage. That is, reporting will sometimes be required even if no damage has occurred.
Considering the GDPR-like fines (see below for more details), this is very important to note and take into consideration, as even seemingly minor incidents can turn out to be significant ones subject to reporting.
The Directive also introduces a number of novelties, which we will only mention briefly:
For this purpose, by 17 January 2025 these entities will be obliged to provide a certain set of information to the competent authority (e.g. IP ranges, where regulated services are provided, contact data, etc.).
NIS 2 provides that coordinated security risk assessments of the supply chains of critical ICT services, products and systems may be carried out at EU level. These assessments will have to take into account a range of factors, including non-technical risk factors, which, as the preamble to the act clarifies, include factors such as “undue influence of a third country on suppliers and service providers”.
Therefore, a new EU-level toolbox on supply chain security can be expected in the near future. Member States will also need to promote the use of European and international standards and will even be able to require the use of ICT products, services and processes certified under European cybersecurity certification schemes.
Essential entities (e.g. energy, telecoms, cloud providers) will be subject to both ex ante and ex post supervision by the competent authorities, because they carry out activities which reflect a higher level of criticality. Important entities (e.g. postal and courier, chemicals and food, manufacturers) will be subject to ex post supervision only.
In Bulgaria, this body is expected to be the Ministry of e-Government, as it is now under NIS 1, and it will have considerably stronger powers to control compliance. For example, it will be able to carry out on-site inspections, remote inspections, request access to information and documents, carry out targeted security audits, etc.
As a rule, essential and important entities would fall under the jurisdiction of the Member States where they are established. If established in more than one Member State, they will fall under the jurisdiction of each of them.
There will be exceptions, however, for some entities for which NIS 2 (at least on a first read) seems to establish a one-stop-shop mechanism, for example:
Cross-border providers that offer services within the EU but are not established there must designate a representative in the EU, who should be established in one of the countries where the services are offered (similar to the GDPR). In the absence of a representative in the EU, any Member State in which the entity provides services may take legal action against the entity.
Management bodies/natural persons of essential and important entities may be held personally liable for non-compliance with NIS 2. This is explicitly provided as a tool to ensure that company executives are highly motivated to implement all new measures appropriately. For this purpose, management bodies of the entities will also be required to follow special training, while companies will be encouraged to offer similar training to their employees on a regular basis.
NIS 2 is backed up with GDPR-like fines:
Member States will have the right to impose a higher maximum at their own discretion.
Among other things, authorities will also have powers to:
NIS 2 should be turned into local law in Bulgaria by 17 October 2024 at the latest.
NIS 2 will require amendments to the Bulgarian Cybersecurity Act and the respective secondary legislation, and new regulations will need to be issued. In addition, revision of the Electronic Communications Act and the Rules on minimum security requirements for public electronic communications networks and services is expected. Other sectoral legislation will also need to be amended.
Entities need to start internal processes to evaluate their products, services, supply chain, etc. and identify whether and which of their services fall under the scope of the new rules, including to: