TMT 2026

Last Updated February 19, 2026

Bulgaria

Law and Practice

Authors



YNG Legal (Yankov, Nenchev, Gochev & Genchev Law Firm) is a Bulgarian law firm mostly specialised in working with technology companies and innovation-driven businesses across international markets. The firm considers itself to be technology-savvy, combining legal expertise with a deep understanding of emerging technologies, particularly AI, cryptocurrency and blockchain, cybersecurity and cloud computing. YNG Legal has extensive experience in data protection, intellectual property protection, IT and telecommunications regulations, contract drafting, negotiations and risk assessment, labour law, public procurement and tax consulting.

No comprehensive digital economy regulation framework exists in Bulgaria. Instead, the digital economy is regulated by a patchwork of national and EU legislative acts. At the EU level, these include the General Data Protection Regulation (GDPR) (2016/679/EU), the Digital Services Act (Regulation (EU) 2022/2065), the Data Act (Regulation (EU) 2023/2854), the Digital Markets Act (Regulation (EU) 2022/1925) and the AI Act (Regulation (EU) 2024/1689), as well as some industry-specific EU legislation such as the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554). At the level of national legislation, the digital economy is regulated mainly by the Data Protection Act (2006), the Electronic Commerce Act (2006) and the Supply of Digital Content and Digital Services and the Sale of Goods Act (2021), as well as the Cybersecurity Act (2018). Taxation issues are covered by the general tax legislation – with the VAT Act containing specific rules on the tax treatment of telecommunications services, digital services, distance selling, etc.

The key challenges relating to the digital economy lie in the interplay between Bulgarian and EU law. While EU law prevails over national law, some provisions of EU regulations and directives require national implementation in order to function properly. The Bulgarian legislature has consistently had issues with delayed and fragmentary implementation, which has led to some suboptimal legal regimes, creating uncertainty and complicating enforcement.

Taxation of Digital Services and Goods in Bulgaria

From a value-added tax (VAT) point of view, the standard VAT rate of 20% applies. As a general rule, all services should be taxable with VAT at the place of consumption, ie, where the customer is based – which normally would require that vendors are VAT registered in all countries where they have customers.

The Bulgarian legislation, based on relevant EU directives, has exempted most digital economy vendors from this obligation through the one-stop-shop scheme. Under this scheme, providers of digital services and goods may choose to register for VAT only in Bulgaria while charging VAT at the place of consumption, reducing paperwork and accounting costs.

From a withholding tax point of view, most digital services and goods are exempt from at-source taxation, unless they are bundled with consulting work or market research services.

Challenges in Managing Tax Compliance

The key challenges companies face with regard to tax compliance in the digital market relate to cross-border transactions, given the fact that the EU provides the opportunity to freely offer goods and services between its member states, while maintaining the different and sometimes overlapping taxation systems of those member states. A comprehensive tax and accounting analysis is normally needed before starting cross-border operations.

Advertising revenues are generally treated similarly to other digital services – the general VAT rules apply and no withholding tax is owed. It should, however, be noted that if the advertising service includes consultancy and/or marketing elements, the advertising revenue may be treated as remuneration for technical services, and a withholding tax at the standard rate of 10% would apply to the advertising revenue from the territory of Bulgaria.

Employing a local accountant to oversee tax compliance is essential for any business with active operations in Bulgaria. Most businesses are obliged to submit monthly declarations with complex accounting information, even when not registered for VAT purposes.

Regulatory Framework of Consumer Protection Within the Digital Goods and Services in the TMT Sector

Consumers benefit from several forms of protection in Bulgaria. As Bulgaria is a member state of the EU, Bulgarian legislation is aligned with the EU’s rules.

  • The Consumer Protection Act (CPA) adopts the provisions of the main EU directives in that field.
  • The Electronic Commerce Act regulates online business in Bulgaria, implementing EU directives for electronic trade and introducing measures for the application of the Platform-to-Business Regulation (2019/1150/EU).
  • The Electronic Communications Act (ECA) governs electronic communication services, networks and related regulatory frameworks in Bulgaria, aligning with EU law, and deals with issues such as cybersecurity and network regulation handled by the Communications Regulation Commission.

All the general rights of consumers must be observed in Bulgaria, such as transparent information, fair contract terms, conformity of digital content, fair commercial practices, data protection, the right to erasure, etc.

The latest important legislative development affecting all areas of business (including the TMT sector) is the introduction of the euro as Bulgaria’s official currency as of 1 January 2026, replacing the Bulgarian lev. Key obligations for a business include displaying prices of goods and services in both currencies for a period of at least a year and using the fixed exchange rate of the lev rounded to two decimal places when recalculating prices.

Violations will be monitored by several state authorities, and a special website and telephone line have been set up for reporting misconduct.

Best Practices to Ensure Consumer Rights in the TMT Sector

To ensure that consumer rights are respected, companies in the TMT sector may take various measures:

  • follow best practices issued by authorities such as the Consumer Protection Commission (CPC);
  • include mandatory information on their websites to ensure consumers are aware of their rights;
  • offer multiple channels for customer interaction and support;
  • conduct regular internal audits to assess whether they are applying the rules correctly;
  • integrate consumer protection requirements into product development and design;
  • seek counsel and lawyers’ expertise when implementing company policies and T&C to prevent legal issues, especially when launching new features; and
  • ensure that consent mechanisms with digital contracts are transparent and easy to understand.

Legal Framework for the Resolution of Consumer Disputes

Consumer disputes in Bulgaria can be resolved through court proceedings, and there are special procedural rules in favour of consumers that ensure they have equal chances in spite of their weaker financial and psychological position in relation to companies. The Bulgarian Civil Procedure Code applies to all court proceedings. It also integrates mediation by empowering courts to refer parties to a mediation session before the first case sitting, with financial incentives such as fee refunds for successfully mediated agreements.

Also, in the CPA there is a strong emphasis on alternative dispute resolution (ADR) in line with EU policy. Consumers are also encouraged to first submit complaints directly to the service provider. If the issue remains, they may turn to ADR bodies.

Best Practices for TMT Companies With Regard to Consumer Disputes

Effective dispute management begins with prevention. This starts with accessible and responsive customer support, clear and transparent terms and policies, and detailed guidelines on the complaint management process.

Automated tools such as chatbots may be useful for standard queries, but alternatives should be available for more complex or sensitive complaints.

TMT companies should focus on vulnerable groups, such as minors and elderly users, ensuring their rights are protected.

In the past few years, ground-breaking new regulations on cryptocurrency have been introduced that have completely reshaped the cryptocurrency landscape. Up until the end of 2024, crypto exchanges, custodians and payment services were simply required to register with the National Revenue Agency (NRA) and comply with basic anti-money laundering laws and other EU consumer protection regulations.

Since 2025, with the adoption of the MiCA Regulation (2023/1114/EU), new businesses are required to pass a much more extensive licensing procedure, while entities that were compliant under the pre-MiCA regulations are required to acquire authorisation under the new scheme by the end of June 2026 or cease operations that require licensing.

