Corporate Governance 2026

BULGARIA Law and Practice Contributed by: Konstantin Vassilev and Kiril Kirkov, Vassilev & Partners Law Firm

ESG requirements are not limited to reporting. Com - panies may also be affected by environmental per - mitting, waste, emissions, health and safety, labour, anti-discrimination, whistle-blowing, anti-corruption, public procurement, AML, sanctions and data protec - tion rules. Financial market participants may also be subject to SFDR and EU Taxonomy reporting. 7.2 ESG Developments The main ESG development is the EU-wide shift from rapid expansion of sustainability reporting and due dil - igence obligations to simplification, burden reduction and recalibration of scope. This is relevant because Bulgarian ESG reporting obligations are largely EU- driven. Bulgaria implemented CSRD-based amendments in 2024. The EU Omnibus process has since moved towards simplifying the CSRD and CSDDD frame - work, including higher thresholds, narrower scope and postponed application of parts of the due diligence regime. Bulgarian companies should reassess whether they remain within scope, what deadlines apply and which data points remain required. Fewer companies may ultimately be directly covered, but those that remain in scope will need stronger data systems, audit trails, internal controls and board-level responsibility. Companies outside direct reporting scope may still be affected indirectly because banks, investors, pub - lic customers and large customers may request ESG data from suppliers and counterparties.

mandatory AI governance mandate. Board oversight of AI derives mainly from general directors’ duties, risk management, data protection, cybersecurity, con - sumer protection, employment, anti-discrimination, intellectual property, sector-specific regulation and the EU AI Act. Boards should treat AI as a governance and risk issue where the company develops, procures, deploys or materially relies on AI systems. Oversight should cov - er AI strategy, inventory of systems, risk classification, procurement controls, data governance, human over - sight, cybersecurity, testing, documentation, incident response, vendor management and regulatory moni - toring. Most Bulgarian companies do not have a dedicated AI committee. AI oversight is usually allocated to existing structures, with implementation handled by manage - ment, legal, compliance, IT, cybersecurity, data pro - tection, product and internal audit functions. 8.2 AI Use-Related Risks The principal AI governance framework applicable in Bulgaria is the EU AI Act. It is risk-based and distin - guishes between prohibited AI practices, high-risk AI systems, general-purpose AI models, transparency obligations and lower-risk uses. It is complemented by data protection, cybersecurity, consumer protection, labour, anti-discrimination, IP, product safety, financial services and sector-specific rules. Companies should build internal AI governance around an inventory of AI use cases, risk classifi - cation, approval processes, vendor due diligence, data provenance, human oversight, testing, monitor - ing, incident response, employee training and clear accountability. The key 2025 development was the phased applica - tion of the EU AI Act. Prohibited AI practices apply from 2 February 2025, and rules on general-purpose AI models apply from 2 August 2025. The general application date is 2 August 2026, with certain high- risk AI rules applying later under the current EU time - table.

8. Artificial Intelligence 8.1 Board Oversight of AI

The main legal framework for AI in Bulgaria is Regula - tion (EU) 2024/1689, the EU Artificial Intelligence Act, which applies directly in Bulgaria. Bulgaria does not yet have a fully developed standalone national AI law, and the national implementation framework remains under development. There are no Bulgarian company law rules requiring AI expertise on boards, a dedicated AI committee or a

78 CHAMBERS.COM

Powered by