Bulgaria AI Note

Bulgaria does not have a dedicated AI-specific law in force at the national level. However, it is directly subject to the EU AI Act, which establishes a harmonised legal framework across all EU Member States, based on a risk-based approach. Under this framework, AI systems are classified according to the level of risk they pose (e.g. unacceptable, high, limited, or minimal risk), with corresponding obligations and restrictions.
In the absence of a standalone domestic law, AI systems in Bulgaria are currently regulated indirectly through existing legal regimes, including data protection, consumer protection, anti-discrimination law, and sector-specific regulations. Their legal treatment depends largely on the context in which they are deployed and their effects.
At the same time, Bulgaria has tabled a Bill on the Use and Development of Artificial Intelligence (“the AI Bill”), intended to complement the EU framework. The AI Bill is expected to provide national measures necessary for its effective enforcement, such as designating competent authorities, establishing supervisory and sanctioning mechanisms, and addressing areas left to Member State discretion, while also setting out broader national policy objectives for AI development and governance.

Bulgaria is an EU Member State, so the EU AI Act operates as the higherlevel binding framework for AI. The proposed national AI Bill is explicitly framed as an implementation and complement to the AI Act, not a replacement.
The Bill identifies the introduction of measures for applying the EU AI Act as its first objective, and large parts of the Bill deal with questions that the EU AI Act leaves to Member States.
At the same time, Bulgaria proposes national addons that go beyond the EU AI Act baseline, including:

• stricter bans (e.g. total prohibition of remote biometric identification, prohibition of AI use in special intelligence means);

• explicit restrictions on AIgenerated deepfake content and AIassisted political advertising;

• specific rules on open models and lawful use of publicly available personal data for training;

• AIspecific amendments to numerous sectoral laws (education, health, gambling, judiciary, energy, cybersecurity, public procurement, etc.).The AI Bill’s transitional provisions introduce AIrelated amendments into a broad set of laws, e.g. requiring AIbased grading systems in education to provide explanations, banning the use of AI systems for judicial decisionmaking or certain gambling recommender systems, and mandating disclosure when AI is used in legislative drafting or political campaigning.

Thus, the higherlevel EU law provides the core AI regime, while Bulgaria’s AI Bill is designed to implement required elements and add stricter safeguards and proinnovation measures in areas the EU AI Act leaves open.

In practice, and pending full application of the EU AI Act and enactment of the national AI Bill, AIrelated issues in Bulgaria are addressed through general legal frameworks, including:

• Data protection law: GDPR and the Bulgarian Personal Data Protection Act are central where AI involves processing of personal data. Controllers deploying AI must ensure lawful basis, transparency, data minimization, purpose limitation, and, for high risk processing, data protection impact assessments. The proposed AI Bill would strengthen datarelated duties in the public sector by requiring specific instructions and guidance for AI deployments by public authorities.

• Non-discrimination and fundamental rights: AIenabled decisions can be challenged under equality and humanrights provisions where they result in discriminatory or otherwise rightsinfringing outcomes. The Council of Ministers has already designated the Commission for Protection against Discrimination, the Ombudsman and other bodies as national fundamentalrights authorities in relation to highrisk AI under the AI Act.

• Consumer protection and product safety: AI enabled products and services are assessed under existing consumer protection and product liability rules, including prohibitions on unfair practices and obligations for safe products.

• Sectoral regulation: Supervisory authorities for education, health, energy and other sectors apply their general mandates to AIenabled systems. The proposed AI Bill codifies many of these relationships by naming sectoral regulators as AI marketsurveillance authorities and by mandating sectorspecific AI guidelines.

Once the proposed AI Bill is enacted, AI-specific legal bases will become more prominent in enforcement and disputes. Private litigation is expected to grow gradually, with claimants using existing causes of action (dataprotection damages, equality claims, contractual and tort liability) and, over time, invoking breaches of the EU AI Act and national AI law standards as benchmarks of negligence or unlawfulness.
Two recent preliminary ruling requests from Bulgarian courts illustrate how AI-related issues are being channelled through EU law. In Case C-806/24, the Sofia District Court asks the Court of Justice of the EU to clarify whether automated telecom billing constitutes automated decision-making, and what level of transparency, explanation, and human review is required under the General Data Protection Regulation (“GDPR”) and the EU AI Act.
In Case C-245/25, arising from an insurance dispute, a Bulgarian court seeks guidance on whether software used in expert reports qualifies as a high-risk AI system under the EU AI Act and whether AI-assisted evidence satisfies standards of admissibility and reliability.
Together, these references highlight emerging concerns around transparency, explainability and fairness, showing that Bulgarian courts rely on preliminary rulings to interpret EU law.

