-
Who are the primary regulators overseeing fintechs in your jurisdiction, and how are regulatory boundaries evolving as innovation crosses traditional lines between payments, lending, wealth, and digital assets?
The financial services regulation at national level in Bulgaria is split between two supervisory authorities, namely:
- the Bulgarian National Bank (‘BNB’), which is the national competent authority for credit institutions, financial institutions, payment institutions, e-money institutions and account services providers, and most recently crypto services providers, the industry sector being generally referred to as ‘banking sector’; and
- the Financial Supervision Commission (‘FSC’), which is the national competent authority for investment intermediaries (investment firms), insurance companies and insurance intermediaries, pension and social security companies, fund managers and alternative investment fund managers and the UCITS and AIFs managed by such fund managers, as well as crypto services providers, where these are not banks, the industry sector being generally referred to as ‘non-banking sector’.
Hence, the competence of the regulator will depend on the financial services, which the FinTech Company intends to provide or is involved in.
FinTech companies operating as financial institutions, payment services providers or credit institutions (if these publicly attract deposits and other repayable funds to provide credit and other regulated services) shall normally be authorised (licensed) by the BNB or EU passported by a notification through the home EEA regulator to the BNB.
Correspondingly, FinTech companies providing investment, insurance, pension and social security or collective investment management services shall be authorised (licensed) by the FSC or EU passported by a notification through the home EEA regulator to the FSC.
It could be that a FinTech Company which provides services to BNB- or FSC-regulated entities is not itself regulated, i.e., it falls outside the scope of financial regulation by merely facilitating the processing of operations or providing other outsourced services to regulated entities.
However, the assessment of the activities of such FinTech companies shall be made on a case-by-case basis to avoid qualification of such activities as a regulated financial services activity.
Finally, within the EEA supervisory framework the national competent authorities (‘NCAs’), depending on the circumstances and the relevant provisions of law, act in close cooperation with the competent EU regulatory authorities, namely, the European Banking Authority (‘EBA’) and the European Central Bank (‘ECB’), the European Securities and Markets Authority (‘ESMA’) and the European Insurance and Occupational and Pension Insurance Authority (‘EIOPA’) or collectively, the European Supervisory Authorities (‘ESAs’).
An example of such cooperation is the establishment by the FSC of an Innovation Hub referencing the European Blockchain Sandbox. Most recently the FSC announced the opening by 31 January 2025 of applications for the third cohort of the European Blockchain Sandbox for FinTech companies using DLT/blockchain in combination with other AI technologies and the internet of things (‘IoT’).
The FSC maintains a website, conducts research and analyses results based on questionnaires completed by the supervised entities on the FinTech market since 2019. The FSC as the NCA within its scope of competence is also open to consultations on the use of financial innovations defined as ‘technologically oriented financial innovations which may lead to new business models, applications, processes and models with material effect on the financial markets and institutions and the financial services provided by them’ in the non-banking financial sector.
The FSC’s research on the use of innovative technologies by the supervised non-banking institutions indicated that as of the end of 2022 none of these reported the use of cryptocurrency, distributed ledger technology and augmented/virtual reality. The regulatory landscape has substantially changed since that report, with a new focus on the use of robo advice, AI and machine learning instruments by locally supervised financial institutions aiming to keep pace with their EU and global counterparts.
While the BNB is also narrowly involved in the financial sector innovation, it does not have a designated webpage, innovation hub or regulatory sandbox for the banking sector services and products. It is an active participant in the various regulatory fora, following the best practices and examples in other EU jurisdictions, while keeping at the same time some healthy distance from the supervised fintech sector.
With the entry into force of the Bulgarian Markets in Crypto Assets Act and the related amendments to the Credit Institutions Act, the implementation of the regulatory framework for crypto assets at national level has now been completed. The FSC has designated a special webpage (https://www.fsc.bg/kriptoaktivi/) with advice on the implementation of the EU crypto assets regulation, with reference to the Interim MiCA Register and the full set of EU RTS to date.
-
As regulators adopt different rules for digital assets, AI, and consumer protection, what key regulatory and operational challenges could slow fintech innovation and growth in your jurisdiction over the next 12 months?
We see no imminent risks to the growth of the fintech market in Bulgaria. Should there be a risk to be considered, this is generally the absence of consistently and effectively applied regulatory sandbox procedures, despite the statements and intents set out in the FSC’s strategy documents since 2018. The latest 2024 FSC Report on the implementation of the Strategy on Monitoring of Financial Innovations in the Non-Banking Sector (2021-2024) indicated the progress in three priority axes and set out a new strategic objective for the period 2025-2027.
The priority axes (including for the next 12 months) set out by the FSC for the non-banking sector comprise:
- Determination of requirements for licensing or registration of the companies offering financial innovation products and/or services and technologies in the non-banking sector.
- Innovation center activity comprising (i) analysis of trends in the fintech industry; (ii) communication on the introduction of new products by the supervised entities (including AI); and (iii) methodology on the maintenance of statistics on financial innovation by the supervised entities.
- Management of the risks related to financial innovation, including among other things training and materials related to the use of DLT, the implementation of DORA and MiCA and warnings for investors on robo-advisors and fin-influencers.
In terms of RegTech, the FSC is exploring the opportunity to use a foreign RegTech product and to develop its own information systems.
-
Are fintechs generally required to obtain licenses or registrations to operate in your jurisdiction, and if so, which activities typically trigger those requirements (e.g., lending, payments, digital assets custody)?