The key legal challenge presented by cryptocurrency is in regulating its dual nature – both as a financial instrument and as a means of exchange, ie, money. This becomes especially apparent when looking into cryptocurrencies that purport to maintain stable value referenced to a recognised fiat currency (e-money tokens, or EMTs within the meaning of MiCA).

As of now, the MiCA regime regulates that some EMT-related services should be carried out by entities that hold not only a MiCA licence, but also a payment service provider licence, which creates intense regulatory pressure and uncertainty for these businesses. There have been moves to amend this regulatory issue, but we do not expect to see major results on that front for at least a few years.

Crypto is regulated primarily as a financial instrument or digital asset by emerging EU and national law, not as a technology per se. Therefore, while crypto is heavily regulated by the MiCA regime, there is no comprehensive regulation regarding blockchain technology. Instead, depending on its use, blockchain may be impacted by sectoral regulations (eg, finance, data protection, digital identity) and innovation support frameworks rather than being treated as a standalone regulated subject.

Laws and Regulations Relating to Cloud and Edge Computing

Bulgaria does not have a standalone “Cloud Act” or “Edge Computing Act”. Instead, cloud and edge services are regulated through a combination of EU‑level rules (directly applicable) and Bulgarian national laws:

  • GDPR – directly applicable throughout the EU, including Bulgaria;
  • Personal Data Protection Act (PDPA) – Bulgarian national law that implements and enhances GDPR;
  • Cybersecurity Act – transposes the Network and Information Security Directive (NIS1) (2016/1148/EU) requirements into national law;
  • ECA; and
  • sector-specific acts that establish requirements for cloud usage or processing of personal data such as regulations from the Bulgarian National Bank relevant to the banking and finance sector, the Electronic Government Act relevant to the public sector, or the Health Act.

NIS2

The NIS2 Directive (NIS2) (2022/2555/EU) is yet to be transposed in Bulgaria. Based on its requirements, certain regulated industries – particularly banking, financial services and insurance – will be subject to stricter cybersecurity obligations than other sectors. Under NIS2, entities in the banking and financial market infrastructure sectors are automatically classified as essential entities, placing them in the highest supervisory tier. Once NIS2 is implemented in Bulgaria, these entities will face more rigorous security, governance and incident‑reporting obligations, as well as more intensive supervisory oversight and higher administrative sanctions.

Personal Data Processing Issues in the Context of Cloud Computing

The main issue remains the location of the personal data processing. Cloud environments may store or process data outside Bulgaria or the EU, which triggers the GDPR transfer rules.

Other issues may arise in sector-specific cases such as banking and finance, healthcare or the public sector. The main concern remains the localisation of certain categories of data.

Bulgaria does not have a standalone national AI law yet. Instead, AI regulation comes from two sources:

  • the AI Act, which is the binding EU regulation directly applicable in Bulgaria and any other member state; and
  • national strategic and policy documents, which do not create binding obligations but do guide national implementation (the main reference is the Concept for the Development of AI in Bulgaria until 2030, adopted by the Bulgarian government in late 2020).

Bulgaria does not yet have a deepfake‑specific statute. However, a natural person’s likeness, voice and moral rights are protected through a combination of EU‑level rules such as GDPR and existing Bulgarian national laws, such as tort liability under the Obligations and Contracts Act, moral rights or rights in general under the Copyright Act (although no specific deepfake language yet exists), and criminal charges under the Criminal Code for defamation, identity fraud, etc.

Sector-specific AI regulation in Bulgaria is yet to be developed based on the introduction of the AI Act in national legislation.

Elements will be gradually developed with the application in national legislations (in the EU member states) of the new requirements relevant to the AI rules. For instance, the AI Act does not create a standalone liability regime. Instead, it imposes strict compliance duties on providers, deployers, importers and distributors of AI systems.

The new EU Product Liability Directive (2024/2853/EU) explicitly covers the new AI systems and creates strict liability for defective AI systems and software. Under the Directive (national transposition may vary from member state to member state), manufacturers are liable for lack of safety, cybersecurity vulnerabilities, failure to provide updates, and data quality issues affecting performance. A very important element in this case will be the burden of proof for defectiveness and the presumption of causation for the claimant. Under the Directive, the claimant may benefit from presumption of defectiveness when the AI system does not comply with the AI Act and the presumption of causation when the product is defective and caused harm.

Laws and regulations in relation to the Internet of Things in Bulgaria include:

  • The EU Data Act: Directly applicable throughout the EU, including Bulgaria, this regulates the access to and sharing of data in the data economy. This can be considered the “main” IoT regulation in the EU, as it generally regulates devices that generate data.
  • GDPR: Directly applicable throughout the EU, including Bulgaria, this regulation applies whenever the data collected by IoT devices is personal data.
  • The ECA: This law is the main telecoms law in Bulgaria and is relevant to the IoT if IoT devices use telecoms networks. The ECA has provisions on data protection and privacy for telecoms providers, including:
    1. obligations for telecoms providers to implement sufficient technical and organisational measures to ensure data security and privacy;
    2. limitation of data collection;
    3. obligations regarding traffic data retention and reporting; and
    4. exceptions for lawful access of state authorities to retained data through judicial and legally sanctioned procedures.
  • NIS2: This establishes security measures and incident reporting relevant to IoT platforms. It should be noted that NIS2 is not directly applicable in EU member states – ie, NIS2 will not have effect on entities operating in Bulgaria until national implementing legislation is adopted, which, as of the time of writing, is yet to be done.
  • ISO/IEC 27001: An industry standard providing a framework for INFOSEC management.
  • ISO/IEC 27701: An industry standard building on ISO/IEC 27001 with regard to personal data security.

It should be noted that there is no concise IoT Act or Code, which means that the interplay between machine communications, communications secrecy and data protection may vary substantially on a case-by-case basis. Here are some basic principles:

  • Machine-to-machine communication creates traffic over telecoms networks, generating data traffic regulated by the ECA. Subject to this, telecoms must implement networks that guarantee reliable, safe and confidential flow of data.
  • Such communications nearly always contain some type of personal data or even special categories of data (eg, IoT devices monitoring health conditions) that are subject to GDPR.
  • Control and access to data generated by connected devices is regulated by the EU Data Act.

As described above, the most challenging aspect of deploying IoT solutions is the fragmentary and dynamic nature of applicable legislation – multiple EU and national legal acts may be applicable to this activity, with the applicable law constantly changing (eg, the imminent changes in Bulgarian national law related to implementing NIS2).

Another challenge specific to IoT products is differentiating between personal and non-personal data – IoT solutions often generate datasets with both personal and non-personal data mixed, and it is therefore the controller’s task to identify the personal data and apply appropriate measures in accordance with GDPR.

IoT providers must also enable user access to IoT-generated data (EU Data Act requirement), which creates issues with providing secure APIs and real-time data access models.

