The financial services regulation at national level in Bulgaria is split between two supervisory authorities, namely:

• the Bulgarian National Bank (‘BNB’), which is the national competent authority for credit institutions, financial institutions, payment institutions, e-money institutions and account services providers, and most recently crypto services providers, the industry sector being generally referred to as ‘banking sector’; and
• the Financial Supervision Commission (‘FSC’), which is the national competent authority for investment intermediaries (investment firms), insurance companies and insurance intermediaries, pension and social security companies, fund managers and alternative investment fund managers and the UCITs and AIFs managed by such fund managers, as well as crypto services providers, where these are not banks, the industry sector being generally referred to as ‘non-banking sector’.

Hence, the competence of the regulator will depend on the financial services, which the FinTech Company intends to provide or is involved in.

FinTech companies operating as financial institutions, payment services providers or credit institutions (if these attract publicly deposits and other repayable funds to provide credit and other regulated services) shall normally be authorised (licensed) by the BNB or EU passported by a notification through the home EEA regulator to the BNB.

Respectively, FinTech companies providing investment, insurance, pension and social securities or collective investments management shall be authorised (licensed) by the FSC or EU passported by a notification through the home EEA regulator to the FSC.

It could be that a FinTech Company, which provides services to a BNB or FSC regulated entities are not regulated themselves i.e., falling outside the scope of financial regulation by merely facilitating the processing of operations or provision of other outsourced services to regulated entities.

However, the assessment of the activities of such FinTech companies shall be made on a case-by-case basis to avoid qualification of such activities as a regulated financial services activity.

Finally, within the EEA supervisory framework the national competent authorities (‘NCAs’), depending on the circumstances and the relevant provisions of law, act in close cooperation with the competent EU regulatory authorities, namely, the European Banking Authority (‘EBA’) and the European Central Bank (‘ECB’), the European Securities and Markets Authority (‘ESMA’) and the European Insurance and Occupational and Pension Insurance Authority (‘EIOPA’) or collectively, the European Supervisory Authorities (‘ESAs’).

As a matter of example of such cooperation is the establishment by the FSC of an Innovation Hub referencing the European Blockchain Sandbox. Most recently the FSC announced the opening by 31 January 2025 of applications for the third cohort of European Blockchain Sandbox for FinTech companies using DLT/blockchain in combination with other AI technologies and internet of things (‘IoT’).

The FSC maintains a website, conducts research and analyses results based on questionnaires completed by the supervised entities on the FinTech market since 2019. The FSC as the NCA within its scope of competence is also open to consultations on the use of financial innovations defined as „technologically oriented financial innovations which may lead to new business models, applications, processes and models with material effect on the financial markets and institutions and the financial services provided by them’ in the non-banking financial sector.

The FSC’s research on the use of innovative technologies by the supervised non-banking institutions indicated that as of the end of 2022 none of these reported the use of cryptocurrency, distributed ledger technology and augmented/virtual reality. The regulatory scenery has substantially changed since that report with a new focus on the use of robo advice, AI and machine learning instruments by locally supervised financial institutions aiming at keeping pace with their EU and global homologues.

While the BNB is also narrowly involved in the financial sector innovation, it does not have a designated webpage, innovation hub or regulatory sandbox for the banking sector services and products. It is an active participant in the various regulatory fora, following the best practices and examples in other EU jurisdictions, while keeping at the same time some healthy distance from the supervised fintech sector.

We see no imminent risks to the growth of the fintech market in Bulgaria. Should there be a risk to be considered, this is generally the absence of consistently and effectively applied regulatory sandbox procedures, despite the statements and intents set out in the FSC’s strategy documents since 2018. The latest 2024 FSC Report on the implementation of the Strategy on Monitoring of Financial Innovations in the Non-Banking Sector (2021-2024) indicated the progress in three priority axes and set out a new strategic objective for the period 2025-2027.

The priority axes set out by the FSC for the non-banking sector comprise of:

1. Determination of requirements for licensing or registration of the companies offering financial innovation products and/or services and technologies in the non-banking sector.
2. Innovation center activity comprising of (i) analysis of trends in the fintech industry; (ii) communication on the introduction of new products by the supervised entities (including AI); and methodology on the maintenance of statistics on financial innovation by the supervised entities.
3. Management of the risks related to financial innovation, including among other things training and materials related to the use of DLT, the implementation of DORA and MiCA and warnings for investors on robo-advisors and fin-influencers.

