Bulgaria

**Measures Against Money Laundering Act (MAMLA)** (Закон за мерките срещу изпирането на пари - ЗМИП).

This act defines "virtual assets" and "virtual asset service providers" and brings them within the scope of obliged entities. It outlines the specific requirements for customer due diligence, reporting, and record-keeping.

Exchange between virtual assets and fiat currencies.

Exchange between one or more forms of virtual assets.

Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset are subject to AML/CFT regulation and are treated as financial activities for regulated virtual asset and stablecoin issuers.

The Financial Intelligence Directorate (FID) within the State Agency for National Security (SANS) is Bulgaria's Financial Intelligence Unit (FIU) for AML/CFT, but it is not the key supervisory body for VASPs; VASP supervision falls under other competent authorities.

**Role:** This is Bulgaria's Financial Intelligence Unit (FIU). It is the primary recipient of Suspicious Transaction Reports (STRs) and other AML-related information from obliged entities. SANS is responsible for analyzing suspicious activities and disseminating intelligence to law enforcement.

**Website:** https://www.dans.bg/ (Look for "Дирекция "Финансово разузнаване"" or "Financial Intelligence Directorate" sections)

**National Revenue Agency (NRA)** (Национална агенция за приходите - НАП)

**Role:** The NRA is responsible for the **registration and general supervision** of VASPs for AML/CFT purposes. VASPs in Bulgaria are typically required to register with the NRA and demonstrate compliance with AML obligations. The NRA may conduct inspections and impose administrative sanctions for non-compliance.

**Website:** https://nra.bg/ (Relevant sections often pertain to registration, tax obligations, and specific guidance for businesses, including VASPs.)

Bulgaria has introduced a domestic beneficial ownership definition under the Tax and Social Security Procedural Code for Double Tax Treaty applications and applies a 30% indirect control threshold for identifying UBOs, with EU-mandated updates to UBO register access rules expected by 2026.

**Natural Persons:** Name, date and place of birth, nationality, permanent address, unique identification number (e.g., national ID card, passport number). Identity must be verified using reliable, independent source documents or data (e.g., valid official identification document).

**Legal Entities:** Company name, legal form, registration number, registered address, and the names of the individuals authorized to represent the company. Verification involves obtaining extracts from commercial registers or similar official documents.

**Identification and Verification of the Beneficial Owner (BO):**

For legal entities, VASPs must identify the natural person(s) who ultimately own or control the customer, typically defined as holding 25% plus one share or more of the voting rights or exercising control via other means. This information must also be verified.

**Understanding the Purpose and Intended Nature of the Business Relationship:**

VASPs must gather information on why the customer wants to use their services, the expected transaction patterns, and the source of funds/wealth where relevant.

Regular scrutiny of transactions undertaken throughout the course of the business relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile.

Keeping customer documents, data, and information up-to-date.

**Politically Exposed Persons (PEPs):** Customers who hold or have held prominent public functions, their family members, or close associates.

**High-Risk Third Countries:** Transactions involving customers or beneficial owners from countries identified by the EU or FATF as having strategic AML/CFT deficiencies.

**Complex, Unusual, Large Transactions, or Unusual Patterns:** Transactions that have no apparent economic or lawful purpose.

**Non-Face-to-Face Business Relationships:** Although technology can mitigate some risks, remote onboarding often triggers EDD by default in the crypto sector.

**Transactions exceeding a certain threshold:** While not always mandatory for *all* virtual asset transactions, specific fiat-to-crypto exchanges above certain amounts might require EDD as per internal risk policies.

**Obligation:** VASPs are legally obliged to report any transaction (or attempted transaction) where they know, suspect, or have reasonable grounds to suspect that funds are derived from criminal activity or are related to terrorist financing.

**Recipient:** All STRs must be submitted to the **State Agency for National Security (SANS) - Financial Intelligence Directorate**.

**Timeliness:** Reports must be submitted without delay after forming a suspicion.

**No Tipping-Off:** VASPs and their employees are prohibited from disclosing to the customer or third parties that a STR has been, or will be, submitted.

**CDD Documentation:** All documents and information obtained during the CDD process (identification, verification, beneficial ownership, purpose of relationship).

**Transaction Records:** Records of all transactions, including amounts, currencies, dates, parties involved (senders and recipients), and virtual asset addresses or unique transaction identifiers.

**STRs and Related Analysis:** Copies of all STRs submitted, along with any internal analysis or documentation supporting the decision to file or not to file a report.

**Correspondence:** Records of relevant internal and external communications related to AML/CFT compliance.

**Appoint an AML Compliance Officer:** A designated person responsible for the implementation and oversight of the VASP's AML/CFT program.

**Establish Internal AML/CFT Policies and Procedures:** Develop and implement comprehensive internal rules, procedures, and controls tailored to the VASP's specific risks, covering all aspects of AML/CFT compliance (risk assessment, CDD, STR, record-keeping, training).