Finally, as telecoms-based IoT solutions rely on public networks, they are subject to the same confidentiality and secrecy requirements, explained in detail in 11. Data Privacy and Cybersecurity.

To manage their IoT deployments, companies should implement the following governance frameworks:

  • Data governance framework: Comprehensive internal data processing rules and policies, aiming at regulating the collection, retention, deletion or anonymisation of personal data and data subject rights.
  • Cybersecurity and resilience framework: Implementing key INFOSEC principles and regulating breach responses.

The most important legal requirement for IoT companies with respect to data sharing is the right of users of interconnected devices to access data generated by their use of the IoT device and to request that such data be shared with a third party (EU Data Act requirement). IoT providers must make such data available in a usable and secure format, while also sharing it in a fair and non-discriminatory manner, without unreasonable contractual restrictions. These obligations may only be limited insofar as such limitations are with respect to protecting trade secrets and security-sensitive data, while also taking into account communication security and secrecy requirements.

The Data Act contains size-based exemptions and transitional arrangements to reduce burdens on smaller companies:

  • Partial exemptions are in place for micro- and small enterprises that are not part of a larger group that is not exempt and are not subcontracted by a larger entity – it should be noted that these enterprises should still follow some of the rules of the Data Act.
  • Medium-sized enterprises, while not benefiting from exemptions, are granted a one-year period after placing a new product on the market to make that product compatible with some of the Data Act requirements (whereas big enterprises are required to meet those requirements at the time of placing the new product on the market).

The EU data sharing legislation imposes heightened requirements for, places conditions on, or excludes the sharing of certain categories of data:

  • Personal data: The Data Act does not create a new legal basis for processing personal data. Instead, GDPR is fully applicable when it comes to personal data processed in situations regulated by the Data Act.
  • Special categories of personal data: Some categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation) face stricter requirements for compliant processing than others.
  • The Data Act also explicitly protects trade secrets, confidential business information and intellectual property. Data holders must apply technical and organisational safeguards, use confidentiality agreements and limit access strictly to the purpose requested when handling such information. If data holders can demonstrate a serious risk of irreparable harm, they may even fully refuse to share such data.

In Bulgaria, audiovisual media services are regulated primarily by the Radio and Television Act (RTA), which transposes the relevant EU legislation into national law.

The RTA applies to:

  • traditional audiovisual media services (television and radio broadcasters);
  • video-sharing platform services (eg, YouTube); and
  • on-demand and streaming services (eg, Netflix),

all of them subject to differentiated regulatory regimes.

The competent authority is the Council for Electronic Media (CEM), an independent regulator responsible for licensing, registration, supervision and enforcement of audiovisual media legislation.

The main requirements under the RTA are:

  • compliance with fundamental principles such as freedom of expression, media pluralism, protection of minors, consumer protection and transparency;
  • adherence to self-regulatory and co-regulatory mechanisms, including recognised codes of conduct and ethical standards; and
  • implementing measures to protect minors and the general public from harmful or illegal content.

Licensing and authorisation requirements differ among the providers covered by the RTA and can be outlined as follows:

  • Television and radio broadcasters are subject to licensing or registration procedures before the CEM, where the provider can be a natural person (sole trader) or a legal entity. Licences are issued for a term of up to 20 years with prolongation options.
  • Video-sharing platform providers and on-demand media services providers are subject to a notification and registration regime, not licensing. Providers must notify the CEM of their intention to operate. The CEM registers video-sharing platform providers within 30 days and on-demand media services providers within 14 days.
  • Anyone interested in registering as a radio or television operator must submit an application to the CEM, along with the required documentation. Certain information is not provided by the applicant, as it is obtained directly by the authorities through official channels. The CEM reviews each application and issues a decision within 14 days of submission.

The fees for such licensing and registration regimes are determined based on the CEM’s administrative costs. An initial fee is charged for the issuance of an individual licence and/or for registration, and for verification of the accuracy of the documents. Following this, an annual supervisory fee is due, which is based on the number of registered residents who can be served the media services.

Technologies and Services Falling Within the Scope of the ECA

In Bulgaria, the telecommunication rules are primarily regulated by the ECA. This transposes the requirements of Directive (EU) 2018/1972 establishing the European Electronic Communications Code into national law.

The technologies and services covered by the ECA can be distinguished into two groups:

  • Electronic communications networks: These include all transmission systems, including cable, radio, optical or electromagnetic systems, as well as switching or routing equipment and other resources enabling the transmission of signals.
  • Electronic communications services: These are services normally provided for remuneration via electronic communications networks, which include the following types of services: an internet access service; an interpersonal communications service (number-based and number-independent); and services consisting wholly or mainly of transmission services used for the provision of machine-to-machine services and for broadcasting.

The providers of such services should comply with the general requirements set out by the Communications Regulation Commission (CRC), which are adopted following public consultation.

Pre-Marketing Requirements

Any undertaking intending to place on the market a product or service that falls within the scope of the ECA is required to notify the CRC of its intention to provide such product or service. There is no general requirement for approval by the regulatory body outside of the notification obligation. The notification should be completed in Bulgarian and contain specific information as follows:

  • identification details of the provider (name, registered office or place of establishment, unified identification code);
  • a brief description of the product or service to be provided;
  • territorial coverage;
  • contact person and contact details;
  • expected start date of the activity; and
  • the address of the website of the provider.

Some providers – for example, the providers of number-independent interpersonal communication services – are not subject to the registration regime.

The register is kept by the CRC and consists of a public list of providers of electronic communications services, which is available online.

Depending on the type of service or technology, additional registration or authorisation by the CRC may be required. For example, the use of radio frequency spectrum, the use of numbering resources and the use of harmonised radio frequency spectrum for wireless broadband services require authorisation by the CRC.

Security requirements for telecommunications services include:

  • Technical and organisational measures must be implemented that are aimed at managing risks to the security of networks and services. These measures must ensure a level of security appropriate to the assessed risk.
  • Technical and organisational measures must be undertaken to prevent and mitigate security incidents.
  • The protection of users’ personal data must be ensured in accordance with the ECA and GDPR. The measures implemented should include ones aimed at preventing unauthorised access, loss or alteration of data.
  • Security breaches must be notified to the CRC and affected users in the event of a personal data security breach where the breach is likely to result in a high risk to the users’ rights and freedoms.

In Bulgaria, net neutrality is governed by both EU regulations and national laws that aim to ensure equal and non-discriminatory access to the internet for all end-users. The ECA guarantees the principle of net neutrality, while acting as a complementary legislation to the Open Internet Access Regulation (2015/2120/EU). The regulation guarantees the right of access to an open internet by prohibiting internet service providers (ISPs) from blocking, slowing down or discriminating against specific types of traffic.

ISPs may apply traffic management measures only where necessary for the efficient use of the network, maintaining service quality and preventing congestion, provided that such measures are transparent and non-discriminatory. ISPs may also offer specialised services, as long as they do not negatively affect the quality of internet access for other users.

