BULGARIA Law and Practice Contributed by: Nikolay Zisov, Svetlina Kortenska, Deyan Terziev and Teodora Peycheva, BOYANOV & Co.
From a practical corporate perspective, a fast-track procedure for company liquidation was also intro- duced in Bulgaria. The procedure is applicable only if certain conditions are met – eg, if the company has not conducted any activity (or has ceased its activity), or if the company has not hired workers and employ- ees (or has terminated their employment relationships) more than 12 months before filing the application for liquidation of the company under the new procedure, as well as other applicable conditions. However, this new regime is still not fully operational as the local authorities need to ensure the performance of certain functions. Last but not least, a local Markets in Crypto-Assets Act (which further implements the provisions of Regu- lation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto- assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (MiCAR)) was adopted by the Bulgarian Parliament and entered into force on 8 July 2025. The adopted Markets in Crypto-Assets Act also provides for a transitional period for obtaining a MiC- AR licence depending on whether the crypto-asset service provider was registered in the electronic public register with the NRA prior to 30 December 2024. The scope and focus of technology due diligence in Bulgarian technology M&A transactions have trans- formed considerably in recent years. What was once a secondary review of IT infrastructure has evolved into a strategic pillar of the deal process. Cybersecurity resilience, data privacy safeguards and regulatory compliance are now among the most scrutinised areas, reflecting the growing role of digi- tal assets, intellectual property and personal data in defining enterprise value. 9. Due Diligence/Data Privacy 9.1 Due Diligence Process Buyers have adopted a more sophisticated, risk- based approach – frequently leveraging frameworks such as ISO 27001 to evaluate a target’s cybersecurity posture, incident response readiness and data gov-
ernance maturity. This analytical depth allows acquir- ers to identify potential vulnerabilities and quantify regulatory exposure early in the transaction process. Legal and regulatory developments, particularly local enforcement of the GDPR and sector-specific frame- works governing critical infrastructure and telecom- munications, have also intensified scrutiny. Non- compliance is increasingly viewed not merely as an operational risk but as a material factor capable of affecting valuation, representations and warranties, and even deal completion. Beyond identifying risks, it shapes negotiation strategy, contract structuring and post-closing integration, reaffirming its role as a decisive element in achieving sustainable acquisition outcomes. 9.2 Technology Company Due Diligence Overall, the due diligence process in Bulgarian tech- nology M&A transactions is designed to provide bid- ders with the information they need to make informed decisions and to mitigate risks. The information is usu- ally provided under strict terms and conditions set forth in express non-disclosure agreements. Clean team arrangements and insider trading prohibitions are common. While there may be specific limitations on the information that can be provided (eg, GDPR restrictions), public companies are generally expect- ed to provide a reasonable level of due diligence to potential buyers. The level of technology due diligence that the board may allow will depend on the specific circumstances of the transaction. Sensitive or confi- dential information can be provided in stages, and the most confidential information may be provided only to top-ranked bidders or after submission of a binding offer. 9.3 Data Privacy Any processing of personal data during the due dili- gence of a technology company would need to be compliant with the requirements of the EU GDPR. There are no locally specific personal data protection rules in Bulgaria concerning the due diligence pro- cess. Specifically, disclosure of personal data must be mini- mised if insignificant for the due diligence process. The only available legal basis under the GDPR for
67 CHAMBERS.COM
Powered by FlippingBook