NIS2 in Bulgaria: What Changed and What Your Business Must Do Now

For a long time, NIS2 felt like something distant – a regulation discussed in webinars, whitepapers, and future planning sessions.

That phase is over.

Across Europe, countries are moving from interpretation to enforcement, and Bulgaria is following the same path. The shift may not feel dramatic on the surface, but in practice it changes everything. What was once guidance is becoming obligation. What used to be flexible is becoming measurable.

NIS2 is no longer something to prepare for “someday.” It’s something businesses need to act on now.

From Directive to Reality

The core of NIS2 hasn’t changed. The requirements, the sectors, the overall direction – all of that has already been defined at EU level.

If you’re looking for a full breakdown of the directive itself, including who is covered and what the regulation includes, we’ve already explored that in detail here: What is NIS2: Key Changes and How They Impact Your Organization

What’s happening now is different.

The focus has shifted from understanding NIS2 to applying it. Bulgaria, like many other EU countries, is aligning its national legislation and preparing for enforcement. That’s when things become real – because regulations only start to matter when they are tied to accountability.

A Much Wider Circle of Affected Companies

One of the most noticeable changes is not in the wording of the directive, but in its reach.

Under previous regulations, cybersecurity obligations were limited to a relatively small group of organizations. NIS2 expands that significantly. Companies that never considered themselves part of “critical infrastructure” are now within scope.

This includes many organizations in IT, software, and digital services – sectors that are central to the Bulgarian economy. For many of these businesses, this will be the first time cybersecurity becomes a formal regulatory requirement, rather than an internal priority or best practice.

Cybersecurity Moves to the Boardroom

Another shift is happening internally within organizations.

Cybersecurity is no longer something that can sit entirely within the IT department. NIS2 makes that clear by placing responsibility directly on management. Leadership is expected to understand the risks, approve the measures, and take ownership of the outcome.

This changes the conversation. Security stops being purely technical and becomes part of how the business is run. Decisions about risk, investment, and priorities are no longer isolated – they are connected to compliance and accountability.

From Documentation to Demonstration

In the past, many organizations approached cybersecurity with a focus on documentation. Policies were written, procedures were defined, and assessments were conducted periodically.

NIS2 raises the bar.

It’s no longer enough to show that something exists on paper. Organizations are expected to demonstrate that their security measures actually work – that risks are actively managed, that incidents can be detected, and that responses are effective.

This is where many companies start to feel the pressure, because moving from theory to practice requires a different level of maturity.

If you’re exploring how this looks in real scenarios, especially from a technical perspective, we’ve covered it in more detail here: NIS2 and Penetration Testing: Ensuring Compliance and Cyber Resilience

Why Testing Becomes Central

One of the most practical ways to prove that security works is through testing.

Under NIS2, penetration testing is not just a good practice. The directive does not prescribe it by name, but Article 21 requires entities to have policies and procedures for assessing the effectiveness of their cybersecurity risk-management measures, and testing is the most direct way to produce that evidence. It is how vulnerabilities are discovered before they are exploited, and how detection and response capabilities are verified before they are needed.

This is particularly relevant for organizations that also fall under financial regulations, where requirements overlap. We’ve explored that connection in more detail here: NIS2 and DORA Testing Requirements – What You Actually Need

What’s important to understand is that penetration testing is not about ticking a box. It’s about gaining visibility into real risk.

A Continuous Effort, Not a One-Time Project

Perhaps the biggest mindset shift is this: compliance is no longer a one-time milestone.

The NIS2 directive expects organizations to operate in a state of ongoing awareness. Risks need to be reassessed, systems monitored, and improvements made continuously. This reflects the reality of today’s threat landscape, where change is constant and static defenses quickly become outdated.

For many companies, this is the most challenging part – not the initial effort, but maintaining consistency over time.

What This Means in Practice

For businesses in Bulgaria, the question is no longer whether NIS2 will apply, but how prepared they are for when it does.

The organizations that approach this early tend to have a clear advantage. They have time to understand the requirements, prioritize what matters, and build their approach gradually. Those who wait often find themselves under pressure, trying to meet expectations within tight deadlines.

In reality, the Bulgarian transposition of NIS2 does not demand perfection. What it requires is structure, consistency, and evidence that security is taken seriously and managed actively.

Final Thought

NIS2 is often described as a compliance requirement, but that framing misses the bigger picture.

What it really introduces is a different standard – one where cybersecurity is measurable, accountable, and embedded into the way organizations operate.

For businesses in Bulgaria, this is both a challenge and an opportunity. Those who treat it as a checkbox exercise will likely struggle. Those who approach it as a way to strengthen their resilience will be better positioned in the long run.

How AMATAS Can Help

At AMATAS, we work with organizations that are navigating this exact transition – from uncertainty to clarity, and from compliance to real protection.

Whether it’s understanding where you stand, identifying what’s missing, or building a practical path forward, the goal is always the same: making cybersecurity work in a way that is both effective and sustainable.

Not Sure Where You Stand with NIS2?

If you’re unsure how NIS2 applies to your organization – or how far you are from being ready – it’s worth getting a clear picture early. A short conversation can often bring more clarity than hours of research. Schedule a meeting with AMATAS to understand your position and next steps.

FAQ

Who does NIS2 apply to in Bulgaria?

NIS2 applies to a significantly broader range of organizations than its predecessor. It covers medium and large companies operating in critical sectors such as energy, transport, banking, healthcare, digital infrastructure, and IT services. Many software companies and digital service providers that were previously outside the scope of cybersecurity regulation now fall under NIS2 obligations for the first time.

What are the penalties for non-compliance with NIS2 in Bulgaria?

Organizations classified as “essential entities” can face administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. “Important entities” face fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. Beyond financial penalties, NIS2 makes management bodies accountable for approving and overseeing risk-management measures and allows them to be held liable for failures in cybersecurity governance; for essential entities, supervisory authorities can also seek a temporary ban on individuals exercising managerial functions.

What does NIS2 actually require organizations to do?

NIS2 requires organizations to implement risk management measures, maintain incident handling and response capabilities, secure their supply chains, and report significant incidents to the relevant national authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Critically, it also requires organizations to demonstrate that these measures work in practice – not just that they exist on paper.

What is the difference between “essential” and “important” entities under NIS2?

Classification depends on both sector and size. Large organizations in the high-criticality sectors of Annex I – energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space – are generally essential entities. Medium-sized organizations in those sectors, and organizations in the Annex II sectors such as postal and courier services, waste management, chemicals, food production, manufacturing, digital providers, and research, are generally important entities. The main practical difference is the level of supervisory scrutiny (proactive supervision for essential entities, reactive for important ones) and the size of potential fines.

Does NIS2 compliance need to be maintained continuously?

Yes. NIS2 is not a one-time certification. Organizations are expected to continuously monitor risks, update their security measures, and reassess their posture as threats evolve. This is one of the more demanding aspects of the regulation for businesses used to treating compliance as a periodic project rather than an ongoing operational responsibility.

What should Bulgarian businesses do first?

The most practical first step is understanding whether your organization falls within scope and, if so, which category applies to you. From there, a gap assessment helps identify where your current security posture falls short of NIS2 requirements. Starting early gives you time to build toward compliance gradually, rather than scrambling to meet deadlines under pressure.
