# 13 First law in the field of cyber security was adopted in Bulgaria

The first Bulgarian act entirely on cyber security is already a fact.

The new Cyber Security Act (CA/the Act) was promulgated on November 13, 2018. The Act was adopted in compliance with the obligation to transpose Directive (EU) 2016/1148 of 6 July 2016 of the European Parliament and the Council concerning measures for a high common level of security of network and information systems across the Union.

The adoption of the Act is of key importance to ensuring an adequate level of security when using digital technologies and the successful counteraction to deliberate harmful attacks, since there was no such instrument for resolving cyber security issues until now, just separate rules in a number of special Acts (e.g., The Counter-Terrorism Act, the Electronic Governance Act, the Electronic Communications Act, the Criminal Code, the Ordinance on the Common Requirements for Network and Information Security, etc.).

Which authorities are going to be responsible for the cyber security?

The new Act creates new competent authorities and structures in the cybersecurity area:

  • Cyber ​​Security Council;
  • National Single Point of Contact for Cyber Security Issues;
  • National Cyber ​​Security Coordinator;
  • National Competent Authorities for Network and Information Security with administrative authorities, determined by the Council of Ministers;
  • National Response Team for Computer Security Incidents;
  • Sector Response Teams for Computer Security Incidents;
  • Cyber crime Center within the Chief Directorate “Combating Organized Crime” of the Ministry of Interior will be set up to carry out activities concerning the detection, investigation and documentation of computer crimes at national level;

The new Act regulates the powers in this matter of authorities such as:

  • the Chairman of the State Agency for Electronic Governance;
  • the Minister of Defense;
  • the Minister of Interior;
  • the Chairman of State Agency Of National Security;

Who is affected by the new requirements?

CA contains rules addressed to several different categories of liable entities (public and private):

  • administrative authorities;
  • operators of essential services operating in the following sectors:
    – energy;
    – transport;
    – banking;
    – financial market infrastructures;
    – health sector;
    – drinking water supply and distribution;
    – digital infrastructure. Essential service providers may be both public and private entities of those categories that meet each of the following criteria: 1) they provide essential service; (2) the provision of the essential service should depend on networks and information systems; and 3) network and information security incidents should have a significant disruptive effect on the provision of the service. The operators of essential services will be designated by the competent administrative authorities according to these criteria and in accordance with a methodology adopted by the Council of Ministers. In this regard, the Chairman of the State Agency for Electronic Governance has to make a list of the essential services, which list will not be public though;
  • digital service providers providing any of the following services:
    – online marketplace;
    – online search engine;
    – cloud computing services;
  • organisations providing public services that are not designated as essential service providers or digital service providers when these organisations provide administrative services by electronic means. Public services are services in relation to provision of which administrative services may be provided, namely:
    – educational;
    – health care;
    – water supply;
    – sewage;
    – heat supply;
    – electricity supply;
    – gas supply;
    – telecommunications;
    – postal;
    – banking;
    – financial;
    – trust services within the meaning of Regulation (EU) 910/2014; and
    – other similar services provided in order to satisfy public needs, including services provided as a commercial activity;
  • persons exercising public functions, which are not designated as essential service providers, when providing administrative services by electronic means.

Obviously, the new Act has a potentially very wide range of addressees which justifies the need to know it so that the respective obligated persons can comply with it.

In order to avoid the imposing of a disproportionate financial and administrative burden, enterprises that are micro and small digital service providers, within the meaning of the Micro and Small Enterprises Act, are among the entities, that are excluded from the scope of the new Act.

How does this affect the private sector?

As already emphasized, besides public sector entities, a number of companies from the private sector shall have obligations under this Act as well. Some of the key requirements can be outlined depending on the addressee:

  • Administrative authorities:
    – take appropriate and proportionate measures to ensure network and information security;
    – take appropriate measures to prevent and minimize the impact of accidents affecting their network and information security, in order to ensure the continuity of their activities;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of their activities;
    – take minimum measures for achieving network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
  • Persons exercising public functions and organisations providing public services;
    – provide and are responsible for their network and information security when providing administrative services by electronic means;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of the administrative services they provide electronically;
  • Essential service providers:
    – take appropriate and proportionate measures to ensure a level of network and information security, corresponding to the existing risk;
    – take appropriate measures to prevent and minimize the impact of incidents affecting their network and information security, in order to ensure the continuity of the essential services they provide;
    – notify the sector response teams for computer security incidents for incidents that have an impact on the continuity of the essential services they provide;
    – notify the digital service provider in case of an incident that may have a significant detrimental effect on the continuity of the provided essential service and affects the digital service provider, when the essential service provider relies on a digital service provider to provide a given essential service;
    – take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months of entering into force of the CA. The network and information security requirements provided for by the Act must be applied by essential service providers only in respect to the provided essential services;
  • Digital service providers:
    – take appropriate and proportionate technical and organisational measures to manage the risks to the security of the networks and their information systems, used for providing digital services within the territory of Bulgaria;
    – take appropriate measures to prevent and minimize the impact of accidents affecting their network and information security;
    – notify the sector response teams for computer security incidents of incidents that have a significant impact on the continuity of the digital services they provide.

A number of criteria are taken into account in determining the impact of an incident;
– take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
– a digital service provider that is not established in a EU Member State but offers any of the above-mentioned services within the EU, the digital service provider must designate a representative in the EU that must be established in a Member State where the services are offered;
– in certain occasions, it may be necessary for the public to be notified of incidents that have occurred.

It should also be noted that the Act expressly states that where it is provided for in a EU legal act or a sector-specific or service-specific act, the operators of essential services or the digital service providers are required either to ensure the security of their network and information systems or to notify of incidents, those acts apply, provided that their requirements are at least equivalent in effect to the obligations laid down in CA.

  • Persons not expressly designated as obligated persons under the Act:
    – Except for persons, expressly mentioned in the Act, other persons may notify on a voluntary basis the sector response teams for computer security incidents of incidents that have an impact on the continuity of the services they provide. The obligated persons’ notifications shall be processed with priority.

Regarding the notification obligations

The notification under the Act in the event of the specified incidents occurring should be made within two hours of identifying the incident and the complete data should be sent within 5 days.

Notifications shall be submitted following the sample form approved in accordance with an ordinance on the minimum scope of network and information security measures, along with other recommended measures to be adopted by the Council of Ministers under Art. 3, Para. 2 CA.

By-law legislation is yet to be adopted.

Sanctions

The CA provides for sanctions for violation of its requirements, with fines amounting to BGN 20,000 and property sanctions – up to BGN 25,000.

It should be emphasised that the CA also provides for sanctions for officials who commit or allow a violation under Chapter Two of the Act to be committed, with fines amounting up to BGN 15,000.

The Act has entered into force as of November 16, 2018 for most of its part. The provisions on the establishment and functions of an Incident Monitoring and Response Center for incidents with a significant detrimental impact on the communication and information systems of strategic sites and activities relevant to national security as well as certain obligations of the Sector Response Teams for Computer Security Incidents for notification shall take effect as of January 1, 2022.

Ensuring the secure and orderly functioning of networks and information systems is essential to the facilitation of the cross-border movement of goods, services, capital and people. From this point of view, the European Union is increasingly focusing on the creation of common rules on cybersecurity, as it is an important step towards the establishment of a single digital economy within the internal market. We are about to observe how the new regulation will affect the public and private sectors, but in any case, the EU’s and the Bulgarian legislature’s ambition to create a legal framework on cybersecurity is commendable.