Key elements of the national legislation include:

  • The prohibition of discrimination: Under Article 225, para. 2 of the ECA, providers of public electronic communication networks and services are not allowed to apply different requirements or terms and conditions for access to or use of their networks and services based on the nationality, place of residence or place of establishment of the end-user, unless there are objective grounds for doing so.
  • Transparency: ISPs are required to be transparent regarding their traffic management practices and must not create unjustified advantages for certain types of traffic. This requirement is reflected in the obligation of the service providers to include the information set out in Article 4, para. 1 of the Open Internet Access Regulation as a key element of the service agreements.
  • End-user rights: Furthermore, the right of end-users to access services and applications of their choice via electronic communication networks is guaranteed, in compliance with the fundamental rights of the EU.

The CRC serves as the national regulatory body responsible for the oversight of the enforcement of the net neutrality regulation. It is responsible for:

  • monitoring compliance by internet service providers with their obligations;
  • examining complaints submitted by end-users; and
  • imposing sanctions in cases of breaches of the regulation.

In particular, for the purposes of applying Article 4, para. 4 of the Open Internet Access Regulation, the CRC has approved a mechanism for monitoring internet access service performance indicators relating to speed and other quality-of-service parameters. The mechanism is available online for free use.

Net neutrality promotes competition, innovation and consumer protection by ensuring equal access to the network and freedom of choice. However, the implementation of net neutrality requires a balance between the interests of all stakeholders and effective network management, with telecommunications service providers opposing the regulation and its scope worldwide.

At present, Bulgarian legislation does not contain explicit regulation regarding 5G, IoT and AI. Instead, different aspects of these technologies are regulated across various laws and secondary legislation. Some of the relevant legal acts are the ECA, the Cybersecurity Act, GDPR and the Protection of Competition Act.

Considerations when integrating these technologies include:

  • Protection of personal data: Companies in the TMT space should ensure that the processing of personal data generated using 5G, IoT and AI technologies complies with GDPR, from requiring consent to the requirements of transparency and the implementation of appropriate security measures. Before deploying new technologies that may impose a high risk to personal data, a Data Protection Impact Assessment (DPIA) could be carried out.
  • Cybersecurity measures: Companies must comply with the requirements of the Cybersecurity Act, which transposes NIS2 into national law. The measures could consist of regular security audits, encryption and the implementation of intrusion detection systems.
  • Regulatory requirements: The providers of such services and technologies should comply with the ECA requirements when it comes to the provision of electronic communication networks and services. Furthermore, the provision of certain services may require authorisations and licences from the CRC. For example, the provision of a 5G network and internet service is subject to prior authorisation from the CRC for the use of a frequency spectrum.

Such emerging technologies are yet to have an impact on the legal framework of the electronic communications sector in Bulgaria with the current need to adapt the existing regulations and introduce new ones. An EU regulatory framework for AI is forthcoming, which is then to be transposed into national legislation.

In the banking sector, after DORA entered into force at the beginning of 2024, financial sector purchasers of IT services have been pushing their IT suppliers to update existing service agreements. The issues usually raised relate to (i) the allocation of costs associated with changes to IT services necessary to achieve DORA compliance and (ii) whether the IT services provider handles “critical or important functions” as per DORA. In this context, negotiating a clear and predictable framework of allocated responsibilities and costs between the IT services provider and the client has been the main challenge in the financial sector in the past few years.

With the pending implementation of NIS2 in the Bulgarian legislation, some affected purchasers (eg, postal and courier service providers, food and medical manufacturers, etc) have been initiating renegotiations based on the draft legislation for implementation of the Directive – on similar lines as with DORA. However, as the NIS2 legislation is not yet adopted and the proposed draft might be changed in the course of the legislative process, such negotiations are difficult and full of uncertainty.

The application of the EU AI Act also poses challenges based on issues such as liability for AI-related outputs and using customer data to train AI models. While these do not stem directly from local legislation but from applicable licence terms, copyleft effects from the implementation of open-source LLMs are often an issue that affects the IP clauses in technology agreements.

Under the ECA, the regulatory practice of the CRC and the CPA, where applicable, telecommunications service agreements with consumers must include, at a minimum, the following key elements:

  • scope of services – clear description of the electronic communications services provided and any technical limitations;
  • service quality – availability, performance levels, fault repair times, and remedies for non-compliance;
  • international charging information – conditions applicable to international calls and messages;
  • pricing and payment terms – transparent fees, billing cycles, payment deadlines and price adjustment mechanisms;
  • rights and obligations – service provision, maintenance, customer support and regulatory co-operation;
  • liability and force majeure – allocation and limitation of liability in line with Bulgarian contract law;
  • complaints and dispute resolution – procedures in accordance with the CPA, including cross-border disputes; and
  • term and termination – contract duration (maximum two years), termination grounds and early termination consequences.

In addition, service providers are required to apply general terms and conditions compliant with the ECA, which function as mandatory contractual background rules.

Although telecommunications service agreements operate within a regulated framework, companies may still negotiate favourable terms through benchmarking market offers, negotiating enhanced SLAs, linking service quality to financial remedies, and including flexibility clauses for regulatory or technological changes.

Further to the above, interconnection agreements are subject to enhanced regulatory scrutiny in Bulgaria and require careful consideration of both legal and competition-related factors.

Key considerations for TMT companies with regard to interconnection agreements include:

  • market power and competition – assessing whether any party has significant market power, which may trigger additional CRC obligations (eg, access or price regulation);
  • technical interoperability – clear definition of interconnection points, technical standards, traffic management, capacity and network security;
  • pricing compliance – interconnection charges must be objectively justified and aligned with CRC decisions or reference offers, where applicable; and
  • regulatory flexibility – inclusion of amendment mechanisms reflecting changes in legislation or regulatory practice.

Interconnection agreements should cover at a minimum: interconnection services and delivery timelines; interconnection points and routing; technical interfaces and signalling; traffic management and quality-of-service parameters; termination, numbering and caller identification; interconnection and co-location pricing; protection of trade secrets, etc.

Applicable Legal Framework

The provision of trust services and the use of electronic signatures and digital identity schemes in Bulgaria are primarily governed by:

  • Regulation (EU) No 910/2014 (eIDAS): This establishes EU-wide rules on electronic identification and trust services, directly applicable in Bulgaria.
  • Electronic Document and Electronic Trust Services Act (EDETSA): This transposes eIDAS into national law, setting out additional requirements for electronic documents, trust services, responsible authorities and procedural rules.
  • Electronic Government Act: This regulates the use of electronic identification for public services, specifying requirements for citizen and organisational access.
  • Electronic Identification Act: This governs the issuance of electronic identity certificates and authentication procedures.
  • Regulations for the implementation of the Electronic Identification Act: These detail the procedures for issuing and verifying electronic identities.