Whether a Bulgarian license or an EU ‘passport’ is required will depend on the precise scope of activities of the FinTech company. As indicated in the answer to question 1 above, the financial services to be provided determine the type and scope of regulation and the competent national and EU regulatory authority.
A fintech involved in the provision of financial services (without public attraction of deposits or other repayable instruments) under the Credit Institutions Act (“CIA”), which transposes the Capital Requirements Directive (“CRD”), such as lending, factoring and forfeiting, etc., would require registration as a financial institution in the register of financial institutions maintained by the BNB (“BNB Register of FI”). A fintech involved in the provision of payment services or e-money issue and redemption will need to be licensed by the BNB as a payment institution or an e-money company. A fintech involved in crypto activities may need either a license as an investment services provider for certain types of transactions in crypto assets which qualify as financial instruments, or an authorization by the FSC. It really depends on the type of regulated activity that the fintech will be involved in.
-
Are there emerging cross-functional or omnibus licensing regimes, such as those inspired by the U.S. GENIUS Act, the EU MiCA/DORA frameworks, or similar integrated models, that allow a single license to cover multiple fintech activities?
At present, Bulgaria does not have a domestic, unified national regime that lets firms obtain one licence covering all fintech activities (e.g., payments, electronic money, banking, crypto etc.) under a single authorisation. Licensing remains sector-specific and aligned with broader EU frameworks, meaning that the relevant licence for the specific activity should be obtained prior to the provision of the regulated services or products (e.g., a licence for electronic money institution, payment institution, crypto-asset service provider, bank, investment firm, etc.).
Under the EU regulatory framework, for most types of financial activities, an entity which has obtained a relevant licence in one EU Member State (e.g., a payment institution, electronic money institution, or investment firm licence, or the relevant licence for issuance of the different types of crypto assets and providing the relevant services under MiCA) may “passport” that licence into other EU countries, including Bulgaria, by notification to its competent national authority, which in turn should notify the relevant competent authority in the host Member State. This is an integrated feature of EU law, reducing the need for separate national licensing for each country.
The Digital Operational Resilience Act (DORA) adds harmonised requirements for digital operational resilience across financial services (including fintech), imposing common ICT/operational risk management standards on regulated entities.
-
How have regulatory sandboxes, innovation offices, or digital-testing frameworks matured in 2025, and what measurable impact have they had on time-to-market or capital formation for fintech start-ups?
As indicated above, there is still no typically national Regulatory Sandbox or a Regulatory Sandbox in the strict sense where Bulgarian fintech companies can test the use of new technologies in a safe and regulated environment. The FSC has established an innovation hub and has announced the opportunities for national fintechs to file applications, by way of example, with the European Blockchain Sandbox. On other occasions it provides an opportunity for the non-banking sector financial services entities to communicate directly the use of innovative technologies.
-
How are regulators adapting their supervisory approaches (e.g., RegTech-enabled supervision, API-based reporting) to oversee fintechs operating across jurisdictions or with embedded finance models?
Bulgarian supervisors are moving toward more digital, data-driven supervision mainly by (1) standardising and digitising regulatory reporting, and (2) strengthening cross-authority information exchange at EU level.
For fintechs, the key split is that the BNB collects supervisory information for payment systems / payment services providers and e‑money issuers, while the FSC supervises the non-banking sector (capital markets, insurance, pensions) and is explicitly investing in supervisory IT modernisation.
On cross-border oversight, the FSC has framed its “Unified Information System” project as enabling real-time exchange of information with EU authorities (specifically EIOPA and ESMA), which is directly relevant when firms operate across jurisdictions or via EU passports. The Unified Information System is aimed at automating the activity of all specialized and general administration departments of the Commission and provides the opportunity to perform review, tracking, control, validation and analysis of the incoming and outgoing processed information, as well as the possibility of automated data transfer, including from and to external systems at national and international level.
-
How do your jurisdiction’s securities, commodities, and banking regulators interpret tokenization, DeFi, and stablecoin products under the current legal landscape, particularly in light of the U.S. state-level stablecoin acts and MiCA implementation in the EU?
The application and interpretation of existing laws related to tokenization, DeFi, and stablecoin products will depend on the characteristics and classification of the relevant crypto asset and particularly whether it will fall within the scope of a regulated asset under local or EU law.
If a crypto asset has features akin to financial instruments, it could be subject to the applicable securities laws. Following amendments to the Bulgarian Markets in Financial Instruments Act (‘MIFIA’), financial instruments which are issued through distributed ledger technology (‘DLT’) are additionally regulated in Art. 4 MIFIA. The provisions of Regulation (EU) 2022/858 on Distributed Ledger Technology Market Infrastructures (‘DLTR’), which sets out a pilot regime for the regulation of crypto assets that qualify as financial instruments within the Union, were introduced into national law. The DLTR defines ‘distributed ledger’ as an information repository that keeps records of transactions and that is shared across, and synchronised between, a set of DLT network nodes using a consensus mechanism. DLT financial instruments are defined as financial instruments issued, recorded, transferred and stored using distributed ledger technology. Crypto assets which represent financial instruments, including DLT financial instruments, under the EU Markets in Financial Instruments Directive and its local implementation, the Bulgarian Markets in Financial Instruments Act, will fall under the rules applicable to financial instruments. Derivatives referencing crypto assets would be caught by the definition of ‘financial instrument’ where they themselves constitute ‘transferable securities’, ‘financial contracts for differences’ or where they fall within ‘catch-all’ clauses of the definition – such as ‘any other derivative contracts relating to assets, rights, obligations, indices and measures not otherwise mentioned [in this Section], which have the characteristics of other derivative financial instruments, having regard to whether, inter alia, they are traded on a regulated market, OTF, or an MTF’.
