Seen only a few years ago as a potential threat of the future, cybercrime has now become a reality affecting the entire EU internal market. In response, cybersecurity has become an essential element of the EU Digital Single Market Strategy (‘Strategy’), leading, among other things, to the adoption of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (‘NIS Directive’).
Following the Strategy, on 31 October 2018, the Bulgarian Parliament adopted the first ever Cybersecurity Act (‘Act’) transposing the NIS Directive.
The main objective of the NIS Directive and the Act is to achieve a high level of security where critical infrastructure is involved and to preserve the undisrupted operation of the public sector, thereby ensuring consumer trust. The legislation also targets digital services used by both consumers and businesses to facilitate their activities.
Based on our initial review of the Act, here are some highlights that we find interesting, although they are perhaps not so much in the spotlight:
Who will be affected?
As expected, the Act targets both the public sector, i.e., administrative bodies, and the private sector. Within the private sector, two main groups are covered: operators of essential services (‘OES’) in several sectors (including, for example, energy and transport) and digital service providers (‘DSP’) in the categories of online marketplaces, online search engines and cloud computing service providers.
When speaking of online marketplaces, it is important to know that not every entity selling goods/services online falls under the definition of a marketplace. Only entities providing a platform for the conclusion of transactions, in both B2B and B2C relations, are concerned; traders selling their own goods/services online, i.e., through their own websites, are not. Further, intermediaries that merely compare prices and/or redirect customers to a trader’s website for the final stage of a transaction are excluded as well.
Another interesting group is medium-sized entities acting as OES in sectors such as health and digital infrastructure. When determining whether an entity is covered by the Act as an OES, the authorities shall consider factors such as the number of customers, market share, the significant disruptive effect an incident may cause, etc. Thus, although the focus is likely to be on major players, small and especially medium-sized entities are not excluded by default. In practice, this means that even an entity that considers itself a small domain name system (‘DNS’) service provider or hospital rather than a large one (e.g., because it consists of just twenty health professionals) may still have to implement security measures in accordance with the Act.
What are the obligations?
The Act essentially frames the obligations of these entities in general terms: they must take appropriate and proportionate technical and organizational measures given the risks to which they are exposed, without the Act specifying concrete measures or obligations. An Ordinance prescribing somewhat more concrete requirements is expected to be adopted, hopefully in the near future.
Despite this uncertainty, from a practical point of view, in our opinion entities can be expected, inter alia, to designate a person (or persons) responsible for reporting incidents and ensuring a fast reaction to breaches; to monitor, audit and regularly test their information systems so that their availability and resilience are maintained; to adopt internal policies; and to train employees.
It is likely, however, that implementing such measures will have practical implications under the General Data Protection Regulation (‘GDPR’). For instance, popular practices such as BYOD (bring your own device), the prevalence of social engineering and the fact that most cybersecurity incidents occur through connected devices could make it very difficult, if not impossible, for entities to balance personal data legislation and cybersecurity rules. Another complication might arise because cybersecurity breaches typically involve the disclosure of both personal and other data (e.g., trade secrets), which may trigger simultaneous reporting obligations under both regimes, each with its own deadline (under the GDPR, the supervisory authority must be notified within 72 hours of the entity becoming aware of a personal data breach).
In view of all of the above, entities should carefully consider (perhaps even on a case-by-case basis) whether they fall within the scope of the new cybersecurity legislation, as well as the potential overlap between it and other laws.
* * *
The article was prepared by Mr. Georgi Kanev, Senior Associate and Deputy Director, and Veronika Andreeva, Associate, both at PETERKA & PARTNERS Bulgaria