In response to growing cyber threats, the CCA Amendment Act aims to introduce appropriate measures to raise the overall level of cybersecurity by imposing certain obligations on so-called “essential” and “important” entities - the public bodies and private sector entities covered by the NIS 2 Directive.
One of the key amendments is the extension of the scope of obliged entities, which aims to ensure a higher level of cybersecurity across additional economic sectors.
The following areas fall within the scope of the new legal framework and are explicitly mentioned in the annexes to the law:
Annex 1
· Energy (electricity, district heating and cooling, oil, natural gas and hydrogen);
· Transport (air, rail, water and road);
· Banking;
· Financial market infrastructure;
· Healthcare;
· Drinking water;
· Waste water;
· Digital Infrastructure;
· Management of Information and Communication Technology (ICT) services;
· Public Administration;
· Space.
Annex 2
· Postal and courier services;
· Waste management;
· Manufacture, preparation and distribution of chemicals;
· Food production, processing and distribution;
· Manufacture of medical and in vitro diagnostic devices; computers, electronic and optical products; electrical equipment; machinery and equipment not classified elsewhere; motor vehicles, trailers and semi-trailers; other transport equipment;
· Digital service providers;
· Scientific research.
If an entity carries out business in any of the areas listed in Annex 1 and is a large enterprise within the meaning of the Accounting Act, it is defined as an “essential” entity. If the entity carries out business in any of the fields listed in Annex 1 or Annex 2 and is a medium-sized enterprise, it is defined as an “important” entity. The difference between the two regimes is twofold: the intensity of the measures the entity is required to implement for regulatory compliance, and the level of potential financial penalties for non-compliance. As a general rule, micro and small enterprises are outside the scope of the law.
Irrespective of the above size and sector criteria, however, the obliged entities under this law also include all administrative bodies, all providers of qualified certification services, registries of top-level domain names and DNS service providers, as well as entities identified as “critical”, i.e. entities that carry out specific activities, or whose activity is critical because of its particular importance at national or regional level for a given sector or type of service. The assessment of criticality will be made on an ad hoc basis by the competent authorities.
All obliged entities will be required to implement a minimum set of technical network and information security measures and to develop and adopt internal cybersecurity policies and procedures that describe the compliance measures taken and how cyber threats and cyber incidents are to be addressed and responded to.
There is also a new procedure for reporting cyber incidents to the local competent authority - the National Computer Security Incident Response Team (“NCSIRT”), established under the Ministry of e-Government, within specific deadlines.
The supervisory authorities will be able to carry out preliminary, ongoing and subsequent supervision of compliance with the regulatory framework, including on-site audits of obliged entities, requests for data, information and documents, the imposition of compulsory administrative measures, etc. In case of non-compliance with the network and information security requirements, the competent authorities will be able to impose significant sanctions, such as:
- for “essential” entities, a financial penalty of at least BGN 200,000 and up to 2% of the entity's total worldwide annual turnover for the preceding financial year;
- for “important” entities, a financial penalty of at least BGN 100,000 and up to 1.4% of the entity's total worldwide annual turnover for the preceding financial year.
The changes are significant for local businesses. They will affect a substantial number of medium-sized and large enterprises, which will have to bring their operations into line with the new regulations, in many cases by engaging IT and legal consultants, not least in view of the significant financial penalties envisaged.