What is AI regulation in Bulgaria?
AI regulation: countries and regions
AI regulation in Bulgaria is governed primarily by the directly applicable EU AI Act (Regulation (EU) 2024/1689), not by a standalone national AI law. Bulgaria layers this on top of GDPR, the national Personal Data Protection Act, and the policy-level Concept for the Development of Artificial Intelligence until 2030. As of mid-2026 Bulgaria has designated its fundamental-rights authorities but has not yet formally designated a market surveillance authority or single point of contact, leaving the national enforcement architecture incomplete.
What this means
Bulgaria does not have its own comprehensive statute that defines and polices artificial intelligence. As an EU member state, the binding rulebook is the EU AI Act, a regulation that applies directly in Bulgaria without needing to be copied into national law. It takes a risk-based approach: it bans a small set of practices, places heavy duties on high-risk systems, and adds lighter transparency duties for some systems, including general-purpose AI models.
What Bulgaria still has to do nationally is plumbing rather than principle: name the bodies that will supervise the market, appoint the authority that designates conformity assessment bodies, set national penalties, and coordinate between ministries. That work is incomplete. The lead policy body is the Ministry of Electronic Governance, and several existing regulators (the data protection commission, the consumer protection commission and others) already hold relevant powers.
Alongside the law sits a national strategy, the Concept for the Development of Artificial Intelligence in Bulgaria until 2030, plus heavy investment in research capacity such as INSAIT. These are about building an AI ecosystem rather than regulating it, but they shape how Bulgaria approaches trustworthy AI.
Why it matters
For any organisation building, selling or deploying AI in Bulgaria, the legal obligations are largely set at EU level and are already partly in force: prohibited practices and AI literacy duties applied from February 2025, governance and general-purpose AI model rules from August 2025, and the bulk of high-risk obligations from August 2026. The fines are severe and apply regardless of where your company is based, reaching up to 35 million euro or 7 percent of worldwide annual turnover for prohibited practices.
The practical wrinkle in Bulgaria is uncertainty about who enforces what. With the market surveillance authority and single point of contact not yet designated, and national penalty rules and a national AI register still being drafted, businesses face a period where the regulation is formally in force but national supervision is, in the words of the responsible ministry, effectively "under construction." According to the Ministry of Electronic Governance response to the Bulgarian News Agency on 9 January 2026, during this first period Bulgaria "will rely mainly on temporary measures and institutional coordination 'under construction,' with limited predictability for businesses, the administration, and control authorities." That raises planning risk: you must comply with EU duties now while the institution that will inspect you is still being decided.
How it works
The core instrument: the EU AI Act applies directly
The primary binding law is Regulation (EU) 2024/1689, the EU AI Act. Because it is a regulation, it applies in Bulgaria automatically and does not need transposition into Bulgarian statute. It classifies AI by risk: prohibited practices, high-risk systems subject to conformity assessment and lifecycle duties, limited-risk systems with transparency duties, and minimal-risk systems that are largely unregulated. It also sets duties for providers of general-purpose AI models. Pan-EU mechanics, including the European AI Office, the European Artificial Intelligence Board and the detailed obligations themselves, are covered on the EU page; this page focuses on the Bulgarian layer.
National implementing decisions still being built
The AI Act requires each member state to designate national competent authorities: at least one market surveillance authority and at least one notifying authority, plus a single point of contact, by 2 August 2025. Bulgaria has missed key parts of this. The Ministry of Electronic Governance, the lead agency, has reported that it prepared a draft Council of Ministers decision to assign the notifying authority role to the Bulgarian Accreditation Service Executive Agency, but that the draft had not been submitted for adoption. The market surveillance arrangements were also only at draft stage, with the division of powers undetermined. On the European Commission's published list of single points of contact, Bulgaria appears without a designated contact. A national regulatory framework, including the sanctions regime and a national AI register, was targeted for March 2026; the Ministry told the Bulgarian News Agency that this deadline means Bulgaria "will operate without a comprehensive national framework, including with regard to sanctions, coordination between institutions, and the specifics of the public sector."