In term RegTech, the FSC is exploring the opportunity to use a Dutch RegTech product and to develop its own information systems.

Whether a Bulgarian license or an EU ‘passport’ is required will depend on the precise scope of activities of the FinTech company. As indicated in the answer to question 1 above, the financial services to be provided determine the type and scope of regulation and the competent national and EU regulatory authority.

As indicated above, there is no typically national Regulatory Sandbox or a Regulatory Sandbox in the strict sense where Bulgarian fintech companies to test in a safe and regulated environment the use of new technologies. The FSC has established an innovation hub and has announced the opportunities for the national fintech to file applications by way of example with the European Blockchain Sandbox. On other occasions it provides an opportunity for the non-banking sector financial services entities to communicate directly the use of innovative technologies.

The application of existing securities laws to ICOs and other crypto assets will depend on the characteristics and classification of the relevant crypto asset and particularly whether it will fall within the scope of a regulated asset under local or EU law.

If a crypto asset has features akin to financial instruments, it could be subject to the applicable securities laws. After recent amendments (as of 5 August 2023), the Bulgarian Markets in Financial Instruments Act (‘MIFIA’) additionally regulates financial instruments which are issued through distributed ledger technology (‘DLT’). The amendments introduce the provisions of Regulation (EU) 2022/858 on Distributed Ledger Technology Market Infrastructures (‘DLTR’), which sets out a pilot regime for the regulation of crypto assets that qualify as financial instruments within the Union. The DLTR defines ‘distributed ledger’ as an information repository that keeps records of transactions and that is shared across, and synchronised between, a set of DLT network nodes using a consensus mechanism. DLT financial instruments are defined as financial instruments issued, recorded, transferred and stored using distributed ledger technology. Crypto assets which represent financial instruments including DLT financial instruments under the EU Markets in Financial Instruments Directive and its local implementation – the Bulgarian Markets in Financial Instruments Act, will fall under the regulations of initial public offering of securities. Derivatives referencing crypto assets would be caught by the definition of ‘financial instrument’ where they themselves constitute ‘transferable securities’, ‘financial contracts for differences’ or where they fall within ‘catch-all’ clauses of the definition – such as ‘any other derivative contracts relating to assets, rights, obligations, indices and measures not otherwise mentioned [in this Section], which have the characteristics of other derivative financial instruments, having regard to whether, inter alia, they are traded on a regulated market, OTF, or an MTF’.

For such crypto assets, the local regulations related to initial public offering of securities will apply. According to the Public Offering of Securities Act, initial public offering of securities is considered the offering of securities withing the meaning of Art. 2 (d) of Regulation (EU) 2017/1129 of the European Parliament and of the Council of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market, and repealing Directive 2003/71/EC (the ‘Prospectus Regulation’) which consists of (i) an offer of securities for subscription by their issuer or an investment firm authorized by the issuer, or (ii) an offer of securities for initial sale by an investment firm pursuant to an underwriting agreement with their issuer. Therefore, public offering of securities and/or admission of securities to trading on a regulated market can be conducted after publication of a prospectus approved by the FSC under the terms and conditions of the Prospectus Regulation and the Public Offering of Securities Act unless an exemption applies.

Regarding any requirements for offerings to the public of asset-referenced tokens and e-money tokens as well as crypto assets other than asset-referenced tokens and e-money tokens under MiCA, we should note that an implementing legislation – a local Markets in Crypto Assets Act was submitted to the Parliament for voting. The local Markets in Crypto Assets Act designates the local competent authorities under MiCA depending on the relevant crypto asset. According to the draft Act the FSC will be the competent local authority under MiCA, except for the electronic money tokens for which the competent local authority is BNB. At this stage, the timeline for the first voting on the draft Markets in Crypto Assets Act remains unclear.

Under the effective Measures against Money Laundering Act (‘MAMLA’) cryptocurrency exchanges and cryptocurrency custodians (e.g. virtual asset service providers (‘VASP’), both categories being defined as obliged entities under Art.4, item 38 and item 39 of the Act.

