Parliamentary questions
1 October 2019
Answer given by Ms Gabriel on behalf of the European Commission
Question reference: P-002649/2019

Bulgaria transposed Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union(1) (the NIS Directive) into national law by adopting the Cybersecurity Law of 13 November 2018. Bulgaria communicated the measures fully transposing the directive to the Commission on 14 November 2018.

The Commission is now carrying out checks on the conformity of the national measures with the NIS Directive. As part of these checks, the Commission organises country visits to the Member States, during which it meets with competent authorities, operators of essential services (OES) and digital service providers (DSPs). A visit to Bulgaria should take place in the coming months.

The NIS Directive does not oblige Member States to impose security requirements and incident notification obligations on the public administration. The directive provides for such obligations exclusively for operators of essential services from the sectors listed in its Annex II and for digital service providers as listed in Annex III. However, in its communication to the European Parliament and the Council ‘Making the most of NIS’(2), the Commission recommends to Member States to extend the application of the requirements set by the NIS Directive to more sectors and in particular the public administration.

In its Cybersecurity Law, Bulgaria has decided to impose measures going beyond the requirements provided in the NIS Directive and included obligations:

On persons performing public functions (who are not designated as OES) when such persons provide electronic administrative services for citizens and businesses; and
On organisations providing public services (which are not designated as operators of essential services or who are not digital service providers) when such organisations provide administrative services electronically.

(1) OJ L 194, 19.7.2016, p. 1.
(2) COM(2017) 476 final/2.

Last updated: 2 October 2019