**Conduct Regular Risk Assessments:** Periodically assess the money laundering and terrorist financing risks associated with their products, services, customers, delivery channels, and geographical areas of operation.

**Provide Employee Training:** Ensure all relevant employees receive ongoing training on AML/CFT legislation, internal policies, and how to identify and report suspicious activities.

**Registration:** VASPs are required to register with the National Revenue Agency (NRA) prior to commencing operations.

Custodial License Requirements (AML Registration):

Under the AML Act, entities that provide services of safekeeping and administration of crypto-assets on behalf of clients (i.e., "custodian wallet providers") are classified as **Virtual Asset Service Providers (VASPs)**.

These VASPs are required to **register with the National Revenue Agency (Национална агенция за приходите - НАП)**. This is not a "custodial license" in the traditional financial sense, but rather a mandatory registration for AML/CFT purposes.

Requirements for registration in Bulgaria are now subject to enhanced anti-money laundering and counter-terrorist financing measures due to Bulgaria's inclusion on the FATF grey list, which imposes increased regulatory scrutiny and compliance obligations beyond a mere primary focus.

Implementing customer due diligence (CDD) procedures (KYC).

Monitoring transactions for suspicious activities.

Reporting suspicious transactions and activities to the State Agency for National Security (DANS).

Obliged entities in Germany must appoint an AML officer (Geldwäschebeauftragter) in line with section 7 GwG and BaFin’s updated interpretation and application guidance, which now sets more detailed and restrictive conditions on when, how, and under what governance, capacity, and conflict-of-interest standards this officer (and any deputy) must be appointed, documented, and resourced.

Developing and implementing internal AML/CFT policies and procedures.

**Закон за мерките срещу изпирането на пари (Anti-Money Laundering Act)**:

Published in the State Gazette (Държавен вестник), e.g., Issue 27 of 2018, with numerous subsequent amendments.

*Direct official URL for the consolidated text is challenging due to frequent amendments; usually found in legal databases like Lex.bg or Apis.bg.*

**National Revenue Agency (NRA) Website**:

Information regarding VASP registration is usually available on the NRA's official website.

URL: https://nra.bg/ (Navigate to "Услуги" or "Виртуални активи")

Bulgaria has adopted its Markets in Crypto-Assets Act (MCAA) on 20 June 2025, which transposes MiCA requirements including segregation of client assets rules into national law, replacing direct applicability of Article 69 of MiCA.

The current AML framework in Bulgaria **does not explicitly mandate specific operational rules for the segregation of client assets** from the VASP's own assets or from other clients' assets. The focus is purely on AML/CFT compliance.

There are **no specific insurance or bonding requirements** for VASP registration under the current AML Act in Bulgaria.

The current AML framework **does not mandate cold storage** or any specific technological storage methods for crypto-assets.

State trust companies are not automatically qualified custodians equivalent to federally regulated entities; qualification requires specific federal no-action relief, and the definition is shifting under the proposed Safeguarding Rule.

The term "qualified custodian" as understood in other jurisdictions (e.g., SEC rules in the US) **does not exist** in the current Bulgarian AML framework. Any VASP registered to provide custody services is deemed compliant for AML purposes, but without specific operational standards for custody.

Recent and ongoing custody legislation enacted or advancing in multiple states

MiCA is no longer pending legislation but an actively enforced regulatory framework as of December 30, 2024. However, Bulgaria still faces significant outstanding implementation work, including finalization of national transposition measures and achieving full supervisory convergence, making these implementation tasks—rather than the legislation itself—the most significant pending regulatory actions.

**From 30 June 2024:** Titles III (asset-referenced tokens) and IV (e-money tokens) apply.

**From 30 December 2024:** The remaining provisions, including those for crypto-asset service providers (CASPs) offering custody services, apply.

Custodial and non-custodial crypto wallet services require government licenses in major jurisdictions (US, UK, EU), with GENIUS Act imposing federal supervision and reserve requirements for stablecoin custodians

Under MiCA, entities providing "custody and administration of crypto-assets on behalf of clients" will be categorized as **Crypto-Asset Service Providers (CASPs)**.

These CASPs will require **authorization** from a national competent authority. In Bulgaria, it is highly anticipated that the **Financial Supervision Commission (Комисия за финансов надзор - КФН)** will be designated as the competent authority for MiCA.

Article 59 of MiCA lays down the basic authorisation *principle*—that crypto‑asset services in the EU may only be provided by entities authorised as CASPs or certain existing regulated financial institutions and that authorised CASPs must be EU‑established—but the *detailed requirements* for obtaining a CASP licence are set out primarily in Article 63 (authorisation procedure) and Article 62(2)(a)-(s) (application content), not in Article 59 itself.