These need to have a registration in the National Revenues Agency and apply the AML-CTF measures under the law.

Both the entities that are not regulated under MiCA and the MiCA regulated entities apply all key AML-CTF requirements, including KYC measures to prevent anti-money laundering along with the full catalogue of the AML measures, such a customer and transaction risk assessment and management, recording and safekeeping data and reporting to the competent authorities – the Financial Intelligence Directorate with the State Agency National Security, which the national Financial Intelligence Unit, as well as the law enforcement authorities in specific cases.

Please, see the answer in Section 7 below for details.

In Bulgaria, the regulatory environment for cryptocurrency and blockchain companies is evolving, influenced by both national policies and the EU’s comprehensive framework.

As regards the national regulatory landscape, it should be noted that currently a light-touch Virtual Asset Service Provider (‘VASP’) registration before the Bulgarian National Revenue Agency (‘NRA’) is in place in Bulgaria for entities which provide exchange services between virtual currencies and fiat currencies and custodian wallet providers, and also for entities providing services for transfer or exchange of virtual assets, custodial services and management of virtual assets, enabling the exercise of control over the virtual assets and services relating to public offering of virtual assets. This registration is primarily aimed at preventing money laundering through the use of such assets. Bulgaria has implemented Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU as well as Recommendations No. 10 and No. 15 of the Financial Action Task Force. The entities which provide the services listed above are obliged entities under the AML legislation.

Regarding the developments in crypto asset regulation at national level, according to the draft Markets in Crypto Assets Act (‘Draft Act’), the VASP registration before the NRA no longer will be applicable. The draft Act provides for local implementation of MiCA’s transitional provisions, as follows:

• Persons and legal entities registered in the public register maintained by the NRA for AML purposes may continue operating the activities in Bulgaria for which they are registered with the NRA without a license until 31 December 2025 or until a decision is made regarding their license application under Art. 63 MiCA, whichever occurs first.
• Once the draft Act comes into force, these natural persons or legal entities will have the opportunity to apply for licensing through the FSC under Art. 63 of MiCA.
• Additionally, any pending registration proceedings before the NRA should be cancelled by 30 December 2024, after which the NRA will discontinue maintaining its Register (this date was provided in the draft Act, however it will be probably changed in view of the fact that the draft Act is still not adopted). Upon discontinuation, the NRA will transfer the Register’s data to the FSC, which will publish this information on its website. The natural persons and legal entities, which are already registered with the NRA should report any changes in their registered information to the FSC within 14 days of the relevant changes.

Furthermore, to navigate the evolving regulatory requirements, companies should consider strategies such as (i) regulatory assessment and licensing to determine whether the services related to the relevant crypto asset fall under existing regulations; (ii) obtaining the necessary authorizations and licenses; (iii) implementation of Robust AML/KYC Procedures and continuous monitoring of the new regulatory developments including by engaging legal and professional consultation. By adopting similar strategies, crypto asset service providers can better navigate the regulatory landscape in Bulgaria, ensuring compliance and fostering trust with consumers and regulators alike.

In Bulgaria, cryptocurrency companies must navigate both national tax laws and evolving EU regulations to ensure full compliance with tax reporting and obligations related to digital assets.

The tax reporting obligations related to digital assets would depend on whether the crypto asset transactions are conducted by natural persons or legal entities.

According to Art. 33 (3) of the Personal Income Tax Act, cryptocurrencies are considered as financial assets. The provision specifically emphasizes on the virtual currencies as part of the financial assets category in general.

1. Taxation of Legal Entities:

Taxes are due over the profits from cryptocurrency and crypto asset transactions. According to the law, gains realized during the tax year from sale or exchange of financial assets are subject to tax.

1.1. Corporate Tax:

The annual profit generated by companies (legal entities) in Bulgaria is subject to 10% corporate tax according to the Corporate Income Tax Act. The corporate tax is determined on the basis of the difference between all business-related income and expenses that are recognized for tax purposes (the annual tax profit is subject to corporate tax).

1.2. Tax on the dividends received by the company’s shareholders:

When profits are distributed to the shareholders or the sole owner of the company as dividends, a 5% dividend tax applies on the received amounts.