Fundamental-rights authorities: the one completed step
The clearest completed designation is Council of Ministers Decision No. 398 of 18 June 2025, which named seven national bodies responsible for protecting fundamental rights in relation to high-risk AI under Article 77 of the AI Act. Per the Bulgarian News Agency, these are the National Ombudsman, the Central Election Commission, the Commission for Protection against Discrimination, the Commission for Personal Data Protection, the Commission for Consumer Protection, the State Agency for Child Protection, and the General Labour Inspectorate Executive Agency. Under Article 77 these bodies can request and access documentation about high-risk systems when needed to carry out their mandates.
Data protection and the role of the CPDP
Because most AI systems process personal data, the Commission for Personal Data Protection (in Bulgarian, Komisia za zashtita na lichnite danni) is central. It is Bulgaria's GDPR supervisory authority, enforcing both the GDPR and the national Personal Data Protection Act. It investigates complaints, conducts inspections and imposes fines, and is one of the designated fundamental-rights bodies under the AI Act. The AI Act does not displace data protection law; GDPR continues to govern lawful processing, and the two regimes run in parallel.
Standards and conformity assessment
High-risk compliance under the AI Act leans heavily on harmonised European standards. The Bulgarian Institute for Standardization (BDS) is the national standards body and a member of CEN and CENELEC, the European bodies developing AI Act standards, as well as ISO and IEC. Bulgarian providers will demonstrate conformity in large part by following these standards as they are adopted nationally. The notifying authority, expected to be the Bulgarian Accreditation Service Executive Agency, would be responsible for designating and monitoring the notified bodies that carry out third-party conformity assessment.
National strategy and digital institutions
Bulgaria's policy anchor is the Concept for the Development of Artificial Intelligence in Bulgaria until 2030, adopted by the Council of Ministers in December 2020 and coordinated since December 2021 by the Ministry of Electronic Governance. It sets pillars covering infrastructure, data, research, skills, sectoral innovation and ethical AI. The OECD's 2025 review notes that, "despite its comprehensive vision, the strategy lacks an action plan with clear implementation activities and timelines." The Ministry of Innovation and Growth handles economic and SME support. Research capacity is concentrated in INSAIT, the Institute for Computer Science, Artificial Intelligence and Technology, created by Decree No. 56 of the Council of Ministers on 18 February 2021 and operational from 11 April 2022 as a special unit of Sofia University, in partnership with ETH Zurich and EPFL. The Bulgarian government committed about 166.5 million leva (roughly 85 million euro) over ten years, with donations from Google, Amazon Web Services, DeepMind, SiteGround and VMware. INSAIT first presented BgGPT, a Bulgarian large language model based on Google's Gemma architecture, on 15 January 2024.
Examples
A SaaS vendor selling an AI hiring tool into Bulgaria: recruitment and candidate selection AI is a high-risk use case under Annex III of the AI Act. The vendor must meet the Act's high-risk duties (risk management, data governance, technical documentation, human oversight, logging) regardless of Bulgaria's delayed national plumbing. Because the system processes personal data, the CPDP is the relevant supervisor for the data protection dimension, and the General Labour Inspectorate and the Commission for Protection against Discrimination are among the fundamental-rights bodies that can request documentation.
A Bulgarian public body deploying a Bulgarian-language assistant: the National Revenue Agency was the first large-scale administrative structure to introduce BgGPT, the INSAIT-built model, now in expanded use across its central office and seven territorial directorates, with planned daily use by more than 7,000 employees; the model has also been deployed at the National Audit Office to assist public procurement checks. Such deployments must respect transparency duties, GDPR, and any public-sector specific rules in the forthcoming national framework. The Ministry of Electronic Governance has issued guidance on AI use in administrative services emphasising transparency and bias prevention.
A startup waiting on conformity assessment: a firm needing third-party conformity assessment for a high-risk product faces a gap, because Bulgaria had not yet formally designated its notifying authority, the Bulgarian Accreditation Service Executive Agency, meaning no Bulgarian notified body may yet be operating. In practice such firms may rely on notified bodies designated in other member states.
Common misunderstandings
"Bulgaria has its own AI law." Not as a comprehensive statute. The binding law is the directly applicable EU AI Act; a national bill has been discussed by lawmakers but is not enacted, and national implementing decisions are still being prepared.