Regarding any requirements for offerings to the public of asset-referenced tokens and e-money tokens, the relevant provisions of MiCA will apply, as well as the provisions of the local Markets in Cryptoassets Act (further implementing MiCA’s provisions), which has entered into force as of 8 July 2025.
Decentralized finance (DeFi) is considered to be a system of financial applications built on blockchain networks that aims to replicate some of the functions of the traditional financial system in a seemingly open and permissionless way, eliminating traditional financial intermediaries and centralized institutions. MiCA sets a comprehensive framework for the regulation of previously unregulated crypto-assets but does not directly address DeFi. Moreover, according to Recital 22 of MiCA, where crypto-asset services are provided in a fully decentralized manner without any intermediary, they should not fall within the scope of the Regulation. Therefore, insofar as DeFi is provided and executed in a fully decentralized manner, it will not be caught under MiCA provisions.
Stablecoins should be caught under the MiCA Regulation and can be characterized as either asset-referenced token(s) or e-money token(s) depending on their features. Where the value of the stablecoin is “pegged” to the value of another currency, it should be considered an e-money token; if the value of the stablecoin is connected to another currency, commodity, asset or group of the aforementioned, it should be considered an asset-referenced token.
-
What are the AML/CFT and travel-rule obligations for virtual asset service providers currently, and how do they apply to “non-custodial” or “self-hosted wallet” models?
Under the Measures against Money Laundering Act (MAMLA), crypto-asset service providers licensed under the Cryptoassets Markets Act – except insofar as they provide advice on crypto-assets – fall within the scope of MAMLA and must comply with its AML/CFT obligations.
These providers must be registered with the National Revenue Agency and apply the AML-CTF measures under the law.
Both the entities that are not regulated under MiCA and the MiCA regulated entities apply all key AML-CTF requirements, including KYC measures to prevent money laundering along with the full catalogue of the AML measures, such as customer and transaction risk assessment and management, recording and safekeeping data and reporting to the competent authorities – the Financial Intelligence Directorate within the State Agency for National Security, which is the national Financial Intelligence Unit, as well as the law enforcement authorities in specific cases.
The implementation of the directly applicable Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (“AMLR”) harmonises the measures to be put in place to prevent money laundering, its predicate offences and terrorist financing at Union level. It is also expected that upon transposition in Bulgaria of Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849 (“Sixth AML Directive”), the relevant amendments of the MAMLA will secure harmonised application across the EU.
With the establishment of the European AML Authority (“AMLA”), a decentralised EU agency, AML/CTF compliance will be streamlined by way of supervision of AML and CTF activities and coordination of the national authorities to ensure the correct and consistent application of EU rules.
-
What new prudential or reserve requirements are being imposed on stablecoin issuers or custodians?
In Bulgaria, the regulatory environment for cryptocurrency and blockchain companies is evolving, influenced by both national policies and the EU’s comprehensive framework.
As noted above, the local Markets in Cryptoassets Act has entered into force as of 8 July 2025. Therefore, MiCA’s regime is fully operational in Bulgaria and the applicable authorization or license under the Regulation will be required for provision of the relevant crypto-asset or related services (we note that one of the provided transitional periods under the Markets in Cryptoassets Act is still applicable for individuals and legal entities who were registered in the electronic public register of the National Revenue Agency prior to 30 December 2024 which may continue to carry out the activity for which they were entered in the Register within the territory of Bulgaria without a MiCAR license until 1 July 2026, or until the issuance or refusal to issue a license under Art. 63 of MiCA, whichever occurs first).
The prudential and reserve requirements applicable to stablecoin issuers are provided in MiCA. As noted above, the relevant regulatory framework will depend on the features of the stablecoin. If the value of the stablecoin is “pegged” to the value of another currency, commodity, asset or group thereof, the related prudential and reserve requirements for the issuers of asset-referenced tokens will apply. On the other hand, if the value of the stablecoin is “pegged” to the value of another currency, the relevant prudential and reserve provisions will apply for the issuers of such e-money tokens, which can be either a credit institution or an electronic money institution.
Furthermore, to navigate the evolving regulatory requirements, companies should consider strategies such as (i) regulatory assessment and licensing to determine whether the services related to the relevant crypto asset fall under existing regulations; (ii) obtaining the necessary authorizations and licenses; (iii) implementation of robust AML/KYC procedures and continuous monitoring of new regulatory developments, including by engaging legal and professional consultation. By adopting similar strategies, crypto asset service providers can better navigate the regulatory landscape in Bulgaria, ensuring compliance and fostering trust with consumers and regulators alike.
-
How focused are regulators in your jurisdiction on data privacy, cybersecurity, and operational resilience for fintechs, and what enforcement or inquiry trends are emerging?
Blockchain companies must navigate the requirements of the General Data Protection Regulation (‘GDPR’) to ensure data privacy and protection. The GDPR mandates strict guidelines for processing personal data within the EU.
In Bulgaria, the Personal Data Protection Act complements the GDPR, providing specific regulations and establishing the Commission for Personal Data Protection (‘CPDP’) as the supervisory authority. Blockchain companies must ensure compliance with both the GDPR and national provisions, which may include additional requirements or guidelines pertinent to data processing activities within the country.
