For a significant period of time, cybersecurity was a rather abstract concept, a formal requirement, or merely a technological issue for most organizations in Bulgaria. With the updates in the Cybersecurity Act of 13.02.2026, however, circumstances are fundamentally changing. The transposition of the European NIS2 Directive not only supplements the old rules, but sets a new standard of responsibility, requiring companies to prove they manage their risks and protect their data, systems, and clients.
Which sectors fall under the new NIS2 requirements?
The scope of the law is becoming much broader, and it is no longer just about banks and telecommunications. The new rules divide companies into “essential” and “important” entities, as follows:
- Essential entities (with a high degree of criticality): Energy, Transport, Banking sector, Financial market infrastructures, Healthcare, Drinking water, Wastewater, Digital infrastructure, ICT services, Public administration, Space sector.
- Important entities: Postal and courier services, Waste management, Manufacture and distribution of chemicals, Manufacture and processing of food, Production of important industrial products (medical devices, computers and electronics, electrical equipment, engineering, automotive and transport equipment), Digital service providers (online platforms, cloud services, etc.), Research and development activities.
Even if your company is not directly listed above, if you work with partners from these industries, you will also need to meet the high security standards to remain part of their supply chain.
What do you need to change immediately?
The law no longer treats cybersecurity as a set of installed programs or security certificates. It becomes a continuous cycle of processes with the following mandatory elements:
Active risk and asset management
You must prove that you search for, identify, and eliminate vulnerabilities in your processes through:
- Regular assessments and audits
- Access control and cryptography
- Backups and recovery of protected archives
New reporting regime for cyber incidents:
It is now mandatory to notify authorities in case of a breach, and concealment is a legal offense. Deadlines are critical:
- within 24 hours: Early warning to the competent authorities upon identifying a significant incident.
- within 72 hours: Detailed notification with an initial assessment of the scope and impact.
- within 30 days: Final report with a detailed analysis of the causes and measures taken.
Supply chain security:
Your security now also depends on your partners. The law requires:
- Assessment of your IT partners and cloud service/application providers
- Implementation of specific cybersecurity requirements in third-party commercial agreements.
People and processes:
Technology is useless without well-trained teams and clear procedures. That is why the amendments to the law provide for:
- Written crisis procedures, so that the business keeps operating during technical failures
- Staff training
- Regular cybersecurity audits and assured business continuity in the event of disasters and incidents
Hefty fines if you do not comply with the changes
The updated law provides for fines that can seriously undermine the stability of any business:
- Up to €10 million (or 2% of turnover) for essential entities.
- Up to €7 million (or 1.4% of turnover) for important entities.
- Personal liability for managers: Fines from €500 to €5000 for managers who have not introduced the necessary cybersecurity policies into work processes.
Until June 2026, there is a grace period during which fines for offenders are halved, but you should prepare now.
How can a certified high-class data center help?
The changes in the Cybersecurity Act are not aimed at creating new administrative burdens, but represent a step toward a more secure business environment for clients and users. However, for many companies, the question is still about the necessary investments and the optimal way to apply the regulation to their business.
Instead of risking penalties or investing on your own in equipment, premises, and security, you can rely on a certified high-class data center with a professional approach and an environment designed for maximum protection of your server equipment and data.
AbsCloud Data Center (AC☁DC) offers:
- Physical and infrastructural security of your servers, compliant with ISO/IEC 27001:2022, 20000-1:2018, and 9001:2015
- Uninterrupted services and disaster recovery solutions
- Controlled environment with backup power supply, cooling, and network connections
- Consultations regarding the infrastructure part of NIS2 requirements
If you want your servers to be located in a protected and certified environment, contact the AbsCloud Data Center team – we will provide a stable foundation on which your business and systems can operate calmly and securely.
See also:
AC☁DC with ISO/IEC 27001:2022, 20000-1:2018, and 9001:2015 certificates
The human factor in data security
How does the data center protect your business from unpredictable events?