Types of Electronic Signatures

  • Electronic signature and advanced electronic signature: These have legal effect equivalent to a handwritten signature only if explicitly agreed between the parties.
  • Qualified electronic signature: This has unconditional legal effect equivalent to a handwritten signature, meeting the highest security and reliability standards under eIDAS and EDETSA.

Key Legal Considerations

  • Liability and insurance: Providers of trust services are responsible for damages arising from failure to comply with eIDAS and EDETSA requirements.
  • Data protection: Processing of personal data in connection with trust services must comply with GDPR and the PDPA.
  • Intellectual property rights: Use of electronic signatures and digital identity schemes must respect third-party intellectual property.
  • Applicable jurisdiction: Cross-border service provision requires clear determination of the applicable law in case of disputes.
  • Fundamental rights: The use of electronic signatures and digital identity schemes must not infringe fundamental rights, including the right to privacy and data protection.

Applicable Legal Framework

The Bulgarian video gaming industry is not regulated by a single statute. Instead, general legislation and sector-specific laws apply, depending on the game’s characteristics and distribution model. The most relevant legal acts include:

  • The Gambling Act applies to video games that contain gambling or gambling-like elements, such as betting or real monetary value winnings; such games must be licensed and supervised by the NRA.
  • The RTA applies when games are distributed or promoted online, requiring protection for minors, consumers and commercial communications.
  • The CPA regulates the online sale of video games and in-game purchases, including rules on unfair commercial practices and consumers’ right to withdraw.
  • The Copyright and Related Rights Act (CRRA) safeguards video games as complex objects of copyright and protects developers’ intellectual property.
  • The Criminal Code applies to cases of illegal gambling, fraud or other criminal activities related to games.

Key Legal Challenges

The lack of specialised regulation creates uncertainty for businesses. There is no clear distinction between gambling and non-gambling game mechanics. Mechanisms like “loot boxes” can be considered gambling if they meet betting and winning criteria. The cross-border nature of the gaming industry raises issues about jurisdiction, applicable law and regulatory co-operation.

In-Game Purchases, Loot Boxes and Gambling Elements

Bulgarian law does not contain explicit rules on in-game purchases or loot boxes.

Where such mechanisms do not involve gambling elements, they are regulated primarily under consumer protection law.

If loot boxes or similar mechanics involve betting and the possibility of winning real money or valuable items, they may qualify as gambling and fall under the Gambling Act, which imposes strict licensing and operational requirements.

Age Ratings and Content Restrictions

In Bulgaria, the PEGI system is used to categorise video games by age. It is not mandatory, but most developers and distributors use it.

The Gambling Act stops people under 18 from gambling, which can affect games with gambling elements.

The RTA requires that children are protected from harmful content on online video-sharing platforms.

The Child Protection Act stops the distribution of materials that harm children’s development. This can apply to games with violence, pornography or other inappropriate elements.

Industry Codes of Conduct

There are no generally established industry-wide codes of conduct for the video game sector in Bulgaria. Self-regulation is limited and company-specific.

Supervisory Authorities

The gaming industry’s regulatory oversight is fragmented, varying based on the legal issue. The NRA handles gambling activities, including online gambling and games with gambling elements. The CEM supervises media and advertising content, including game-related advertising on media platforms. The CPC enforces consumer rights in relation to the sale and marketing of video games.

Enforcement Powers

The NRA supervises gambling activities, carries out inspections, requests information, imposes fines, revokes licences and orders the cessation of unlawful activities. The CEM supervises compliance with advertising and audiovisual media requirements, monitors content, refers violations to authorities and imposes sanctions on media service providers. The CPC enforces consumer protection legislation, conducts inspections, imposes sanctions for unfair practices and issues binding orders to remedy infringements.

Enforcement Practice

Public information on recent enforcement actions targeting video game companies is scarce, as the sector is not a primary focus. However, the NRA enforces the Gambling Act for illegal gambling, including video games. Also, the CPC regularly sanctions consumer law violations related to the sale and marketing of digital products, including video games.

Game developers in Bulgaria face several recurring intellectual property challenges:

  • piracy and unauthorised distribution – illegal copying, downloading and distribution of games remain a significant issue, causing financial losses and undermining developers’ ability to monetise their products;
  • copyright infringement risks – developers may unintentionally infringe copyright by using third-party code, music, images or other assets without proper authorisation or beyond the scope of the granted licence;
  • licensing complexity – different game engines, digital platforms and distribution channels often require separate and highly specific licensing arrangements, which can be difficult to manage, especially for smaller studios; and
  • enforcement difficulties – although Bulgarian law provides IP protection, enforcing rights in online and cross-border environments can be time-consuming and costly.

Creators enjoy several mechanisms to protect their intellectual property in virtual environments:

  • copyright protection – pursuant to the CRRA, original works such as software code, audiovisual elements, music, graphics, characters and game design are protected automatically upon creation. Authors have exclusive rights to reproduce, distribute, communicate to the public and modify their works;
  • moral rights – authors retain moral rights, including the right to be recognised as the author and to determine whether, when and how their work is disclosed to the public;
  • trade mark protection – game titles, logos, studio names and distinctive signs may be protected under the Marks and Geographical Indications Act; and
  • industrial design protection – applies to the visual appearance of products (including graphical elements under certain conditions), offering a separate form of protection apart from copyright.

When dealing with digital and virtual assets, the following issues are particularly important:

  • originality – copyright protection applies only to original works that reflect the author’s creative choices;
  • authorship and ownership – it must be clearly determined who is the author and whether the rights belong to an individual creator or an employer (eg, in the case of works created in an employment relationship or under a commission agreement);
  • licensing and scope of use – any use of third-party digital assets must be covered by a valid licence specifying permitted uses, duration, territory and remuneration; and
  • digital exploitation – rights related to online distribution, streaming, in-game purchases and virtual marketplaces should be explicitly addressed in contracts.

Bulgaria’s trade mark protection covers virtual goods and services, including in-game items and digital marketplaces. Registered trade marks are protected against unauthorised use in digital environments that could confuse consumers. Using identical or similar trade marks for virtual goods, online games or related services without permission is trade mark infringement.

User-generated content in games and virtual platforms raises several legal concerns:

  • risk of copyright infringement – users may upload or create content incorporating third-party protected works without permission;
  • allocation of liability – a key issue is whether liability lies with the user or the platform. Platforms may benefit from liability limitations under EU law if they act promptly upon notice of infringement; and
  • licensing – platforms should include clear terms and conditions regulating the ownership, licensing and permitted use of user-generated content.

Bulgaria’s national laws do not specifically regulate social media platforms. Instead, they apply to digital services, data protection, consumer protection and intellectual property. Since Bulgaria is an EU member state, EU social media regulations apply within its borders.