Given the transparent nature of blockchain technology, achieving compliance necessitates careful consideration and strategic implementation of the GDPR policies such as collecting and processing only the data necessary for the intended purpose; obtaining the explicit consent from data subjects before processing their personal data and ensuring that mechanisms are in place to allow data subjects to exercise their rights, such as the right to access, rectify, or erase their data. Other compliance strategies may include data anonymization and pseudonymization of personal data on the blockchain and maintaining transparency by clearly communicating data processing activities to users and stakeholders as well as implementing robust security measures to protect data on the blockchain.
With the adoption of the local Markets in Cryptoassets Act, some amendments were also introduced to the Credit Institutions Act, Payment Services and Payment Systems Act, Markets in Financial Instruments Act, the Collective Investment Schemes and Other Undertakings for Collective Investments Act and others in relation to the implementation and enforcement of Regulation (EU) 2022/2554 (the Digital Operational Resilience Act (DORA)). The proposed amendments designate the competent local authority and delegate supervisory powers and powers related to the enforcement of administrative measures by imposing administrative penalties in relation to the implementation of this Regulation.
Furthermore, on 17 February 2026, the amendments to the Cybersecurity Act transposing Directive (EU) 2022/2555 (NIS 2) into Bulgarian law entered into force. The implementation of the Directive into the national legislation might lead to increased requirements in the field of cybersecurity. To ensure harmonized implementation across sectors, the Act provides that secondary legislation will define the minimum scope of cybersecurity measures applicable to obliged entities. As the regulatory framework described above is relatively new, we anticipate that the case-law of the relevant competent authorities will continue to develop and become established over time.
By following these steps, blockchain companies can effectively address data privacy and protection regulations in Bulgaria while ensuring transparency and security on decentralized networks.
-
What practical steps should cryptocurrency and blockchain companies take to detect and prevent fraudulent transactions, and how can they prepare for regulatory audits, inquiries, and enforcement actions?
Crypto and blockchain companies in Bulgaria should deploy layered fraud controls that address both conventional payment and account fraud and on-chain abuse, combining behavioral monitoring, strong security controls, and blockchain analytics. Under the Anti-Money Laundering Act, crypto-asset service providers authorised under the Markets in Cryptoassets framework – except when providing only advice on crypto-assets – are treated as obliged entities and must apply full AML/CTF controls. Effective onboarding should include robust identity verification, beneficial owner checks for legal entities, and risk-tiering that determines the depth of due diligence and monitoring throughout the customer relationship. Providers should continuously monitor business relationships, detect unusual or suspicious activity, and apply enhanced due diligence in higher-risk scenarios. An AML program should be built around a documented, business-wide risk assessment, clear internal rules and governance, customer due diligence procedures, ongoing monitoring, and compliant recordkeeping and data retention. Customer due diligence should at minimum cover customer identification, beneficial owner verification, and continuous monitoring to ensure customer behavior remains consistent with the stated profile and risk level. Providers should maintain operational readiness to report suspicious activity to the Financial Intelligence Directorate within the State Agency for National Security, including procedures to delay or hold transactions where appropriate and strict safeguards against tipping-off. To withstand audits, inquiries, and potential enforcement actions, companies should adopt an evidence-first posture with complete and well-organised customer files, auditable logs of key actions and rule changes, strong access controls, and documented rationales for alerts, transaction holds, and offboarding decisions. 
Given that Bulgarian oversight has historically relied heavily on AML registration and compliance obligations rather than a standalone crypto licensing regime, demonstrable AML effectiveness and high-quality documentation are central to regulatory defensibility.
-
How are fintechs adapting to changing immigration frameworks, such as revisions to U.S. H-1B and digital nomad visas in the EU and Asia, to attract tech and compliance talent globally?
Bulgaria operates under the regulatory framework of the EU, which generally aims to facilitate the mobility of skilled professionals across member states. This creates a predictable and stable legal environment conducive to attracting and retaining international fintech talent. The EU Blue Card program serves as a compelling alternative for highly skilled workers, offering a streamlined pathway to employment and residency within the EU. As an EU member state, Bulgaria is well-positioned to capitalize on this scheme, enhancing its appeal as a destination for international fintech talent. In addition to EU regulations, Bulgaria’s national immigration policies play a crucial role in talent acquisition. The government has undertaken measures to streamline visa and work permit processes for foreign professionals, thereby enhancing the country’s attractiveness as a fintech hub.
Other means for positioning Bulgarian fintech companies as attractive employers for global talent include offering competitive remuneration, comprehensive benefits, and a favorable work environment as well as offering remote work opportunities by recruiting international talent without requiring physical relocation, thereby broadening their access to a diverse and highly skilled workforce. Bulgarian fintech firms can further strengthen their talent acquisition strategies by establishing strategic alliances with foreign fintech firms which offer additional opportunities for talent exchange and collaboration.
It is worth noting that up until now digital nomads could reside in Bulgaria only on a short-term basis (90 days every 180 days), which is no longer the case. Long-term residence in Bulgaria is normally granted for 1 year (with prolongation options) under specific circumstances which did not fit the digital nomad profile. According to recent legislative changes to the Foreigners Act and especially to the rules for its implementation, a new type of residence permit was introduced to enable digital nomads to reside in Bulgaria on a long-term basis. For the purposes of the new digital nomad residence permit (DNRP) the law defines 3 categories of digital nomads:
- A digital nomad who is hired by an employer registered outside the EU/EEA/Switzerland and provides to it services from a distance using information technologies;
- A digital nomad who is the statutory representative, member of the management body, owner, shareholder owning more than 25% of the registered capital of a company registered outside the EU/EEA/Switzerland via which company the digital nomad provides services from a distance using information technologies and does not work/provide services to persons/entities in Bulgaria;
- A digital nomad who provides personally services from a distance using information technologies for a period no less than 1 year prior to the date of filing the application and does not work/provide services to persons/entities in Bulgaria and does not carry out freelancing activities in Bulgaria.
