Developments in the area of cybersecurity requirements
Not later than 17 October, 2024, Bulgaria was supposed to introduce the requirements of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). To that end, it is necessary to amend the Cybersecurity Act, in which the requirements of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union are transposed.
The new Directive, whose requirements are yet to be reflected in the Cybersecurity Act, provides for a different approach to determining the range of persons and entities having obligations with respect to the assurance of network and information security.
Listed in Annex I to Directive 2022/2555 are a number of sectors of a high level of criticality for the functioning of the member states, such as energy, transport, the banking sector, health care, while Annex II lists other critical sectors such as postal services, waste management, industrial production, food processing and distribution. Within these sectors, the entities are divided into essential and important, with different obligations provided for each of these types.
Essential are entities active in one of the sectors listed in Annex I that exceed the ceilings for medium-sized enterprises as per Article 2(1) of the Annex to Recommendation 2003/361/EC, as well as qualified trust service providers, top-level domain name registries and DNS service providers. Also belonging to this category are providers of public electronic communications networks or of publicly available electronic communications services which qualify as medium-sized enterprises under Article 2(1) of the Annex to Recommendation 2003/361/EC. Also included are public administration entities at central level and other service providers deemed essential by the member state under one procedure or another – e.g., in accordance with Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC, or in accordance with the now repealed Directive 2016/1148.
Any other entities active in the sectors as per Annex I and Annex II are defined as important entities.
Entities in both groups, essential and important, are assigned obligations to maintain network and information security, as well as to report within 24 hours any incident that may lead to disruption of the services provided or to financial loss, or that may affect other individuals or legal entities.
With regard to essential entities, Directive 2022/2555 provides for ex-ante supervision as well as for control in the course of performance of their business activity, while for important entities it provides solely for control during such performance. In view of the varying assessments of the entities’ significance, a range of sanctions is provided for breach of the requirements of the directive. Personal liability is introduced for the management bodies of both groups of entities, in addition to their obligation to undergo regular training in network and information security.
While it is yet to be determined how these requirements are to be transposed into the Cybersecurity Act, essential and important entities will be expected to bring their operations into compliance with the requirements of Directive 2022/2555, even though it has not yet been transposed.