Banking Regulation 2025

BULGARIA Law and Practice Contributed by: Nikolay Cvetanov, Boris Lazarov, Asen Apostolov and Patrizia Foffo, Penkov, Markov & Partners

its implementation in the Bulgarian jurisdiction have been envisaged in а draft bill amending the Bulgarian CIA. These amendments form part of a broader legislative package proposal, relevant to the banking and financial sectors, following the Markets in Crypto-Assets Regulation, or part thereof, becoming applicable in the EU earlier in 2024. Most notably, the draft bill proposes changes with respect to the designation of a superviso - ry authority for the banking sector, which shall monitor compliance under DORA, the scope of its regulatory powers and the sanctions it may impose for non-compliance. Naturally, the BNB will be the regulator responsible for ensuring that both banks and their ICT service providers com - ply with DORA, being vested with the necessary powers to conduct supervisory activities, includ - ing investigations and sanctioning of in-scope organisations. In addition to the powers envisaged for the BNB by DORA, the draft bill suggests that BNB has the authority to request and review banks’ strat - egies, internal rules, procedures and mecha - nisms on implementation as regards information and network security, which must be adopted and ensured by the banks’ governing bodies in accordance with the requirements of DORA. Moreover, the BNB will be empowered to carry out, within its jurisdiction, supervisory reviews of each bank’s risks established through its own internal risk assessment and operational resil - ience testing. On the basis of these risk reviews, the BNB may assess whether the respective banks’ risk management frameworks, including strategies, procedures, mechanisms, and allo - cated resources, adequately ensure sound risk management and resilience.

It is worth noting that no specific organisa - tional (documentation) or technical (logical) requirements are set forth in the local draft bill with respect to governance of information and network security. Therefore, DORA’s general documentation, reporting, etc, obligations will have to be fully taken into consideration when implementing compliance measures, without accounting for additional local stipulations. In the event where BNB, in the course of its regulatory activities, identifies infringements of DORA, a broad range of remedial measures, respectively administrative penalties, are fore - seen to be imposed onto banks, depending on the severity of the breach. These measures range from written warnings (in the case of minor infringements), to formal requests that the inves - tigated bank undertakes corrective actions, such as to align its activity (including internal risk man - agement framework) with DORA’s requirements, and, in the most severe instances, even the revo - cation of the bank’s licence. Additionally, admin - istrative penalties for both non-complying banks and individuals, who have committed or permit - ted the commission of breaches under DORA (eg, members of management bodies of banks) are envisaged, which shall range from approxi - mately EUR25,000 to EUR100,000 for non- complying banks, respectively from EUR1,500 to EUR6,000 for individuals. It is anticipated that the proposed draft bill will be enacted later in 2024.

11. Horizon Scanning 11.1 Regulatory Developments The Euro Act

Bulgaria officially adopted an Act on the intro - duction of the euro in Bulgaria (“the Euro Act”)

87

CHAMBERS.COM

Powered by