Key applicable laws and regulations include:

  • The RTA: This act regulates media services, including video-sharing platform services. Social media platforms such as TikTok and Instagram fall under the RTA’s definition of a video-sharing platform service – in short, a service, whose principal purpose or essential functionality is devoted to providing programmes and/or user-generated videos for the purpose of informing, entertaining or educating, by means of electronic communication networks. However, the RTA is only applicable to services under the jurisdiction of Bulgaria. As of the beginning of 2026, only one video-sharing platform is registered within the jurisdiction of Bulgaria.
  • The CRRA: This act protects copyright in works published on social media. The unlawful uploading or distribution of third-party works may result in sanctions.
  • The PDPA: This act complements GDPR and sets out the specific rules and procedures applicable in Bulgaria regarding the processing of personal data, including by social media platforms.
  • The ECA: This act defines various types of electronic communications services, including “interpersonal communications services”. Social media platforms that provide means for communication between users fall within this category – they provide number-independent interpersonal communications services. This means that under the ECA, social media platforms are in general exempt from stricter regulatory requirements relating to the provision of electronic communications services, which apply to providers.
  • The Electronic Commerce Act: This act may apply to aspects of electronic commerce that are carried out through social media.
  • The CPA: When social media platforms are used for commercial purposes, the provisions of the CPA relating to consumer protection may be applicable.

Furthermore, within the TMT sector in Bulgaria, self-regulation and co-regulation through codes of conduct and standards are encouraged, where appropriate and suitable. For example, when it comes to consumer protection, the National Council for Self-Regulation (NCSR) has developed National Ethical Rules for Advertising and Commercial Communication, which are applicable to commercial communication realised through social media platforms, including influencer campaigns, which are becoming more popular. Consumers can submit a complaint to the Ethics Committee of the NCSR regarding violations of the National Ethical Rules, which issues a decision on the matter. When the Committee finds a violation, it may issue a decision to remove the advertisement or post.

When it comes to the protection of children, there is no specific law which poses an age restriction to the use of social media. Nonetheless, the regulations concerning the media content available to children and the processing of children’s personal data are stricter.

There is no dedicated regulatory body exclusively overseeing social media platforms. The regulatory oversight is fragmented and depends on the specific legal issue.

The primary authorities exercising oversight over social media in Bulgaria include:

  • The CEM: The CEM exercises supervision over media service providers and video-sharing platform services, ensuring compliance with the principles of freedom of expression, protection of privacy, and the prohibition of hate speech. The CEM monitors the protection of children using media platforms and consumer rights. The CEM may issue binding instructions, refer matters to the competent authorities, and impose sanctions.
  • The Commission for Personal Data Protection (CPDP): The CPDP supervises the processing of personal data on social media, ensuring compliance with the principles of transparency and purpose limitation. The CPDP may conduct inspections, issue corrective orders, and impose fines for breaches of the PDPA and GDPR.
  • The CPC: The CPC oversees commercial practices on social media, including advertising and online sales. It monitors the provision of consumer information and the prohibition of unfair commercial practices. The CPC may conduct inspections, issue orders, and impose fines for violations of the CPA.

Outside of the regulatory bodies operates the NCSR. The NCSR is an expression of the concept of self-regulation and co-regulation in the media sector in Bulgaria, set out in the RTA. The NCSR monitors compliance by advertisers with the National Ethical Rules for Advertising and Commercial Communication. It reviews complaints and issues recommendations for the amendment of advertising content. After the review of a complaint, the Ethical Commission of the Council comes out with a decision. For failure to comply with the decision, a pecuniary sanction is imposed by the CEM under the RTA.

Key data privacy laws and regulations applicable to telecommunications providers include:

  • GDPR: The GDPR is directly applicable throughout the EU, including Bulgaria. GDPR prevails in any conflicts with national law.
  • The PDPA.
  • The ECA: This law is the main telecoms law in Bulgaria and has provisions on data protection and privacy for telecoms providers, including:
    1. obligations for telecoms providers to implement sufficient technical and organisational measures to ensure data security and privacy;
    2. limitation of data collection;
    3. traffic data retention and reporting; and
    4. exceptions for lawful access of state authorities to retained data through judicial and legally sanctioned procedures.
  • The Electronic Commerce Act: This law contains no specific provisions regarding telecoms providers, but provides some general rules on consumer protection in e-commerce that are also applicable to telecoms providers.
  • CPDP Instruction No 1 from 21 December 2016 on the circumstances in which companies providing electronic communications services to the public notify consumers of personal data breaches, the form and manner of notification.
  • Joint Guidelines on the conditions, methodology and deadlines for the provision of information between companies providing electronic communications services to the public on the existence of unpaid obligations of the end-user, issued by the CPDP and the Commission on Regulating Communications on 21 December 2021.

No formal telecoms-specific privacy codes of conduct have legal effect, though all major players have internal ethical codes and policies that affect this sphere.

The main challenges for telecoms companies relate to the dynamic nature of the legislation – at both national and EU levels. Incoming rules and guidelines affect ongoing contracts that were concluded under legacy legislation and data that was previously lawfully retained under different legislation.

Bulgarian telecoms follow the standard EU GDPR transfer regime; there is no national-specific international transfer mechanism other than GDPR.

Transfers within the EU/EEA are freely permitted under GDPR (while being subject to the common principles of lawful processing, purpose limitation and confidentiality). Transfers outside the EU/EEA have to comply with a more complicated set of rules, such as:

  • Where the recipient jurisdiction has been identified as ensuring an adequate level of protection with an EU adequacy decision (Art. 45 of GDPR), transfers are freely permitted;
  • Where no EU adequacy decision is in place, transfers outside the EU/EEA are only permissible in limited circumstances (where appropriate safeguards, provided by the respective jurisdiction’s legal mechanisms; binding corporate rules that have been pre-approved by the CPDP; standard data protection clauses approved by the EC, etc). In these cases no authorisation by the CPDP is needed;
  • Transfers outside the EU/EEA may also be conducted with authorisation by the CPDP on the basis of contractual clauses or provisions to be inserted into arrangements with public authorities and bodies;
  • In the absence of an EU adequacy decision and the provisions above, transfers outside the EU/EEA may only be made in very limited circumstances (explicit informed consent of the data subject; performance of contract with the data subject, etc); and
  • In any case, transfers outside of the EU/EEA should be accompanied by a Transfer Impact Assessment.

In Bulgaria, interception and surveillance are tightly regulated. Law enforcement must always get court approval before accessing confidential personal data (traffic data). Without such approval, the telecoms operator must refuse any requests for traffic data.

This framework gives telecoms little control over the process and they’re not responsible for making discretionary decisions. Telecoms must provide all traffic data for which a valid court order has been issued (except where no such data is kept – data was never created or deleted after the statutory retention period expired), and they must refuse to provide traffic data that is not specified in a court ruling. This is a lawful restriction of data subject rights under Article 23 of GDPR. In that sense, telecoms must also not inform data subjects of the existence of disclosure, even when they request it.

Bulgaria does not have a formal data localisation requirement, but due to the limitations on cross-border data transfers, third-party vendors and cloud service providers are usually local or EU/EEA-based.

These companies are considered data processors (or data controllers, depending on their relationship with the telecom) under GDPR, while telecoms are data controllers. Therefore, telecoms should always regulate data transfers with these companies with data processing agreements.