The 3 categories of digital nomads present different documents proving the respective circumstances, but the set always includes 1) proof of average annual income for the previous calendar year in the amount of no less than 50 minimum monthly wages (as of January 2026 amounting to a total of EUR 31,010); and 2) a landlord declaration for a leased property where they will reside during their stay in Bulgaria.
The validity of the DNRP is 1 year and can be prolonged by 1 more year.
-
What new geopolitical or sanctions-related risks (e.g., digital asset restrictions, AML screening mandates) have emerged that affect fintech operations in cross-border markets?
New geopolitical and regulatory developments in Europe have increased compliance expectations for fintechs involved in cross‑border activity. Heightened AML and sanctions scrutiny – particularly due to evolving EU designations of high‑risk jurisdictions such as Russia – now requires more consistent enhanced due diligence and real‑time sanctions screening. Additionally, broader updates to EU and global AML standards have expanded oversight of digital assets, strengthened transparency requirements, and pushed firms to adopt more advanced monitoring technologies. These shifts collectively raise operational and compliance demands for fintechs operating across borders.
-
How do immigration and workforce-mobility policies—like work visas, remote-work permits, and intra-company transfers—affect fintechs’ ability to move key staff into new markets, and what practical steps can companies take to avoid talent shortages or delays?
In Bulgaria, immigration and workforce-mobility rules often determine whether a fintech can put “day-one” leadership and control functions on the ground quickly or must sequence its launch around permit lead times. EU/EEA citizens can generally start working without a Bulgarian work permit, so fintechs commonly use EU nationals for initial management, compliance, and operational “substance” while the local entity is being built out. For third-country nationals, the practical constraint is that they usually need a long-stay pathway plus a work-and-residence authorization before they can legally be employed in Bulgaria, which can add months and become a critical-path item for licensing readiness, bank onboarding, and go-live planning. One widely used route is the Single Work and Residence Permit process, which is described as involving migration authorities and labour-market access steps and is also associated with employer-side constraints such as workforce-share limits for third-country nationals (often described as 20% generally and 35% for SMEs), which can directly affect scaling plans for fast-growing teams. For highly qualified senior hires, the EU Blue Card route can be attractive, but it is eligibility-driven and includes a salary threshold and documentary requirements, so it still requires early planning rather than “just-in-time” hiring. Intra-company transfers can help multinational fintechs move key specialists or managers into Bulgaria, but the regime is narrow: the work is tied to a specific receiving entity/role, meaning it is not a general-purpose mobility solution for rapidly reshuffling startup teams. Remote-work options can support pre-entry activities (market research, coordination, short-term setup), but they typically do not replace local work authorization for regulated operations that require locally accountable staff. 
Bulgaria has moved toward a formal “digital nomad” category in the Foreigners Act amendments discussed publicly in 2025, defining a digital nomad as someone working remotely for an employer established outside the EU and linking the regime to long-stay visa/residence rules, which underscores that this is aimed at foreign-sourced remote work rather than staffing a Bulgarian-regulated employer. Practically, fintechs avoid talent shortages and delays in Bulgaria by (1) mapping each critical role to a lawful route (EU national/local hire vs. Blue Card vs. single permit vs. ICT), (2) ensuring initial compliance/AML and management coverage with EU nationals or locally eligible hires so licensing and banking workstreams can proceed while permits are pending, and (3) front-loading documentation and corporate group evidence (especially for ICT scenarios) to reduce rework and timeline slippage. They also tend to phase the build (start lean, then scale), use interim outsourcing for non-core capacity, and adopt a hub-and-spoke deployment plan so that each jurisdiction has locally authorized staff rather than trying to rotate the same third-country team across multiple countries on short notice.
-
How do immigration rules and visa limitations influence the speed and strategy of fintech market entry, particularly when launching operations in multiple jurisdictions?
Immigration rules and visa limitations materially influence the speed and strategy of fintech market entry in Bulgaria, especially when the launch plan depends on physically relocating non‑EU executives or specialist staff to Bulgaria. EU/EEA nationals can typically start work without a work permit, which allows faster initial setup and often leads fintechs to use EU‑national founders or interim managers to establish early operational substance. For third‑country nationals, companies usually need a work-and-residence route (commonly a Single Work and Residence Permit, and in some cases the EU Blue Card for highly qualified hires), which can add months and turns immigration into a critical-path workstream. These timing constraints can delay “go-live” activities when key control roles (e.g., compliance/AML leadership) are expected – by regulators, banking partners, and auditors – to be clearly appointed, available, and accountable in Bulgaria, even if strict residence is not always a formal filing requirement. In practice, many fintechs stagger launches, rely temporarily on EU‑based staff, or outsource selected functions until permits and onboarding are completed, while maintaining clear governance and oversight. For multi‑jurisdiction launches, the constraint compounds because travel facilitation is not the same as work authorization: Bulgaria’s Schengen changes reduced friction for air/sea travel, but do not remove the need to secure the right to work in each country where staff will be based. The common response is a hub‑and‑spoke staffing plan – building a Bulgarian operations/engineering hub while placing regulated-country compliance and commercial roles locally – and sequencing hires so immigration lead times do not block licensing, integration, and customer onboarding milestones.
-
How can fintechs protect their proprietary algorithms and smart-contract code, balancing open-source use with trade-secret protections and any AI-related disclosure rules?
