The changes to the Cybersecurity Act are a fact: What should businesses do?
New legal requirements, expanded scope of entities and compliance strategies under the NIS2 Directive
With the promulgation of the amendments to the Cybersecurity Act (CSA) on 13 February 2026, Bulgaria officially aligns its cybersecurity legislation with the European Network and Information Security Directive NIS2/NIS2. The new texts in the Cyber Resilience Act introduce a legal obligation at the management level, setting new, higher standards for the protection of the country’s digital infrastructure. At the same time, the changes reflect the increasing complexity of cyber threats and the need for a coordinated response to protect critical infrastructure and economic sectors of strategic importance.
Obliged entities and expanded scope of regulations
The scope of obligated entities (sectors and subsectors) is significantly expanded, and they are divided into two categories: “essential” and “important”.
- Essential: Energy, Transport, Banking, Financial Market Infrastructures, Healthcare, Drinking Water, Wastewater, Digital Infrastructure, ICT Service Management, Public Administration, Space.
- Important: Postal and Courier Services, Waste Management, Production, Preparation and Distribution of Chemicals, Production, Processing and Distribution of Food, Production of Medical Devices, Computers, Electrical Equipment, Machinery, Motor Vehicles, Transport Equipment, etc., Digital Service Providers, Scientific Research.
- Expanded scope: The regulation affects all medium and large enterprises in the specified sectors and subsectors, and in certain cases - also small enterprises.
- Supply chain: Even if a company does not fall directly within the scope, if it is a supplier to a regulated organization, it must also meet certain requirements.
The amendments to the Act oblige companies to implement a comprehensive management system, encompassing periodic risk assessments, strict access controls and recovery plans. A strict reporting regime is introduced, requiring early warning of incidents within 24 hours and detailed notification within 72 hours. Organizations are now also responsible for the security of the supply chain through precise selection and contractual protection clauses. A key emphasis is also placed on employee training and crisis response preparedness, with the requirements being generally applicable to all entities. Failure to implement these measures may result in financial sanctions, including personal liability for management bodies.
Expert support from Paraflow
At Paraflow, we are ready to support organizations with services and solutions that fully comply with the requirements of the Law:
- IT infrastructure assessment, analysis, verification of the degree of compliance with the regulatory framework.
- Technology solutions from leading manufacturers, including Cisco, Palo Alto, Check Point, Fortinet, Rapid7, Microsoft, Broadcom, etc.: Next Generation Firewall, Endpoint Protection with EDR, SOC – Security Operation Center, Backup and Recovery solutions, etc.
- Cybersecurity training
- A full set of compliance documents.
Contact us for further information or consultation!
Mora news
CCNP Security Certification Strengthens Paraflow’s Cybersecurity Expertise
Our colleague Nikolay Mladenov is now officially certified as a Cisco Certified Network Professional (CCNP) Security
Paraflow Communications and the Happy restaurant chain – an excellent example of successful cooperation
For the complete modernization of its communication infrastructure, the Happy restaurant chain trusted Paraflow Communications
Paraflow won a public procurement contract for the modernization of the Unified Electronic Communications Network
New level of connectivity and cyber resilience!