"Nothing applies yet because Bulgaria has not finished its national framework." Wrong. The EU AI Act is already partly in force across all member states, including Bulgaria, on the EU timeline. National delays affect enforcement architecture, not the existence of the duties.
"The data protection authority regulates all AI." The CPDP is central where personal data is involved and is a designated fundamental-rights body, but AI Act market surveillance is a separate function not yet assigned in Bulgaria.
"The strategy document is the law." The Concept for the Development of AI until 2030 is policy, not binding regulation. It guides investment and coordination but does not impose enforceable AI duties.
"Fines depend on Bulgarian law being finished." The AI Act's tiered fine ceilings apply at EU level; what Bulgaria still must set is the national procedure and penalty detail.
Risks and boundaries
This page describes the Bulgarian layer of AI regulation; it is not legal advice and not a substitute for the EU AI Act text or professional counsel on a specific system. The most important boundary is legal status. As of mid-2026, confirmed: the EU AI Act applies; the Article 77 fundamental-rights bodies are designated (Decision No. 398 of June 2025); the CPDP supervises data protection. Pending or uncertain: the market surveillance authority and single point of contact are not yet formally designated, and Bulgaria does not appear with a designated contact on the Commission's list; the notifying authority (intended to be the Bulgarian Accreditation Service Executive Agency) exists only as an un-adopted draft; the national sanctions regime, coordination model and AI register are still being developed.
What could change: once the interdepartmental working group reports and Council of Ministers decisions are adopted, the supervisory and penalty picture should firm up. Readers should verify the current designation status against the European Commission and ministry sources before relying on it, because this is a fast-moving administrative process.
What to do next
Treat the EU AI Act as your compliance baseline now, not when Bulgaria finishes its national framework. Map your AI systems against the Act's risk tiers and confirm whether any fall under prohibited practices or Annex III high-risk categories.
For high-risk systems, build the lifecycle controls the Act requires: risk management, data governance, technical documentation, logging, human oversight and post-market monitoring. Track harmonised standards as the Bulgarian Institute for Standardization adopts them.
Keep data protection and AI compliance joined up. Where systems process personal data, engage with GDPR and the Personal Data Protection Act under CPDP supervision, and watch for CPDP guidance touching AI, transparency and biometrics.
Monitor the designation of Bulgaria's market surveillance authority, single point of contact and notifying authority, and the national penalty regime. Until the notifying authority is operational, plan conformity assessment via notified bodies in other member states if you need one.
Watch for the national regulatory framework and any enacted national AI bill, which may add public-sector specific rules and remediation channels.
FAQs
Does Bulgaria have a national AI law?
No comprehensive national AI statute is in force. The binding framework is the directly applicable EU AI Act (Regulation (EU) 2024/1689). National implementing decisions and a possible national bill are still in progress.
Which authority enforces the AI Act in Bulgaria?
This is not yet settled. The Ministry of Electronic Governance is the lead policy agency, but the market surveillance authority and single point of contact had not been formally designated as of mid-2026. Fundamental-rights bodies were designated in June 2025.
What is the role of the data protection commission?
The Commission for Personal Data Protection enforces the GDPR and the Personal Data Protection Act, supervises AI systems that process personal data, and is one of the designated fundamental-rights authorities under the AI Act.
Who will designate notified bodies for conformity assessment?
The intended notifying authority is the Bulgarian Accreditation Service Executive Agency, but this remained a draft Council of Ministers decision not yet adopted as of early 2026.
What is the Concept for the Development of AI until 2030?
It is Bulgaria's national AI strategy, adopted in December 2020 and coordinated by the Ministry of Electronic Governance. It is policy guidance on infrastructure, research, skills and ethics, not binding regulation.
Are the AI Act fines in effect in Bulgaria?
The Act's tiered fine ceilings, up to 35 million euro or 7 percent of worldwide turnover for prohibited practices, apply at EU level. Bulgaria still has to set the national procedural and penalty detail.
How does Bulgaria relate to GDPR and UK GDPR?
Bulgaria applies the EU GDPR, supplemented by its Personal Data Protection Act. The UK GDPR is the separate post-Brexit UK regime; organisations operating in both must comply with each.