CRA Compliance in Bulgaria

National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Bulgarian manufacturers.

Bulgaria's national cybersecurity authority structure is coordinated through the State e-Government Agency (SEGA) and CERT Bulgaria, which serves as the national CSIRT. Bulgaria is developing its cybersecurity governance in line with NIS2 requirements, and CRA enforcement capacity is expected to build progressively ahead of the 2027 application date. Bulgarian manufacturers in IT outsourcing, electronics assembly, and growing industrial sectors face CRA obligations as their products incorporate digital elements.

National Competent Authority (CRA)

SEGA

State e-Government Agency

Bulgaria's State e-Government Agency (SEGA) coordinates national cybersecurity functions and CRA NCA responsibilities. The National Cybersecurity Coordination Centre operates under SEGA. The specific CRA NCA designation and any transfer of functions to a dedicated cybersecurity authority are to be confirmed through national implementing legislation.

https://www.egov.bg

National CSIRT (Article 14 Reports)

CERT Bulgaria

https://www.egov.bg/bg/kategorii-registraciya/cybersecurity

CRA Enforcement in Bulgaria

Bulgaria's CRA national competent authority functions are coordinated through SEGA and the National Cybersecurity Coordination Centre. Market surveillance for consumer and industrial products is coordinated with the State Agency for Metrological and Technical Surveillance (DAMTN) and the Commission for Consumer Protection (KZP). Bulgaria is developing its national cybersecurity regulatory framework under NIS2 transposition, and CRA implementing legislation will build on this foundation. The specific allocation of CRA NCA functions — whether to SEGA or a future dedicated cybersecurity authority — is to be confirmed through national implementing legislation expected ahead of December 2027.

CRA reference: Article 41, Article 43

Article 14 Incident Reporting for Bulgarian Manufacturers

Bulgarian manufacturers are expected to submit Article 14 notifications to CERT Bulgaria through SEGA's cybersecurity reporting channels. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. Bulgaria's NIS2 transposition framework designates the competent authority and CSIRT for incident coordination, and CRA Article 14 procedures will follow these designated channels. Manufacturers should confirm the current Article 14 reporting mechanism with SEGA or the competent authority, as Bulgaria's national implementing legislation may refine reporting channels ahead of December 2027.

CRA reference: Article 14

Market Surveillance & Penalties

Market surveillance for CRA products in Bulgaria is coordinated between SEGA, DAMTN, and KZP. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Bulgaria has been building market surveillance capacity and DAMTN has conducted CE marking enforcement activities under EU product safety regulations. Bulgarian manufacturers should maintain technical documentation accessible for surveillance inspection and should monitor SEGA communications for updated CRA enforcement guidance.

CRA reference: Article 54, Article 58

Support for Bulgarian Manufacturers

SEGA publishes cybersecurity guidance for Bulgarian businesses through the e-Government portal. The Bulgarian Small and Medium Enterprises Promotion Agency (BSMEPA) supports SME investments in cybersecurity through EU-funded programmes. The Bulgarian Academy of Sciences provides technical research expertise relevant to conformity assessment activities. The Bulgarian Chamber of Commerce and Industry (BCCI) provides regulatory compliance guidance for manufacturing members. EU Cohesion Funds and the Recovery and Resilience Facility provide Bulgaria with resources for digital and cybersecurity infrastructure investments, including manufacturer support programmes.

CRA reference: Annex I, Article 13

CVD Portal automates your Article 14 notification obligations.

Pre-built notification workflows for CERT Bulgaria, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.

Frequently asked

How do I contact SEGA or CERT Bulgaria as a manufacturer?

SEGA can be contacted through egov.bg. For cybersecurity regulatory queries, SEGA's cybersecurity division handles manufacturer enquiries. CERT Bulgaria is reached through the cybersecurity section of the SEGA website. Manufacturers seeking CRA implementation guidance should also consult the Bulgarian Chamber of Commerce and Industry (BCCI) at bcci.bg, which provides EU regulatory compliance support for Bulgarian manufacturers.

Does Bulgaria have national-level CRA implementing legislation?

Bulgaria is in the process of transposing NIS2 and developing a comprehensive national cybersecurity framework. CRA implementing measures will build on the NIS2 transposition legislation and amend existing product safety laws administered by DAMTN. The specific national legislation implementing CRA market surveillance and penalty provisions is to be confirmed through the Bulgarian legislative process, with measures expected ahead of the December 2027 application date. Manufacturers should monitor the State Gazette (Държавен вестник) for relevant legislative developments.

What resources are available for Bulgarian SME manufacturers navigating CRA compliance?

Bulgarian SME manufacturers can access free CRA guidance through ENISA's published implementation resources, available in English and accessible at enisa.europa.eu. BSMEPA provides subsidised advisory services for SMEs investing in EU compliance. The Bulgarian Chamber of Commerce (BCCI) has a digital economy working group engaged in CRA implementation. Bulgaria's National Recovery and Resilience Plan includes investment in enterprise digitalization and cybersecurity capability, creating grant opportunities for manufacturers implementing CRA-compliant processes.