2. Taxation of individuals:

Profits from the sale or exchange of crypto assets are treated as income from the sale of financial assets. Such gains are subject to a flat personal income tax rate of 10% (capital gains tax). The taxable amount is calculated by subtracting the acquisition cost from the sale price for each transaction.

However, the taxation of income is different if it is acquired in the course of the person’s business. It is considered that a particular activity is organized as business if the person carries out systematically the activity for the purpose of making a profit. Income from the sale or exchange of crypto assets which is conducted for business purposes as well as income derived from cryptocurrency mining is considered business income. This income should be declared in the annual tax returns of the person and will be taxed at a rate of 15%.

3. VAT taxation:

The transactions related to the sale or exchange of cryptocurrencies are not subject to VAT taxation, however the turnover of such transactions will be included and will form the turnover for VAT registration. A VAT registration will be required if the annual turnover exceeds BGN 100,000 (circa. EUR 50,000).

Blockchain companies must navigate the requirements of the General Data Protection Regulation (‘GDPR’) to ensure data privacy and protection. The GDPR mandates strict guidelines for processing personal data within the EU.

In Bulgaria, the Personal Data Protection Act complements the GDPR, providing specific regulations and establishing the Commission for Personal Data Protection (‘CPDP’) as the supervisory authority. Blockchain companies must ensure compliance with both the GDPR and national provisions, which may include additional requirements or guidelines pertinent to data processing activities within the country.

Given the transparent nature of blockchain technology, achieving compliance necessitates careful consideration and strategic implementation of the GDPR policies such as collecting and processing only the data necessary for the intended purpose; obtaining the explicit consent from data subjects before processing their personal data and ensuring that mechanisms are in place to allow data subjects to exercise their rights, such as the right to access, rectify, or erase their data. Other compliance strategies may include data anonymization and pseudonymization of personal data on the blockchain and maintaining transparency by clearly communicating data processing activities to users and stakeholders as well as implementing robust security measures to protect data on the blockchain

By following these steps, blockchain companies can effectively address data privacy and protection regulations in Bulgaria while ensuring transparency and security on decentralized networks.

Bulgaria operates under the regulatory framework of the EU, which generally facilitates the mobility of skilled professionals across member states. This creates a predictable and stable legal environment conducive to attracting and retaining international fintech talent. The EU Blue Card program serves as a compelling alternative for highly skilled workers, offering a streamlined pathway to employment and residency within the EU. As an EU member state, Bulgaria is well-positioned to capitalize on this scheme, enhancing its appeal as a destination for international fintech talent. In addition to EU regulations, Bulgaria’s national immigration policies play a crucial role in talent acquisition. The government has undertaken measures to streamline visa and work permit processes for foreign professionals, thereby enhancing the country’s attractiveness as a fintech hub.

Other means for positioning Bulgarian fintech companies as attractive employers for global talent include offering competitive remuneration, comprehensive benefits, and a favorable work environment as well as offering remote work opportunities by recruiting international talent without requiring physical relocation, thereby broadening their access to a diverse and highly skilled workforce. Bulgarian fintech firms can further strengthen their talent acquisition strategies by establishing strategic alliances with foreign fintech firms which offer additional opportunities for talent exchange and collaboration.

The key compliance challenges for fintech companies typically involve the regulatory assessment of the management and key employees for compliance with professional qualification, educational requirements and reputational status. Third country nationals need to meet quite strict and formal requirements for professional and educational background and ‘fit and proper’ assessment requirements under the applicable EU and national laws and regulations.

While such requirements may differ depending on the type of regulated activity, these are quite similar in essence and formal qualification criteria that the competent regulator is required to consider and abide to within the respective licensing procedure.

To develop an effective market entry strategy for a fintech in Bulgaria, several key factors could be considered:

• Target Customer Demographics:

Based on local sector association’s reports Bulgaria’s fintech customer base is characterized by young professionals, product managers, and technologically savvy people. Given these demographics, fintechs may need to focus on developing user-friendly, mobile-first solutions that cater to tech-savvy young professionals.