Evolving data privacy regulations affect telecom network infrastructure in multiple ways, such as:

  • Privacy-by-design becoming a requirement for new technologies: New software solutions are expected to include functionalities like data segregation, role-based access control, logging and auditability, while older systems need updates to become compliant with such requirements (the cost-benefit comparisons between updating older systems or developing new ones often weigh in favour of developing newer systems, driving the implementation of newer software solutions);
  • Longer development cycles: New solutions must pass data protection impact assessments and security audits, which affects timelines and costs for new developments.

The main legal challenges to protecting user data, managing consent and ensuring data security are balancing overlapping legal regimes. These include the EU and Bulgarian data protection legislation and the ECA, which establish data privacy, confidentiality and secrecy, and national cybersecurity and lawful interception regulations.

Managing consent is also challenging. Data subject consent within the GDPR framework is only relevant when specific, informed and given freely, with the option of easy withdrawal. This can be difficult when managing legacy systems or migrating between systems.

Direct marketing must also comply with data privacy regulations, which only allow it in limited circumstances beyond explicit consent.

Privacy-by-design and security-by-design principles are implemented through legal and DPIA reviews throughout new feature development, especially when they affect tracking, profiling, AI or targeted advertising. Privacy-by-design principles include data minimisation, purpose limitation, separation of core service data from marketing and analytics data, granular consent banners and automated data retention schedules.

GDPR limits data sharing with advertisers, analytics providers and other third parties. Firstly, both parties’ roles must be clearly defined. The telecoms provider is usually a data controller, but advertising and analytics partners can be data processors, independent controllers or joint controllers. Incorrect classification can lead to invalid data processing agreements, enforcement risks and compliance risks. Secondly, advertising and tracking often require data subject consent and opt-out features.

Cybersecurity regulations, such as NIS2, GDPR, DORA and supervisory guidelines, have transformed cybersecurity from a digital media feature to a crucial operational and legal requirement. Recent legislation prioritises risk-based, state-of-the-art security measures, including continuous risk assessments, regular testing, security audits and security-by-design features. This shift necessitates specialised security and legal personnel and increased operational costs.

YNG Legal

10 Tsar Shishman Str
Sofia, 1000
Bulgaria

+359888300226

yankov@ynglegal.com ynglegal.com

Trends and Developments



The legal landscape of the EU and Bulgarian digital economies has seen many dynamic shifts in the past few years, the implications of which cannot be fully described in this short article. We are therefore going to discuss one particular issue that has major implications with regard to the crypto-asset industry and, more broadly, the markets of financial instruments – do crypto-asset service providers need a PSP licence under the MiCA regime?

Legislative Background

Regulation (EU) 2023/1114 (hereinafter referred to as MiCA) entered into force on 30 December 2024. This Regulation aims to establish a comprehensive legal framework in the EU with regard to the crypto-asset industry, regulating the activities of crypto-asset issuers and the persons providing services related to crypto-assets (crypto-asset service providers, or CASPs).

Before MiCA’s entry into force, EU member states implemented different regimes with regard to the activities of participants in the industry – some being excessively liberal and having practically no crypto-specific requirements (ie, a company only needed to cover the basics of AML, personal data protection and similar legislation to be compliant), while others implemented a stricter system, including a licensing procedure overseen by a regulator. MiCA adopted the stricter approach, requiring each member state to establish a licensing procedure, overseen by a regulator.

The transition from the legacy regimes to the new MiCA framework is still ongoing, as MiCA allowed for a transitional period up to 30 June 2026, during which entities that were compliant under the former regime of their host state could continue to operate without a MiCA licence, with several states having opted to adopt the full transitional period in their internal legislations (namely, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, France, Italy, Luxembourg, Malta, Romania and Spain from the EU member states and Iceland from the EEA members).

The Problem

Crypto-assets may be viewed as both a financial instrument and a medium of exchange, ie, money, with the second function being particularly apparent in what MiCA classifies as e-money tokens, or EMTs. Within the meaning of MiCA, an EMT is a type of crypto-asset with a stable value, referenced against one official fiat currency. Some examples of EMTs are EURC, EUROe and USDC.

MiCA legislators intended to address this dual nature of crypto-assets by regulating items in MiCA’s scope similarly to how the market of financial instruments is regulated, while referring to existing payment service legislation for some aspects of EMTs – in particular, Directive (EU) 2015/2366 (commonly referred to as PSD2) and national laws transposing PSD2. In particular, Recital 93 and Art. 70, par. 4 of MiCA state that where CASPs provide payment services related to EMTs, they must either obtain a payment service provider (or PSP) licence, or partner with a licensed PSP when providing some services related to EMTs.

On the other hand, electronic money institutions (EMIs), licensed for the provision of payment services under PSD2 and related national laws, may offer crypto-asset services without a specific CASP licence in very limited circumstances, while PSPs need a CASP licence to provide crypto-asset services in all circumstances.

This legislative regime raises a few practical problems which have troubled the industry ever since MiCA came into force. These problems arise not only from the vagueness of the MiCA provisions cited above, but also from the implications of the texts. The regime of dual authorisation is generally unfavourable for both service providers and institutions, especially when the different regimes in question are overseen by different regulators – as is the case in most EU member states when it comes to CASPs and PSPs (which is also the case at the level of EU institutions, with the European Banking Authority (EBA) being the lead authority with regard to PSD2, while the European Securities and Markets Authority is responsible for the implementation of MiCA with regard to CASPs).

The questions surrounding this problem may be boiled down as follows:

  • Will CASPs, PSPs and EMIs need dual authorisation – ie, both a MiCA licence and a PSD2 licence – in order to provide services related to EMTs?
  • If dual authorisation is needed, what crypto-asset services related to EMTs would it apply to (the MiCA text makes it clear that not all services related to EMTs should be classified as payment services, but never specifies which services would be treated as such)?
  • If dual authorisation is needed, will the requirements for both licences apply separately or cumulatively (eg, where both licences set a minimal capital requirement, for example to the amount of X for CASPs and Y for PSPs, will an entity with capital equal to X be compliant in both licensing procedures, or will it need a capital of X + Y to acquire both licences)?

