The Bulgaria Whistleblower Protection Law

Explore the Bulgarian Whistleblower Protection Law, including compliance requirements, scope, and how to support and protect reporting in your organization

Get your guide

Bulgaria Whistleblower Protection Law overview

Bulgaria enacted its first-ever whistleblower protection law in January 2023 to transpose the EU Whistleblower Protection Directive’s requirements into national law. The law defines whistleblower protections for anyone reporting violations of either EU law or Bulgarian criminal and employment law, and imposes several obligations on organizations to protect internal whistleblowers.

The new legislation covers all public and private organizations with at least 50 employees, requiring them to establish mechanisms to allow for whistleblower reports and to protect whistleblowers. Employers must also appoint someone to investigate whistleblower claims, and this can be an internal manager or an external third party.

The law protects whistleblowers and those assisting them from retaliation for submitting a report. It also allows them to report their concerns externally to Bulgaria’s Commission for Protection for Personal Data, which then has legal authority to forward the complaints onto various other Bulgarian regulators depending on the exact concern being raised.

What does the Bulgarian whistleblower protection law cover?

The law adopts the minimum standards for whistleblower protection outlined in the EU Whistleblower Protection Directive. These requirements include:

A secure and confidential channel for receiving whistleblower reports must be in place.
Acknowledgment of the receipt of every whistleblowing report must be provided to the whistleblower within seven days.
An impartial person or department must be appointed to follow up on the reports.
Records must be kept of every report received in compliance with confidentiality requirements.
There must be diligent follow-up of the report by the designated person or department.
Feedback on the follow-up or investigation must be given to the whistleblower within three months of receiving the report.
All processing of personal data must be done in accordance with GDPR.

What are the rules outlined in the Bulgarian whistleblower protection law?

Bulgaria’s whistleblower protection law covers all organizations with at least 50 employees. Organizations in Bulgaria’s public sector or private organizations with 250 or more employees must have already established their whistleblower programs by the end of May 2023; smaller organizations must do so by the end of 2023. Organizations with fewer than 250 employees are also allowed to establish a joint whistleblower program in coordination with other small businesses. Financial service firms need to establish an internal reporting system even if they have only one employee.

All covered business must meet the following basic requirements

The law requires all covered businesses to

Set up a whistleblowing system with comprehensive whistleblower protections
Adopt a policy on reporting legal violations and other misconduct.
Businesses must also train employees on how to use the hotline and on the importance of non-retaliation
Review the rules for their internal reporting programs at least once every three years.

Companies are allowed to outsource the management of their hotline to a third-party service provider. They are also allowed to use existing internal reporting channels if the Bulgarian company is part of a larger corporate parent, so long as that parent company’s whistleblower program meets the requirements of the Bulgarian whistleblower law.

Anonymous report intake and management

Whistleblowers are allowed to submit reports in writing, verbally or in person; and the company must preserve a record of every report submitted. Companies are not obligated to investigate anonymous reports under Bulgaria’s law, although they can do so if they choose. That said, if a company receives an anonymous report and that person’s identity later becomes known, they are still eligible for the law’s anti-retaliation protections just like any other whistleblower. Companies also can generally ignore any whistleblower complaint that alleges misconduct more than two years old.

What are the risks of non-compliance?

Companies that violate the Whistleblower Protection Law, either by failing to implement a whistleblower program or allowing retaliation to happen, can be subject to regulatory enforcement and fines of 5,000 to 20,000 Bulgarian lev, the national currency

Explore more resources on whistleblowing and regulatory compliance in the EU

Guides
2026 Guide to Workplace Conduct
Explore the state of workplace conduct issue reports, learn what the data really says about culture, risk and trust, and determine how to best approach your speak-up program in 2026 and beyond.
Get the guide
7 Apr 2026 Carrie Penman
Looking Back, Moving Forward: A 15-Year Journey in Whistleblowing and Incident Management Benchmarking – What’s Next?
This article, from the 2026 Top 10 Trends in Risk & Compliance, discusses how past benchmarking is useful context for what’s to come in R&C.
Read more
Guides
Internal Reporting Benchmarks for Speak-Up Culture
Benchmark your internal reporting against 15 years of global data. See how Reports per 100 Employees have changed over time and what this data reveals about your speak-up culture.
Get the guide
Customer Stories
Aderco: International Whistleblowing Program Delivered by NAVEX One
Read how Aderco implemented a centralized, secure, and confidential reporting process backed by effective case management and tracking.
See their story
Customer Stories
Integrating Fragmented Internal Reporting Channels to Transform the “Voice of Employees” into a Strategic Management Resource
Hitachi, Ltd. is a global enterprise with approximately 280,000 employees worldwide, around 600 subsidiaries, and numerous group companies. To establish an effective internal reporting system, the company fully implemented the NAVEX Whistleblowing & Incident Management solution in 2020 and launched the “Hitachi Global Compliance Hotline.” Currently, the system receives approximately 2,000 internal reports annually from both domestic and international sources, functioning as a core infrastructure supporting global governance.
See their story
19 Mar 2026 Matt Kelly
Learning to Speak the Language of Business
Compliance officers need to speak the language of the business and communicate in terms that the board, management, and other leaders will understand.
Read more
18 Mar 2026 NAVEX Editorial Team
The Signals of a Healthy Speak-Up Culture
Speak-up culture is revealed through patterns, not promises. Learn which signals matter most for oversight and trust.
Read more
17 Mar 2026 NAVEX Editorial Team
From Findings to Fixes: Closing the Loop on Investigations
Closing the loop on internal investigations turns findings into corrective action. Learn how remediation, accountability, and governance visibility strengthen compliance programs.
Read more
13 Mar 2026 NAVEX Editorial Team
How to Protect Whistleblowers and Your Organization at the Same Time
Trust in speak-up programs is built after a report is made. Learn how investigations and follow-through protect whistleblowers and organizations alike.
Read more
10 Mar 2026 Jaclyn Jaeger
The European Commission’s Digital Package: What it Means for Cybersecurity Compliance
The European Commission’s digital package aims to simplify GDPR, AI Act and cybersecurity rules. Here’s what’s changing and what it means for compliance.
Read more
5 Mar 2026 Sarah Jo Loveday
Signals Show Heightened Stress on Workplace Cultures
This article, from the 2026 Top 10 Trends in Risk & Compliance eBook, discusses the signals pointing to an erosion of workplace culture.
Read more
3 Mar 2026 NAVEX Editorial Team
Consistency Is the Spine of a Defensible Investigation
Inconsistent investigations create risk. Learn why consistency, not rigidity, is essential to defensibility, fairness, and long-term credibility.
Read more