• Competitive Landscape:

The Bulgarian fintech sector is growing rapidly but still has room for new entrants. Reportedly, as of 2023, there were more than 150 fintech companies operating in Bulgaria. Digital payments dominate the fintech market, followed by enterprise technology providers and digital asset exchanges. To stand out in this competitive landscape, new fintechs should identify niche markets or underserved segments, offer innovative solutions and consider focusing on emerging areas like blockchain, AI, or open banking where competition may be less intense.

• Partnerships with Financial Institutions:

Collaborating with established banks and financial institutions can be a powerful strategy for market entry. Many Bulgarian banks are actively seeking fintech partnerships to enhance their digital offerings.

• Regulatory Considerations:

Understanding and navigating the regulatory environment is crucial. Bulgaria has adopted EU-wide regulations like PSD2, which enables open banking initiatives. The government and regulators are generally supportive of fintech innovation, with initiatives like regulatory sandboxes in place. Fintechs should engage early with regulators to understand compliance requirements, consider participating in regulatory sandbox programs to test innovative solutions, and stay informed about upcoming regulatory changes that may impact the fintech sector.

By carefully considering these factors and implementing a strategic approach, fintechs can position themselves for success in Bulgaria’s growing and dynamic fintech market.

The primary financial and operational risks related to the entering the market relate to the absence of an effective regulatory sandbox which would enable fintech test their innovative products in a secure regulatory environment. As a result, the process of regulatory authorisation remains strictly formal and new entrants face challenges meeting the high regulatory standards without being able to accommodate flexible approach within pending licensing proceedings. Hence, the time consuming and relatively expensive processes of authorisation for the conduct of regulatory activity does not provide sufficient certainty for the applicants that their operations are compliant or will become compliance with the regulatory financial and operational standards of the national and EU regulatory authorities.

Outsourcing is possible and recommended depending on the type of business function but subject to strict EU-wide regulatory requirements within the EU digital resilience and cybersecurity legal framework. The most recent changes in the framework applicable to ICT outsourcing and most importantly on outsourcing of critical and important functions relate to the entry into force of the Digital Operational Resilience Act (the directly applicable regulation on digital resilience for the financial sector) and the new Cybersecurity Act (NIS2 Directive), which is to be transposed in the national law.

Fintech companies operating in Bulgaria can protect their proprietary algorithms and software through a combination of intellectual property strategies, including trade secrets, copyrights, patents, and contractual protections.

Computer programs and data bases are subject to copyright protection under the Bulgarian Copyright and Neighbouring Rights Act. Computer programs are protected as literary works and the protection applies to the expression of a computer program in any form. Ideas and principles which underlie any element of a computer program, including those which underlie its interfaces, are not protected by copyright.

Bulgarian law does not provide for a copyright registration regime or any other administrative measures for the copyright to occur. Copyright arises automatically from the moment of creation of the work, provided that the computer program is original, in the sense that it is the author’s own intellectual creation and is fixed in tangible form.

Business methods and computer programs as such are not patentable under the Bulgarian law. To be patentable, a software-related invention must demonstrate a technical contribution beyond a mere algorithm.

Proprietary algorithms and software can also be protected under the Bulgarian Trade Secret Protection Act, which implements the Trade Secrets Directive (EU) 2016/943. To be safeguarded, trade secrets must meet three criteria: (i) the information must be confidential and not generally known or easily accessible, (ii) it must have commercial value due to its secrecy, and (iii) reasonable steps must have been taken to maintain its confidentiality.

For a fintech company in Bulgaria to enforce its rights under the Trade Secret Protection Act, it is essential to show that it has actively identified and protected its information. This can be achieved through internal confidentiality policies, managing system permissions, and establishing non-disclosure agreements with all involved parties. If companies fail to demonstrate these protective measures, the information may lose its trade secret status. Bulgarian court case law provides useful guidance regarding the adequacy of such ‘reasonable steps’ in protecting trade secrets.

Brands can be protected either by registration of national trademarks with the Bulgarian Patent Office or by registration of EU trademarks with the EU Intellectual Property Office. Certain logo designs may also be protected by copyright as artistic works.

Prior to launching their brand or choosing their company name to be used on the local market, fintech businesses should conduct due diligence, including clearance searches in the databases of the Bulgarian Commercial Registry and the databases of the Bulgarian Patent Office and the EU Intellectual Property Office to make sure that the respective brand/company name are not in conflict with third party earlier rights and are available for registration and use.

