BULGARIA Law and Practice Contributed by: Konstantin Vassilev and Kiril Kirkov, Vassilev & Partners Law Firm
8.4 Key Disclosure Requirements for AI Use Bulgarian law does not currently impose a general company-law obligation to disclose all AI use, AI strategy or AI governance arrangements in annual reports. Disclosure depends on the type of company, materiality of the AI use and the applicable regulatory framework. For private companies, AI-related disclosure will usually arise only where required by specific legal regimes, contracts, sector regulation, data protec - tion rules, consumer protection rules or litigation. For public companies and issuers, AI-related matters may need to be disclosed where material to the company’s business, strategy, risks, financial position or securi - ties. If AI is material to an issuer’s business model, opera - tions, products, controls, cybersecurity exposure, customer relationships or regulatory compliance, it may need to be addressed in the annual report, risk disclosures, management report or other regulated information. Material AI-related risks should also be included in a prospectus or offering document where they are specific to the issuer or securities and mate - rial for investors. The EU AI Act contains specific transparency and information requirements, including duties to inform users that they are interacting with AI in certain cases, rules on AI-generated or manipulated content, techni - cal documentation for high-risk AI systems, registra - tion for certain systems and serious incident report - ing. Data protection, cybersecurity and sector-specific laws may also require transparency notices, impact assessments or incident notifications.
AI strategy is usually a board or senior management matter where AI is material to the business model. Operational responsibility typically sits with product, technology, legal, compliance, information security and data protection functions. Internal audit or exter - nal assurance may test AI controls in regulated sec - tors or high-impact use cases. 8.3 Liability Exposures Arising From AI Use The main regulatory exposures arise under the EU AI Act, GDPR, cybersecurity rules, consumer protection law, employment law, anti-discrimination law, product safety regulation, IP law and sector-specific regula - tion. Depending on the AI system, liability may attach to the provider, deployer, importer, distributor or user. Personal data is an immediate risk area. AI systems processing personal data may create exposure for lack of lawful basis, inadequate transparency, exces - sive data use, automated decision-making risks, poor security, unlawful profiling or insufficient handling of data subject rights. Companies may face contractual and tort claims if AI use causes harm, produces defective outputs, leads to discriminatory decisions, breaches confidential - ity, infringes IP rights, damages customers or causes operational disruption. Board and officer liability may arise where directors fail to exercise adequate oversight over material AI risks. This is most relevant where AI is central to the busi - ness, used in regulated processes, affects customers or employees, or creates material disclosure, cyber - security or compliance risks. Enforcement may come from regulators, shareholders, customers, employees and counterparties.
79 CHAMBERS.COM
Powered by FlippingBook