NIS 2: What does Bulgarian business need to know?

As technology evolves and cyber threats increase, protecting information systems is becoming a key priority for European businesses and the public sector.

With Directive (EU) 2022/2555, known as NIS 2, coming into force on 18 October 2024, organisations in Bulgaria and across the European Union will need to meet new, more stringent cyber security requirements.

In Bulgaria, the process of transposing the directive into national law is ongoing. On 6 February 2025, the eGovernment Committee adopted at first reading amendments to the Cybersecurity Act that introduce the NIS 2 requirements.

This article will introduce you to the main aspects of the Directive and what it means for business in Bulgaria.

What is NIS 2?

NIS 2 is the second version of the Network and Information Security (NIS) Directive, which aims to harmonise cybersecurity standards across EU Member States. Coming into force in January 2023, it replaces the previous NIS Directive from 2016, expanding the scope and introducing new requirements for organisations operating in key economic sectors.

The main objectives of NIS 2 are:

  • Increasing resilience to cyber threats through enhanced security measures.
  • Extending the scope of the Directive to more industries and companies.
  • Reinforcing controls and introducing strong sanctions for non-compliance.
  • Improving international cooperation on cyber security.

Who is affected by NIS 2?

Whereas the previous NIS Directive focused on a limited range of ‘essential services’, NIS 2 covers significantly more sectors and extends the requirements to a much broader set of businesses, namely:

  • Energy:
    • Electricity;
    • District heating and cooling;
    • Oil;
    • Natural gas;
    • Hydrogen.
  • Transport:
    • Air;
    • Rail;
    • Water;
    • Road.
  • Banking sector
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Space

Other critical sectors:

  • Postal and courier services
  • Waste management
  • Manufacture, preparation and distribution of chemicals
  • Food production, processing and distribution
  • Manufacturing:
    • Manufacture of medical devices and in vitro diagnostic medical devices
    • Manufacture of computers, electronic and optical products
    • Manufacture of electrical equipment
    • Manufacture of machinery and equipment n.e.c.
    • Manufacture of motor vehicles, trailers and semi-trailers
    • Manufacture of other transport equipment
  • Digital service providers
  • Scientific research

What are the new requirements?

NIS 2 requires affected organisations to take steps to improve their cyber security. Key obligations include:

  1. Risk management:
    • Analysing and assessing cyber risks.
    • Developing security policies and incident response plans.
  2. Technical measures:
    • Using multi-factor authentication (MFA).
    • Encrypting sensitive information.
    • Continuously monitoring networks and systems.
  3. Supply chain security:
    • Assessing risks related to suppliers and partners.
    • Introducing security requirements in contracts with third parties.
  4. Incident reporting:
    • Reporting security breaches within 24 hours of detection.
  5. Training and awareness:
    • Training employees on good data protection practices.

What are the penalties for non-compliance?

One of the most significant changes in NIS 2 is the more severe penalties for non-compliance.

The fines can reach:
  • €10 million or 2% of annual global turnover for essential entities.
  • €7 million or 1.4% of annual global turnover for important entities.

Sanctions also include administrative inspections and suspension of executives for serious violations.

How to prepare for NIS 2?

Businesses and organisations in Bulgaria should start preparing immediately to avoid risks and penalties. Here are some key steps:

  1. Analyse the current situation:
    • Check whether your organisation is covered by the directive.
    • Identify cybersecurity vulnerabilities.
  2. Implement international standards:
    • Follow best practices such as ISO/IEC 27001 for information security management.
  3. Train staff:
    • Conduct regular training for employees and management.
  4. Build response plans:
    • Prepare incident management and data recovery strategies.
  5. Work with experts:
    • Consult with cybersecurity specialists to ensure you meet all requirements.

Why is NIS 2 important?

The directive aims not only to protect individual companies, but also to improve society’s overall resilience to cyber attacks. As the popular saying goes, “A chain is only as strong as its weakest link.”

In this context, NIS 2 ensures that every organisation, regardless of size or sector, will contribute to the security of the digital environment.

Conclusion

Contact us to find out how the Balkan Services team can help you achieve NIS 2 compliance and protect your business from cyber threats!

If you’re looking for professional advice on securing your company’s IT data, our IT experts are here to help.

Balkan Services has been implementing business software solutions and providing comprehensive IT support since 2006, with over 720 projects completed.

Balkan Services

Balkan Services has been implementing software solutions for businesses since 2006 and has completed more than 720 business software implementation projects and building complete IT infrastructure for 390+ companies. We follow a proven implementation methodology with clear steps and best practice know-how.