Fintechs in Bulgaria can protect proprietary algorithms and smart-contract code through a layered strategy combining copyright, trade secrets, selective patenting, contractual controls, and careful compliance with AI-related disclosure rules.
Copyright automatically protects computer programs and databases as literary works once created, provided they are original. This covers source code, object code and documentation, including smart-contract code. However, copyright protects only the expression of code, not the underlying ideas, logic, or algorithms.
For core algorithms, scoring models, and trading logic, trade secret protection is usually the most effective tool. Under the Bulgarian Trade Secret Protection Act (implementing Directive (EU) 2016/943), protection applies if the information is secret, commercially valuable because of its secrecy, and subject to reasonable confidentiality measures. Fintechs should therefore implement strict access controls, encryption, internal classification policies, NDAs, and IP assignment clauses. Demonstrating such “reasonable steps” is essential to enforce protection.
Patent protection is limited. Business methods and software “as such” are not patentable, but software-related inventions may qualify if they deliver a technical contribution beyond a mere algorithm. Because patents require public disclosure, they should be used selectively.
Where open-source software is involved, fintechs should adopt formal OSS governance: conduct licence audits (especially for copyleft licences), maintain modular separation between proprietary and open-source components, and track dependencies through a software bill of materials.
If AI systems are used (e.g., in credit scoring), fintechs must consider transparency and documentation duties under the EU AI Act. Required disclosures should be carefully limited to regulatory needs and structured to preserve trade-secret status.
Overall, effective protection requires aligning IP strategy, technical architecture, open-source management, and regulatory compliance within a coherent governance framework.
-
What strategies are most effective for safeguarding trademarks and digital brands in an era of AI-generated impersonation, deepfakes, and synthetic media fraud?
In the era of AI-generated impersonation, deepfakes, and synthetic media fraud, businesses must adopt an active brand protection strategy that combines intellectual property law, technology controls, and risk monitoring.
Brands can be protected either by registration of national trademarks with the Bulgarian Patent Office or by registration of EU trademarks with the EU Intellectual Property Office. Certain logo designs may also be protected by copyright as artistic works. Prior to launching their brand or choosing a company name, fintech businesses should conduct due diligence, including clearance searches in the databases of the Bulgarian Commercial Registry and the databases of the Bulgarian Patent Office and the EU Intellectual Property Office to ensure that the brand or company name does not conflict with third-party rights.
In addition to registration, companies must monitor online use of their brand. AI tools can generate fake videos, voice messages, or marketing content that imitates real brands. Automated brand-watching systems and rapid takedown procedures would be helpful to limit reputational and financial damage.
Identity verification should also go beyond traditional methods such as voice or video recognition because synthetic media fraud can bypass them. Multi-factor authentication, digital signatures, and callback confirmation procedures are recommended for high-risk transactions.
Regulatory developments, including the EU AI Act, introduce transparency and risk-management obligations for certain AI systems, which indirectly support brand integrity by addressing misuse of synthetic content.
Overall, the most effective strategy is a combination of trademark registration, continuous digital monitoring, technical authentication safeguards, and employee and customer awareness programs to counter AI-enabled brand impersonation risks.
-
When fintechs collaborate with outside developers, partners, or open-source communities, how can they make sure they retain ownership of their technology and avoid disputes?
Collaborating with third-party developers or partners raises important concerns regarding the ownership of IP rights, particularly copyrights in software and databases developed in this context. Under Bulgarian law, the general rule is that, unless otherwise agreed, the contractor holds the copyright to any copyrightable works they develop, while the ordering party may only use the work for the purposes for which it was ordered.
Therefore, when collaborating with third-party developers or partners, it is crucial to have clear contractual agreements that outline the ownership of IP created during the collaboration. These agreements should specify who owns the IP, how it can be used, and what happens if the partnership ends. Additionally, conducting IP due diligence is essential to ensure that the contractor or partner holds the title to the IP developed by their employees or subcontractors.
When entering into partnerships, fintech companies should carefully consider how to allocate the ownership and rights of use of the IP assets developed under such cooperation. It is important to note that in cases of joint ownership of copyrights, the consent of all co-owners is required for any modification of the work or for granting a license to use the work. If the co-owners fail to reach an agreement, the issue is to be resolved by the court. In cases of co-ownership of inventions and patents, unless otherwise agreed, each owner may use the invention, but the patent may be assigned or licensed only with the consent of all co-owners.
By proactively addressing these concerns through well-structured agreements and diligent IP management, fintech startups can safeguard their innovations and maintain control over their technological assets.
-
What steps should fintechs take to detect, prevent, and respond to competitors or third parties who might copy or misuse their technology, algorithms, or branding, and how do enforcement strategies differ across jurisdictions?
There are various remedies against infringements of intellectual property rights under Bulgarian civil and criminal law.
The primary remedy is to file a civil litigation case for IP rights infringement, in which the right holder may request the court to: (i) establish the infringing activity; (ii) issue against the defendant an injunction prohibiting the continuation of the infringement; (iii) order the destruction of infringing goods; and (iv) award compensation for the damages suffered by the plaintiff as a result of the infringement. In the course of such litigation it is also possible to file a request for preliminary injunctive measures, such as a provisional prohibition on the continuation of the infringement.
Furthermore, remedies under unfair competition law are available in cases of trademark imitations, the use of imitating domain names/websites, or the unlawful acquisition, use, or disclosure of trade secrets. If such infringements are established, the Bulgarian Commission on Protection of Competition may issue a decision ordering the cessation of the infringing activities and imposing a pecuniary sanction of up to 8% of the annual turnover of the infringer.
