Bulgaria

1) The Commission for Personal Data Protection is the competent authority as regards data protection under all the legislative acts provided in question 2. It may carry out audits at the respective entity, it may impose fines for non-compliance with the law and/or orders of the Commission, request documents and information, etc.
2) Communications Regulation Commission under the Electronic Communications Act. The Commission may require undertakings providing public communications networks or publicly available electronic communications services to:
• provide information needed to assess the security and/or integrity of their services and networks, including documented security policies; and
• submit to a security audit carried out by a qualified independent body and make the results thereof available to the Commission. The cost of the audit shall be paid by the undertaking.
The Commission may also issue binding instructions, including those regarding time limits for implementation, in order for undertakings to undertake specific measures to ensure security of the networks and services provided through them.
Depending on the violation, the Commission may audit the respective undertakings, impose fines for non-compliance with the law and/or orders of the Commission, request documents and information, etc.