Mandatory Cyber Security Standards Apply To Operators Of Critical Infrastructure, Digital And Public Service Providers In Bulgaria

December 2018 - Bulgaria-based operators of critical infrastructure, digital and public service providers must deploy state-of-the-art technology and processes in order to fend off cyber incidents and be able to immediately report unauthorised access to their network and information systems. This is mandated by a new Cyber Security Act transposing the European Union Directive on network and information security of 2016 in Bulgaria. Companies should plan and prepare, as meeting these new standards may require significant investments in technology and compliance, or even a complete overhaul of the ways an organisation stores and accesses proprietary or client data and maintains and protects its information technology systems.

Which businesses will have to introduce the mandatory cyber security measures?

Nowadays, no business should ignore cyber security concerns and the need to protect information technology networks and systems. Under the new Cyber Security Act, however, Bulgaria-based providers of certain essential and digital services (listed below) would be required to meet certain cyber security standards and observe other related obligations as long as those operators use network and information systems for providing the services and a cyber incident may significantly affect the provision of the services.

Those essential and digital services include:

Energy: electricity distributors, suppliers and transmission system operators; Oil: operators of oil transmission pipelines, of oil production, refining and treatment facilities, storage and transmission facilities; Gas: gas distributors, suppliers and transmission system operators, storage system operators, LNG system operators, operators of natural gas refining and treatment facilities, among others; Transport: air, rail, water and road companies, including operators of intelligent transport systems; Banking: credit institutions; Financial market infrastructures: stock exchanges and central counterparty clearing houses; Health: healthcare providers (most notably hospitals and private clinics); Water: drinking water supply and distribution companies; Digital infrastructure: e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores, domain name system providers, Internet exchange point operators, as long as those digital service providers are not micro or small enterprises. Sector-specific regulators that would be...