DORA Compliance in Bulgaria
The Digital Operational Resilience Act (DORA) entered into application on 17 January 2025 and applies directly in Bulgaria without national transposition. Financial entities licensed in Bulgaria must meet binding ICT risk management, incident reporting, resilience testing, and third-party oversight requirements.
Who is in scope in Bulgaria?
Any of the following entity types licensed or registered in Bulgaria falls under DORA (DORA Article 2):
- Credit institutions (banks, building societies, savings institutions)
- Insurance and reinsurance undertakings (Solvency II entities)
- Investment firms, UCITS management companies, AIFMs
- Payment institutions and electronic money institutions
- Crypto-asset service providers (CASPs) under MiCA
- Central counterparties (CCPs) and central securities depositories (CSDs)
- Trading venues, data reporting service providers, trade repositories
- Institutions for occupational retirement provision (IORPs) whose schemes together have more than 15 members (DORA Article 2(3)(c) excludes those with 15 or fewer)
- Managers of alternative investment funds and fund administrators
Micro-enterprise exemption: Entities with fewer than 10 employees and annual turnover below €2M are exempt from certain DORA requirements but must still implement basic ICT risk controls.
DORA obligations — five pillars
All five pillars apply to in-scope entities in Bulgaria:
- ICT Risk Management: ICT risk management framework. A documented ICT risk management framework, with the management body accountable for it. (DORA Art. 5-6)
- ICT Risk Management: Protection and prevention. Continuous monitoring of ICT systems, security policies and tooling. (DORA Art. 9)
- Incident Reporting & Detection: Detection mechanisms. Mechanisms for prompt detection of anomalous activity and ICT-related incidents. (DORA Art. 10)
- ICT Risk Management: Business continuity and recovery. ICT business continuity policy, backup and recovery plans. (DORA Art. 11-12)
- Incident Reporting & Detection: Major ICT incident reporting. Classification of major ICT-related incidents and reporting to the competent authority. (DORA Art. 17-19)
- Resilience Testing: Resilience testing programme. Regular ICT resilience testing; threat-led penetration testing (TLPT) for designated entities. (DORA Art. 24-26)
- Third-Party Risk Management: Third-party ICT risk management. Register of ICT third-party providers, contractual requirements and management of concentration risk. (DORA Art. 28-30)
- Information Sharing: Threat intelligence sharing. Arrangements for the voluntary exchange of cyber threat information and intelligence. (DORA Art. 45)
Incident reporting to BNB
When a major ICT incident occurs, Bulgaria-licensed entities must follow the DORA three-stage reporting timeline (DORA Articles 17–23):
- Initial notification (4 h): notify the competent authority within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it. Include date and time, nature of the incident and an initial impact assessment.
- Intermediate report (72 h): within 72 hours of the initial notification, provide the updated status, the initial root-cause hypothesis, containment measures taken and any revised impact classification.
- Final report (1 month): within one month of the intermediate report, provide the full post-incident analysis, confirmed root cause, remediation actions taken, lessons learned and recurrence-prevention measures.
The classification criteria for major incidents are set by the RTS in Commission Delegated Regulation (EU) 2024/1772; the content, timelines and templates for the three reports are set by the RTS and ITS on major incident reporting (Commission Delegated Regulation (EU) 2025/301 and Commission Implementing Regulation (EU) 2025/302). A parallel GDPR Article 33 notification to the data protection authority (within 72 hours of awareness) may also be required if personal data is affected.
DORA vs NIS2 in Bulgaria
Financial entities in Bulgaria that also fall under NIS2 Annex I (banking and financial market infrastructure sectors) are subject to both frameworks, but DORA is the sector-specific act (lex specialis). Under NIS2 Article 4(1), where a sector-specific act imposes risk-management and incident-notification requirements at least equivalent in effect, the corresponding NIS2 provisions (Articles 21 and 23) do not apply; NIS2 recital 28 names DORA as such an act. Major incident reports therefore go to the financial supervisor under DORA, which forwards them to the NIS2 competent authority and CSIRT (in Bulgaria, State Agency for National Security (SANS) / National CSIRT / CERT Bulgaria) under DORA Article 19(6). Entities should confirm with their supervisor whether any additional national notification is expected.
Frequently asked questions
Does DORA apply to financial institutions in Bulgaria?
Yes. DORA (Regulation (EU) 2022/2554) is directly applicable across all 27 EU member states, including Bulgaria, from 17 January 2025. No national transposition is required — the Regulation applies in full as published. Financial entities regulated in Bulgaria must comply directly.
Which authority supervises DORA in Bulgaria?
DORA supervision in Bulgaria falls to the entity's primary prudential regulator: the Bulgarian National Bank (BNB) for credit institutions, payment institutions and e-money institutions, and the Financial Supervision Commission (FSC) for insurers, investment firms, fund managers, pension funds and market infrastructures. For banking groups under ECB direct supervision (SSM significant institutions), the ECB is the lead authority; national supervisors handle less significant institutions and non-bank financial entities. Cross-border groups must comply in each jurisdiction where they hold a licence.
What are the DORA incident reporting deadlines?
Financial entities must submit: an initial notification to the competent authority within 4 hours of classifying an incident as major (and no later than 24 hours from becoming aware of it); an intermediate report within 72 hours of the initial notification; and a final root-cause analysis and remediation report within one month of the intermediate report. These deadlines are set by DORA Articles 17–23 and the associated Regulatory and Implementing Technical Standards (RTS/ITS) on incident reporting.
How does DORA differ from NIS2 for financial institutions in Bulgaria?
Both frameworks are relevant, but DORA acts as lex specialis: for ICT risk management, incident reporting and operational resilience, DORA's more detailed obligations apply instead of NIS2 Articles 21 and 23 for in-scope financial entities (NIS2 Article 4(1) and recital 28). The financial supervisor forwards major incident reports to the NIS2 competent authority and CSIRT (State Agency for National Security (SANS) / National CSIRT) under DORA Article 19(6). Organisations should still document the DORA reporting workflow separately from any GDPR or national notification duties, and confirm with their supervisor whether any direct national notification is expected.
Who must undergo TLPT (threat-led penetration testing) under DORA?
DORA Article 26 requires financial entities identified by their competent authority (based on their systemic character and ICT risk profile) to conduct TLPT at least every 3 years. TLPT must follow the TLPT RTS, which is aligned with the TIBER-EU framework. In Bulgaria, the Bulgarian National Bank (BNB) and the Financial Supervision Commission (FSC) identify and notify the entities required to perform TLPT. All other entities must still run the regular testing programme under DORA Article 25, including vulnerability assessments, network security assessments and penetration testing.
Official sources
- NIS2 Directive (EU) 2022/2555 — EUR-Lex
- DORA Regulation (EU) 2022/2554 — EUR-Lex
- ENISA — EU Agency for Cybersecurity
Last reviewed: 2026-07-03
For decision-support purposes only. DORA obligations may vary by entity type, size and systemic significance — verify with a qualified financial regulatory expert.