In Bulgaria, automated decision-making (ADM) is not regulated through a standalone AI law but is primarily governed by the GDPR, with increasing interpretive influence from the EU AI Act.
ADM is subject to heightened scrutiny when it produces legal or similarly significant effects on individuals, such as in credit, employment, pricing, or access to services. The key legal trigger is Article 22 of the GDPR, which restricts solely automated decisions unless specific exceptions apply. Under the GDPR, it shall be examined whether a decision is fully automated or whether there is meaningful human intervention, which must be substantive and capable of altering the outcome rather than merely formal approval. Automated decisions with significant effects require heightened transparency, fairness, and proportionality, with particular attention paid to algorithmic opacity and “black box” systems.
Overall, ADM in Bulgaria is addressed through the GDPR framework, with particularly heightened scrutiny where automation meaningfully affects individuals’ legal or economic position. While the EU AI Act is not yet fully operational in Bulgarian case law, it is expected to reinforce risk-based obligations, particularly regarding human oversight, governance of training data, and accountability for high-risk systems.

AI use in Bulgaria currently exposes structural tension across existing legal frameworks. Under the GDPR, large-scale AI training conflicts with purpose limitation and data minimization, because AI relies on broad, evolving datasets while the law assumes specific, traceable uses. In copyright law, generative AI blurs authorship and reproduction rules, since outputs may derive from protected works without clear human creators. Liability law is strained by distributed responsibility and unpredictable system behavior.
These tensions are compounded by Bulgaria’s AI Bill, which in several areas go beyond the EU AI Act. For example, a blanket national ban on remote biometric identification and limits on law-enforcement AI exceed the EU’s risk-based approach, creating potential cross-border inconsistency. At the same time, treating training of open models on public personal data as a “public interest” activity pushes against GDPR constraints, while strict limits on children’s data further complicate dataset practices. Additionally, proposed restrictions on judicial use of AI aim to protect independence but create uncertainty about acceptable support tools. The proposed AI Bill has prompted criticism and formal opinions from several public authorities, including the Ministry of Justice, and it was not approved by the leading parliamentary committee. As a result, it is likely that the draft will either face rejection or undergo substantial revisions during the parliamentary process.
Overall, the strain arises because legal systems remain human-centered, transparent, and territorially bounded, whereas AI is opaque, adaptive, and often global.

Enacted / in-force:

• EU AI Act – in force and directly applicable in Bulgaria, with a phased implementation timeline.

• Council of Ministers decision No 398 from 18 June 2025 designating national bodies for the protection of fundamental rights under Article 77 of the EU AI Act in relation to highrisk AI systems (Ombudsman, Central Election Commission, Commission for Protection against Discrimination, Commission for Personal Data Protection, Commission for Consumer Protection, State Agency for Child Protection, General Labour Inspectorate).

Pending / proposed:

• Bill on the Use and Development of Artificial Intelligence - submitted to the National Assembly on 8 October 2025 by a group of Members of Parliament. At the time of writing, this Bill remains under parliamentary consideration. Its provisions should therefore be treated as proposals, not binding law, while still providing a useful indication of the direction of Bulgaria’s AI regulation.

• In fulfillment of the national obligations under Articles 28 and 70 of the EU AI Act, the Ministry of E-Governance has prepared a draft Decision of the Council of Ministers designating a national notifying authority under the EU AI Act. It is envisaged that Bulgaria’s national accreditation body (the Executive Agency “Bulgarian Accreditation Service”) will perform this key role. The draft Decision of the Council of Ministers is to be submitted for consideration and adoption by the Council of Ministers.

• The Ministry of Electronic Governance has conducted consultations with the relevant administrations to determine the competent market surveillance authorities and a draft Decision of the Council of Ministers has been prepared. This step is crucial for the effective implementation of supervisory functions concerning high-risk AI systems in Bulgaria.

• It is envisaged that the interinstitutional working group under the Minister of Electronic Governance, which will develop regulatory framework for the implementation of the EI AI Act in Bulgaria, defining a coordination model based on cooperation between the national competent authorities and the relevant public institutions under the EU AI Act.

• The draft “Strategy for Digital Transformation of the Republic of Bulgaria 2026–2030”, published on the Public Consultation Portal of the Council of Ministers, focuses on the digitalization of public administration, support for innovative start-ups, and technological progress aimed at improving the business environment and citizens’ quality of life. It is yet to be approved by the Council of Ministers.