Opinion of the EBA

An important development came in June of 2025, when the EBA issued an Opinion of the European Banking Authority on the interplay between Directive EU 2015/2366 (PSD2) and Regulation (EU) 2023/1114 (MiCA) in relation to crypto-asset service providers that transact electronic money tokens (which became known as the “EBA No Action letter” in the industry), which not only provided some clarity on the questions above, but also provided some new important insights:

  • First, the EBA No Action letter confirms that under the current MiCA regime, dual authorisation will be needed for some crypto-asset services related to EMTs. While the EBA criticises this approach – directly stating that it is the EBA’s conviction that the dual authorisation model is insufficient to address the risks that arise from EMT transactions – it also recognises that the MiCA text currently in force leaves no option for regulators to disregard dual authorisation completely. On this note, the EBA recommends that the European Commission and European Parliament address this issue by either amending MiCA or making the necessary adjustments to the text of the PSD3 Directive (which is currently being discussed and will replace PSD2 in the coming years). While this is certainly the most rational approach to solving this problem, it should be noted that legislative procedures in the EU are fairly lengthy, so it is certain that the adoption, entry into force and transposition of the necessary acts would take at least a few years. This would do little to solve the short-term problems of investors, as they will need to start operating under the dual authorisation regime within the coming weeks, as will be further discussed below.
  • Secondly, the EBA provides a list of crypto-asset services that will be considered as payment services when provided in relation to EMTs (ie, necessitating dual licensing), namely:
    1. transfers of crypto-assets that entail EMTs, when offered and carried out by CASPs on behalf of their clients; and
    2. custody of EMTs that enables payment transactions.
  • The EBA also advised that regulators do not regard the following services as needing dual authorisation, as they should not be treated as payment services:
    1. exchange of crypto-assets for funds or for other crypto-assets;
    2. custody of EMTs that does not enable payment transactions (ie, for investment or saving purposes); and
    3. intermediating the purchase of any crypto-assets with EMTs.
  • On the interplay between CASP and PSP/EMI licensing requirements, the EBA No Action letter leans towards the requirements being implemented cumulatively, meaning that entities seeking to obtain dual authorisation should be able to cover the minimal capital requirements for both CASP and PSP/EMI licences when added together.
  • Finally, the EBA No Action letter provides a few other important guidelines to national competent authorities:
    1. First, the EBA advises that national competent authorities implement a grace period up to 1 March 2026, until which CASPs would not be required to hold a PSD2 licence.
    2. After the grace period expires, the EBA No Action letter advises that national competent authorities be more lenient (for the lack of a better term) when enforcing PSD2 requirements when dealing with CASPs that have a PSD2 licence – namely with regard to safeguarding, the disclosure of information to consumers pertaining to the level of applicable charges, the maximum execution time of payment transactions, the unique identifier (eg, IBAN), and open banking.
    3. In contrast to point 2 above, the EBA advises national competent authorities to prioritise other PSD2 requirements, namely the application of strong customer authentication to the accessing of custodial wallets and the initiation of EMT transfers, fraud reporting and the cumulative calculation of own funds.

Importantly, the EBA No Action letter also advises national competent authorities to treat all entities providing crypto-asset services with respect to EMTs equally, irrespective of whether they have acquired a CASP licence or are benefiting from a transitional regime under MiCA.

As stated above, the transitional regimes under MiCA can run up to 30 June 2026 (depending on the internal legislation of each EU member state), which creates an overlap of four months (March to June 2026) during which the grace period advised by the EBA would expire, while the MiCA transitional period under the internal legislation of a number of states is still ongoing. This overlap may lead to confusion among entities benefiting from the transitional regime, as some of them may believe that they can continue to fully provide the same crypto-asset services they provided in accordance with the pre-MiCA regime of their respective jurisdiction without needing any further authorisation, while in fact they might need a PSD2 licence as early as 1 March 2026 if their EMT-related services fall within the scope of what are considered payment services as per the EBA No Action letter.

Practical Consequences

What this situation means in practice is that companies providing services that have been identified as both crypto-asset services and payment services by MiCA and the EBA would have to acquire both a MiCA licence and a PSP/EMI licence. Such companies would need to participate in two separate procedures in front of two separate regulators. Even if they are located in a jurisdiction that has designated the same institution as the national competent authority for both MiCA and PSD2, the licensing procedures would certainly be overseen by different bodies within the institution.

On a further note, such companies would have to be compliant with requirements under both regimes, which, while similar, have some notable differences. When assessing their readiness to comply with both sets of requirements, businesses must also take into consideration the EBA’s view on the cumulative application of licensing requirements, as explained above.

To give a precise example with Bulgaria: the MiCA licensing authority in Bulgaria is the Fiscal Supervisory Commission, while the PSD2 licensing authority is the Bulgarian National Bank. A company offering transfers of EMTs on behalf of its clients and/or custody of EMTs that enables payment transactions must be compliant with the following key requirements (among others):

  • Minimum capital: Under MiCA, a company providing transfer services for crypto-assets on behalf of clients must hold no less than EUR50,000 (could be higher based on fixed overheads for the preceding year or the projected fixed overheads included in the projections for the first 12 months of service provision) in own capital, while under the Bulgarian Payment Services and Payment Systems (PSPS) Act, that requirement is EUR20,000 for a PSP. That makes a total minimum of EUR70,000 that the company must cover. If the company also provides custody of EMTs that enables payment transactions (where MiCA’s minimum requirement is for EUR125,000), the total minimum rises to EUR145,000.
  • Personnel requirements: Here it should be noted that MiCA and the PSPS Act take a very different approach to personnel requirements. Whereas MiCA never specifies objective requirements (instead referring to personnel with “appropriate” education and experience, “appropriate” number of employees, etc), the PSPS Act and implementing regulations have a much more detailed set of rules for determining fit and proper personnel – eg, all members of the governing bodies of the PSP must have no less than five years of professional experience, no less than three of which must be in the banking or finance sector. In this example, the members of the governing bodies of the company must clear both the requirements for “appropriate” experience and education under MiCA and the objective requirements under the PSPS Act.
  • Internal rules and policies: Both MiCA and the PSPS regimes require the maintenance of extensive internal documentation. While somewhat similar (eg, in AML rules), these requirements also have some major discrepancies. Companies aiming to acquire both licences must have a set of internal documentation that covers both sets of requirements.

Future Developments

As mentioned above, the EBA has recommended amending MiCA to dispose of the dual authorisation regime, or at least including some measures in the upcoming PSD3 Directive in order to rationalise it. As of the time of writing, no amendments to MiCA seem to be on the horizon, but the future PSD3 Directive might contain some rules that would affect the authorisation process.

Back in November 2025, the European Parliament and the Council of the EU announced that a provisional political agreement had been reached on the text of the PSD3 Directive, with the technical elements of the text still being worked on. While we are yet to see the final text of the Directive, this announcement did mention that PSD3 will include a simplified authorisation process for CASPs that have been licensed under MiCA when applying for a PSP licence.

It should be noted, however, that there is still quite a long way to go until such a simplified authorisation regime comes into force. Upon adoption of the final text, the Directive would need to be published in the EU Official Journal and come into force; that process would likely end in mid-2026 if no unforeseen events hamper it. That would start a two-year transposition period for national lawmakers to adopt the PSD3 rules into national legislation, meaning that the new regime would not be fully implemented until late 2027 or even early 2028. Until then, the dual authorisation scheme, as described in this article, will present the only way for CASPs offering EMT-related services to be fully compliant with MiCA and PSD2.

YNG Legal

10 Tsar Shishman Str
Sofia, 1000
Bulgaria

+359888300226

yankov@ynglegal.com ynglegal.com