-
How are jurisdictions addressing cross-border IP enforcement for fintech products involving distributed infrastructure and decentralized code bases?
Cross-border intellectual property enforcement for fintech products built on distributed infrastructure – such as blockchain networks, cloud-hosted models, or decentralized code – remains legally complex because enforcement mechanisms are traditionally territorial while digital assets are global.
Within the European Union, harmonization efforts help mitigate fragmentation. In Bulgaria and other EU Member States, IP rights are primarily enforced through national courts, but substantive IP standards are shaped by EU directives and regulations. Instruments such as the EU Digital Services Act facilitate cross-border platform accountability by imposing obligations on intermediaries hosting infringing content.
Fintech products built on decentralized architectures pose unique challenges because code may be stored or executed across multiple jurisdictions simultaneously. Traditional enforcement tools – such as injunctions targeting a physical server – are often ineffective when infrastructure is distributed.
The EU Enforcement Directive (IPR Enforcement Directive) provides civil enforcement mechanisms, including damages, seizure of infringing goods, and injunctions. However, practical enforcement against anonymous or decentralized actors remains difficult.
In summary, cross-border IP enforcement for decentralized fintech products relies on hybrid strategies: international legal coordination, intermediary platform regulation, and governance mechanisms embedded in technology and contracts.
-
How should fintechs approach IP protection when licensing or selling software, smart contracts, or AI models to ensure ongoing control and compliance with different countries’ laws?
Fintech companies licensing or selling software, smart‑contract code, or AI models should adopt a structured IP strategy to maintain control and ensure compliance across jurisdictions. The starting point is clear contractual allocation of IP rights: licences must specify scope, territory, permitted uses, sublicensing restrictions, and rights in modifications or derivative works. For AI models, contracts should define ownership of training data, outputs, and improvements, as these issues increasingly appear in complex technology transactions.
Fintechs should also ensure that underlying IP is clean and properly documented. This includes confirming ownership from employees and contractors and tracking obligations arising from open‑source components to avoid triggering unintended rights or copyleft conditions.
Compliance obligations – such as data‑protection rules, consumer‑protection requirements, or emerging AI‑specific transparency duties – should be addressed through warranties, compliance covenants, and audit rights.
The choice of governing law and jurisdiction is crucial, as it determines the interpretation of IP provisions, enforceability of restrictions, and the effectiveness of available remedies across borders.
Finally, enforcement and termination clauses should allow suspension of access, revocation of licences, or disabling of deployed instances in case of breach, ensuring long‑term control over the technology.
-
Under emerging AI-governance frameworks, such as the EU AI Act and U.S. GENIUS Act, what legal obligations apply to fintechs using AI in underwriting, robo-advisory, and fraud protection?
In Bulgaria, the EU AI Act is the primary framework creating AI-specific obligations for fintech use cases. AI used to evaluate creditworthiness or set credit scores for natural persons is treated as “high-risk” (with an explicit exception for AI used to detect financial fraud), which triggers a heavier compliance package around lifecycle risk management, documentation/logging, human oversight, and accuracy/robustness/cybersecurity.
Robo-advisory tools are not automatically high-risk by category, but customer-facing AI often must meet AI Act transparency duties, such as informing users they are interacting with an AI system and disclosing AI-generated/manipulated content where relevant. Fraud/AML monitoring tools may fall outside the AI Act’s “high-risk” label via the fraud-detection carve-out, but fintechs should still maintain strong governance and audit-ready evidence because other financial, consumer, and data rules will still scrutinize outcomes and controls.
-
How can fintechs evidence algorithmic fairness, explainability, and bias mitigation in compliance with new supervisory expectations for automated credit and AML decisioning systems?
For automated credit decisioning, the supervisory expectation would be that a provider treats creditworthiness/credit scoring AI for natural persons as “high-risk” under the EU AI Act (with a specific carve-out where the AI is used for detecting financial fraud) and builds an evidence file that matches that classification. If the provider takes the position that a system listed in Annex III does not fall within the high‑risk category, that conclusion must be formally documented and made available to the competent authorities upon request.
For algorithmic fairness and bias mitigation in high-risk credit AI, the core “evidence” would be a documented, lifecycle risk-management system that identifies and evaluates foreseeable risks to fundamental rights, tests the system, and is regularly reviewed and updated. The provider’s risk management evidence should explicitly address adverse impacts on vulnerable groups. The provider should also evidence performance and bias controls via defined metrics and thresholds used in testing, plus a post-deployment monitoring loop that feeds back into risk controls.
For explainability, supervisors would typically look for user- and auditor-facing “traceability” rather than a single technique: fintechs should be able to explain what data features drive outcomes, how the model behaves across segments, and when human review is triggered, and fintechs should retain logs that let them reconstruct a decision pathway. Separately, where credit decisions are made solely by automated processing and have legal or similarly significant effects, GDPR Article 22 is relevant because it provides safeguards such as the right to obtain human intervention, express a point of view, and contest the decision (subject to the Article 22 framework and exceptions).
-
What are the IP and data-protection considerations around training proprietary AI models on financial data, and how can fintechs structure data-sharing agreements to minimize risk?
Training proprietary AI models on financial datasets usually triggers three overlapping risk areas: GDPR compliance for any personal data, financial-sector confidentiality (notably banking secrecy where bank-customer account/transaction information is involved), and IP/trade-secret control over datasets, features, and model artefacts.
From a data-protection perspective, a fintech needs a clear lawful basis under GDPR for the training and any subsequent model use, and it must be able to demonstrate that the training purpose is compatible with the purpose for which the data was originally collected (or otherwise re-paper the processing). Pseudonymisation is often a key safeguard.
