LEGAL ALERT, NOVEMBER 2018 – THE NEW BULGARIAN CYBERSECURITY ACT

 

I. Introduction

Bulgarian State Gazette No. 94 of 13.11.2018 introduced a new legislative act – the Cybersecurity Act, implementing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

The new legislation focuses mainly on creating obligations for public administrative bodies to ensure a high level of cybersecurity. However, some private entities also fall within its scope.

II. Obliged persons from the private sector

The following groups of private legal entities are to comply with the new Cybersecurity Act:

1. Operators of essential services in the following sectors: energy (including oil and gas), transportation, banking, financial market infrastructures, health sector, drinking water supply/distribution and digital infrastructure;

2. Digital service providers;

3. Organizations providing electronic administrative public services. This third group covers a large number of legal entities, and the business activities meeting this criterion are expected to be further clarified.

III. Obligations

The new Cybersecurity Act provides for two main groups of obligations for compliance:

1. Implementation of cybersecurity measures

In essence, the obliged persons are to ensure proper measures for:

  • technical and organisational security risk management of their networks and information systems used on the territory of the Republic of Bulgaria; and
  • prevention and minimisation of security breaches.

Matters of accountability and compliance with this requirement are expected to be further specified in a new order to be issued by the Council of Ministers by the middle of May 2019 (if the deadline remains unchanged).

2. Notification of incidents

The persons per Item II above are obliged to notify the authorities competent for their specific business activity in the event of a cybersecurity incident. These competent authorities (computer security incident response teams or ‘CSIRTs’) will be established within 4 months as of the entry into force of the Cybersecurity Act, i.e. in March 2019.

The Cybersecurity Act provides for very short deadlines for the notification of security incidents, namely:

  • initial notification within two hours from the ascertainment of the incident; and
  • provision of the full information regarding the incident – within five business days.

IV. Sanctions under the Cybersecurity Act

The new legislation provides for fines (for individuals) and monetary sanctions (for legal entities) in the range from BGN 1,000 to 15,000 (for a first infringement) and from BGN 2,000 to 25,000 (for a second infringement).

The sanctions are to be imposed in the following cases:

1. Non-compliance with the notification requirements;

2. Non-provision of information or non-compliance with given instructions; and

3. Other infringements of the Cybersecurity Act.


Dear Partners,

In recent hours third parties have copied the logo and details of Dinova Rusev and Partners law office and have sent a number of spam or phishing emails from gmail.com. Our emails use the domain drp-legal.com. DRP does not use gmail.com and does not send emails to third parties outside contacts with clients. The information in these emails does not come from our law firm and has no relation to the law office.

We have notified the authorities and the relevant authorities and officers at Google of this malicious activity and have taken all possible measures to stop these activities.

 


 