Using open-source software (‘OSS’) in fintech products offers significant benefits, including cost savings and faster development. However, it also comes with legal responsibilities. Non-compliance with OSS licenses can lead to intellectual property disputes, legal liability, and reputational damage.

To ensure compliance, companies should maintain an up-to-date inventory of all OSS components in their products and conduct thorough due diligence to understand the associated licensing terms. Establishing clear policies for evaluating, approving, and integrating OSS is essential. These policies should define procedures for assessing risks and ensuring adherence to license obligations. Additionally, fintech companies can employ automated tools to scan their codebase for OSS components and verify compliance with their licenses. These tools can help identify potential issues early and ensure that all OSS usage adheres to the relevant licensing terms.

Collaborating with third-party developers or partners raises important concerns regarding the ownership of IP rights, particularly copyrights in software and databases developed in this context. Under Bulgarian law, the general rule is that, unless otherwise agreed, the contractor holds the copyright to any copyrightable works they develop, while the ordering party may only use the work for the purposes for which it was ordered.

Therefore, when collaborating with third-party developers or partners, it is crucial to have clear contractual agreements that outline the ownership of IP created during the collaboration. These agreements should specify who owns the IP, how it can be used, and what happens if the partnership ends. Additionally, conducting IP due diligence is essential to ensure that the contractor or partner holds the title to the IP developed by their employees or subcontractors.

When entering into partnerships, fintech companies should carefully consider how to allocate the ownership and rights of use of the IP assets developed under such cooperation. It is important to note that in cases of joint ownership of copyrights, the consent of all co-owners is required for any modification of the work or for granting a license to use the work. If the co-owners fail to reach an agreement, the issue is to be resolved by the court. In cases of co-ownership of inventions and patents, unless otherwise agreed, each owner may use the invention, but the patent may be assigned or licensed only with the consent of all co-owners.

By proactively addressing these concerns through well-structured agreements and diligent IP management, fintech startups can safeguard their innovations and maintain control over their technological assets.

There are various remedies against infringements of intellectual property rights under the Bulgarian civil and criminal law.

The primary remedy is to file a civil litigation case for IP rights infringement where the right holder may request from the court to: (i) establish the infringing activity; (ii) issue against the defendant an injunction prohibiting the continuation of the infringement; (iii) order the destruction of infringing goods; and (iv) award a compensation for the damages suffered by the plaintiff as a result of the infringement. In the course of such litigation it is also possible to file a request preliminary injunctive measures, such as prohibition on a provisional basis of the continuation of the infringement.

Furthermore, remedies under unfair competition law are available in cases of trademark imitations, the use of imitating domain names/websites, or the unlawful acquisition, use, or disclosure of trade secrets. If such infringements are established, the Bulgarian Commission on Protection of Competition may issue a decision ordering the cessation of the infringing activities and imposing a pecuniary sanction of up to 8% of the annual turnover of the infringer.

Bulgarian fintechs using AI algorithms (e.g. for credit scoring and lending decisions) must comply with several legal obligations to ensure transparency and fairness. These obligations are primarily driven by EU regulations, including GDPR and the EU AI Act. Key requirements include compliance with data protection laws, conducting risk assessments, ensuring human oversight of AI systems, implementing robust data governance practices, and providing clear documentation of AI decision-making processes.

To demonstrate that their AI systems do not result in biased or discriminatory outcomes, fintechs can take several steps. These include implementing robust data governance by using diverse and representative datasets, incorporating fairness constraints and bias detection algorithms during model development, and employing explainable AI techniques. Regular testing and auditing are crucial, including conducting frequent bias audits and using fairness metrics to assess model performance across different demographic groups.

Transparency and documentation are essential, with companies needing to maintain comprehensive records of AI development processes and provide clear explanations of decision-making criteria. Human oversight should be implemented, especially for high-stakes decisions like loan approvals. Establishing an ethics committee with diverse representation can help regularly review AI models and their outcomes.

Continuous monitoring and improvement are necessary, including ongoing monitoring of AI system outputs to detect emerging biases and regularly updating and retraining models to address identified issues. By implementing these measures, Bulgarian fintechs can demonstrate their commitment to fairness and non-discrimination in AI-driven decisions, meeting legal obligations while building trust with consumers and regulators in the evolving landscape of AI governance in financial services.

