On 13 November 2018, the new Cyber Security Act (CA) was published in order to transpose the requirements of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
The law on cybersecurity is mandatory for the following entities:
1. administrative bodies;
2. operators of essential services (e.g. key enterprises operating in sectors such as energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, digital infrastructure, as described in the Annex to the CA);
3. digital service providers (digital services are defined as online marketplaces, online search engines and cloud computing services);
4. persons performing public functions when providing administrative services electronically (e.g. notaries, private bailiffs, state and municipal educational institutions, state and municipal medical institutions, etc.);
5. organizations providing public services (education, health, water supply, sewerage, heating, electricity, gas, telecommunications, postal, banking and financial services, etc.) that do not fall under items 3 or 4, when these organizations provide administrative services electronically.
Digital service providers, which are micro and small enterprises, are among the entities excluded from the scope of the Cyber Security Act.
The Law on Cybersecurity provides for severe administrative sanctions and fines of up to BGN 25,000 for repeated violations.
The requirements set in the Cybersecurity Act and in the Ordinance on the minimum requirements for network and information security issued under it are based on:
- international standards for information security such as: ISO 27001, ISO 27009, ISO 27013, ISO 29146, ISO 27018, etc.
- international risk management standards such as: ISO 31000, ETSI TS 102 165-1, ISO 11770-1, ISO 20889, ISO 20008-1, etc.
- international encryption standards such as: ISO 18033-1, ISO 18033-5, etc.
- international auditing standards such as: ISO 27006, ISO 19011, ISO 17020, etc.
- international standards for security assessment such as: ISO 15408-1, ISO 18045, ISO/TS 19608, ISO/TR 20004:2015, ISO 29190, ISO 27030, ISO 29184 and others.
Where to start?
We are consultants with over 15 years of experience in the implementation, auditing and certification of Management Systems. Together with you we will create the plan that best suits your needs!
If you would like to receive a consultation offer, please click