On the IP side, the practical objective is to ensure (a) the fintech has rights to use the dataset for training and (b) the fintech’s dataset engineering (feature definitions, labels, fraud typologies) and the resulting model remain protectable as confidential know-how. Bulgaria has a dedicated Trade Secret Protection Act implementing the EU Trade Secrets Directive, which supports a unified strategy for protecting training data and model-related know-how.
Consequently, to structure data-sharing agreements to minimize risk, fintechs typically combine (1) a GDPR structure document (DPA or joint-controller arrangement) with (2) financial confidentiality terms and (3) IP/trade-secret clauses that are specific to training.
-
How are regulators treating AI-driven investment or credit-decisioning tools for purposes of fiduciary duty, fair lending, and disclosure obligations under updated consumer protection frameworks?
In Bulgaria, regulators generally treat AI-driven credit and investment tools as a change in delivery channel, not a change in legal responsibility, so the regulated firm remains accountable for suitability, best‑interest conduct, and compliant disclosures even when decisions are automated. In the investment context, the FSC explicitly frames “robo advisers” as automated investment advice delivered through portfolio-management algorithms and has published materials to raise consumer awareness, signalling supervisory attention rather than a “lighter” regime. ESMA’s MiFID II suitability guidelines (applied via national supervision across the EU) emphasise that suitability is a mechanism to enable the firm to act in the client’s best interest, which means AI-generated recommendations do not reduce fiduciary-like conduct expectations around best execution of the advisory process, suitability governance, and conflicts control. Those ESMA guidelines also expect firms using automated tools to give clients additional, tool-specific information (for example the degree of human involvement and whether/how human interaction can be obtained), so Bulgarian-supervised firms should expect disclosure scrutiny when advice is delivered through algorithms or chat-style interfaces.
AI systems used to assess creditworthiness or credit scores of natural persons are treated as high‑risk AI systems under Annex III of the EU AI Act, except where used solely for detecting financial fraud. Bulgarian supervisors expect firms to start from that assumption and build their compliance and evidence accordingly. For high-risk credit AI, authorities will likely expect evidence of a continuous risk management system and documented controls for accuracy, robustness, and cybersecurity across the lifecycle.
Under the Second Consumer Credit Directive, when the creditworthiness assessment is based on automated processing, consumers have the right to request and obtain a comprehensive explanation of this assessment from the creditor, and they should also be able to express their point of view and contest the assessment.
-
What emerging liability theories (e.g., negligent model governance, failure to supervise AI) could expose fintechs to enforcement or civil litigation in the next 12 months, and how should firms build defensible risk management frameworks?
In Bulgaria, the most immediate AI liability exposure for fintechs comes from regulators and courts treating AI as part of regulated decision-making, so the firm remains fully responsible for outcomes and controls even if a model or vendor is involved. The likeliest theories over the next 12 months include negligent model governance or failure to supervise automated decisions, especially where creditworthiness/credit scoring is treated as “high-risk” under the EU AI Act. Another major risk is unlawful or poorly safeguarded solely automated decisions, where GDPR Article 22 and consumer-credit rules push expectations for meaningful explanations, human intervention, and contestability. AI-driven marketing and disclosures are also a near-term hotspot where personalization overpromises approvals, costs, or speed. Separately, operational incidents tied to models (outages, data drift, feature-store integrity failures, vendor disruptions) can be reframed as governance failures under DORA. Over time, plaintiffs may increasingly frame harmful AI outcomes as defective software issues as the EU’s updated product-liability framework expands in practice to cover software.
Bulgarian fintech companies should adopt several risk management strategies to mitigate potential legal liabilities associated with AI technologies. These include implementing robust data governance practices, ensuring algorithmic fairness and transparency, conducting regular testing and auditing, maintaining comprehensive documentation, and implementing human oversight. Companies should also stay informed about regulatory changes, enhance cybersecurity measures, develop a comprehensive AI policy, invest in ongoing training and education for employees, and collaborate with industry peers and regulators. Key practices involve using diverse and representative datasets, incorporating fairness constraints and bias detection algorithms, performing frequent bias audits, and employing third-party auditors for independent assessments. Maintaining detailed records of AI development processes and providing clear explanations of decision-making are crucial. Human intervention should be ensured in AI decision-making processes, especially for high-stakes decisions. Companies should monitor and adapt to evolving AI regulations, engage with regulatory bodies, and implement robust cybersecurity protocols. Creating and enforcing a formal AI policy, providing regular training for employees, and participating in industry associations are also important steps. By implementing these strategies, Bulgarian fintech companies can better mitigate potential legal liabilities associated with AI technologies while fostering trust and ensuring compliance in the evolving regulatory landscape.
-
What notable examples of fintech-driven disruption or embedded finance adoption have reshaped your jurisdiction’s financial landscape in the past year?
There are no reported examples of disruption through fintech in Bulgaria in the past year.
-
Looking ahead, which regulatory reforms or global coordination efforts—such as cross-border licensing passporting or stablecoin reserve interoperability—hold the greatest potential to accelerate fintech innovation?
The reforms with the highest upside for accelerating fintech innovation in Bulgaria are EU-wide measures that reduce fragmentation: EU passporting regimes (especially MiCA for crypto), mandatory Euro instant payments, and open-finance data-sharing rules, complemented by stronger cross-border AML supervision and converging stablecoin reserve / redemption standards.
Bulgaria: Fintech
This country-specific Q&A provides an overview of Fintech laws and regulations applicable in Bulgaria.