When fintech companies develop proprietary AI models, several key IP considerations must be addressed to protect their innovations. Safeguarding AI technologies and datasets from infringement requires a combination of legal strategies and diligent IP management.

First, securing ownership of IP developed by employees and contractors is crucial. This can be achieved through well-drafted employment and independent contractor agreements that explicitly define ownership rights, usage restrictions, and confidentiality obligations related to AI models and training datasets.

Many fintech companies also rely on trade secret protection to keep proprietary AI architectures, training data, and model weights confidential. To maintain trade secret protection, companies should implement strong non-disclosure agreements (‘NDAs’) with employees, contractors, and any third parties who may have access to sensitive information. These NDAs should outline the obligations to maintain confidentiality and the consequences of unauthorized disclosure. Furthermore, robust cybersecurity measures are essential to prevent unauthorized access or leaks. This includes implementing secure access controls, encryption, and regular security audits to identify and address potential vulnerabilities.

When using third-party AI tools, companies must ensure legal compliance and conduct due diligence to verify that these tools do not infringe on existing IP rights. Additionally, businesses should be cautious about data acquisition methods, such as web scraping, ensuring adherence to copyright laws and the terms of service of data sources. It is important to verify that the data being used is legally obtained and that the company has the right to use it for training AI models.

There are no national pieces of law yet, securing the implementation of the EU Artificial Intelligence Act. The FSC though already provided some guidance on the deployment of robo- advice by the supervised entities. Both the legal framework and the implementation measures are work in progress to be considered in the coming months.

Bulgarian fintech companies should adopt several risk management strategies to mitigate potential legal liabilities associated with AI technologies. These include implementing robust data governance practices, ensuring algorithmic fairness and transparency, conducting regular testing and auditing, maintaining comprehensive documentation, and implementing human oversight. Companies should also stay informed about regulatory changes, enhance cybersecurity measures, develop a comprehensive AI policy, invest in ongoing training and education for employees, and collaborate with industry peers and regulators. Key practices involve using diverse and representative datasets, incorporating fairness constraints and bias detection algorithms, performing frequent bias audits, and employing third-party auditors for independent assessments. Maintaining detailed records of AI development processes and providing clear explanations of decision-making are crucial. Human intervention should be ensured in AI decision-making processes, especially for high-stakes decisions. Companies should monitor and adapt to evolving AI regulations, engage with regulatory bodies, and implement robust cybersecurity protocols. Creating and enforcing a formal AI policy, providing regular training for employees, and participating in industry associations are also important steps. By implementing these strategies, Bulgarian fintech companies can better mitigate potential legal liabilities associated with AI technologies while fostering trust and ensuring compliance in the evolving regulatory landscape.

No, there are no reported examples of disruption through fintech in Bulgaria.

Several areas of fintech are attracting investment in Bulgaria across different funding stages:

Digital payments continue to be a major focus, with this segment being the largest contributor to the fintech sector’s performance in Bulgaria. Companies in this area are attracting investments at various stages, from seed to later rounds.

Enterprise technology providers, which enable API management, cloud computing, artificial intelligence, machine learning, and natural language processing, are also seeing significant interest from investors. Digital identity and trust services are also gaining traction. Insurtech is another growing area.

Blockchain and decentralized finance (DeFi) are expected to see more viable mainstream business models emerging, potentially attracting more investment in the near future. Open banking and open finance solutions are areas where increased activity is also anticipated, especially as banks look to fintech for new sources of profitability and growth.

In terms of investment stages, the Bulgarian fintech ecosystem is seeing activity across various levels. Pre-seed and seed funding are common, with several venture capital funds focusing on these early stages with ticket sizes ranging from €25,000 to €1 million. Series A rounds are becoming more frequent. Later-stage funding (Series B and beyond) is less common, but there are efforts to attract higher-ticket investors for these rounds.

It’s worth noting that while there is growing interest and investment in the Bulgarian fintech sector, the ecosystem is still developing. Many of the fintech companies are small and medium-sized enterprises, and there is a recognized need for more quality projects and larger investments to fuel growth in later stages.