Legal entity with a registered office in an EU member state.

Minimum initial capital requirements (e.g., for custody services, €125,000 or a quarter of fixed overheads from the previous year, whichever is higher, potentially covered by professional indemnity insurance).

Robust governance arrangements, including clear organizational structure, internal control mechanisms, risk management procedures.

Effective arrangements to prevent conflicts of interest.

Sound administrative and accounting procedures.

Adequate IT systems, resources, and security access protocols (e.g., for private keys).

Suitability of management and shareholders (fit and proper tests).

Business plan, internal policies, and procedures for all MiCA requirements.

**Segregation of Client Assets Rules (Article 69 of MiCA):**

MiCA explicitly mandates stringent segregation rules for CASPs providing custody services. They must:

**Segregate clients' crypto-assets from their own assets and from the assets of other clients.**

Maintain records and accounts that ensure appropriate segregation and separate accounting of clients’ crypto‑assets, consistent with applicable custody and safekeeping requirements, rather than requiring immediate real‑time segregation in all cases.

Ensure that crypto-assets held on behalf of clients are not used without the explicit prior consent of the client.

Return clients' crypto-assets or their equivalent value promptly.

Be able to return any crypto-assets belonging to clients to them without delay in the event of their insolvency.

**Insurance/Bonding Requirements (Article 60 of MiCA):**

MiCA sets **prudential requirements** for CASPs, including initial capital requirements.

Instead of holding the full amount of initial capital in own funds, CASPs may be able to cover a portion of these requirements with a **professional indemnity insurance policy** that covers the territories where the CASP offers services. The specific conditions for such insurance are detailed in MiCA.

MiCA **does not explicitly mandate "cold storage"** as a specific technology. However, it requires CASPs to:

Implement the **highest standards of operational reliability, security, and integrity** in managing private keys and access credentials to crypto-assets.

Have **robust security policies and procedures** in place.

Ensure operational resilience and provide for rapid recovery of crypto-assets and clients' information in case of a system failure.

While not explicitly named, the requirement for robust security and management of private keys often implies the use of offline (cold storage) and multi-signature solutions as best practices.

MiCA does not itself define a 'qualified custodian'; it regulates crypto-asset service providers (CASPs) that offer custody and administration services through authorization and operational requirements, but that is a separate concept from the traditional 'qualified custodian' standard used in other regulatory frameworks.

Bulgaria has an established custody/parental-responsibility regime that is currently applied by courts; the evidence does not show a specific pending custody-law change tied to this claim.

Bulgaria has already adopted national legislation to implement and complement MiCA, including the Law on Crypto-Asset Markets (Crypto-Asset Markets Act/CAMA), which entered into force in July 2025 and introduced licensing, supervision, and transitional rules.

Under the EUDR, the competent authority must be a national governmental body formally designated by each EU Member State (for Bulgaria, a Bulgarian state authority), not a private certification body such as the FSC.

Bulgaria has already established and brought into force its national MiCA framework for CASPs through the Markets in Crypto-Assets Act (MCAA), which entered into force on 8 July 2025 and designates the competent authorities and sets out the procedures for authorization, supervision, and enforcement of MiCA rules for crypto-asset service providers.

Amending existing laws (e.g., the FSC Act, possibly parts of the AML Act) to align with MiCA and grant the designated authority the necessary powers. This legislative work is expected to be finalized before MiCA's full application date of December 30, 2024.

This legislative work is expected to be finalized before MiCA's full application date of December 30, 2024.

**Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (Text with EEA relevance).**

**Financial Supervision Commission (FSC) Website (Expected Competent Authority):**

**State Agency for National Security (DANS)** - Financial Intelligence Directorate (FID)

**Bulgarian National Bank (BNB)** - (Supervision of financial institutions, not direct VASP licensing/AML supervision)

**Legal Framework for Violations & Penalties:**

**Violation Type:** Non-compliance with the Measures Against Money Laundering Act (MAMLA), specifically regarding VASP registration, customer due diligence (CDD), ongoing monitoring, suspicious transaction reporting (STR), record-keeping, internal control rules, etc.

**Penalty Amounts (as per MAMLA):**

For individuals: Fines from BGN 1,000 to BGN 10,000 (approx. EUR 511 to EUR 5,110).

For legal entities and sole traders: Property sanctions from BGN 5,000 to BGN 200,000 (approx. EUR 2,555 to EUR 102,260).

Repeated violations can lead to significantly higher penalties.

**Outcome:** Administrative fines, cessation of non-compliant activities, and potential criminal investigations in severe cases of money laundering.

Bulgaria has faced specific public enforcement actions in the last three years, including an EU disciplinary action proposed in June 2026 for an excessive budget deficit.

This does not mean enforcement isn't happening. It often indicates that:

Enforcement actions might be more numerous but against smaller, less prominent entities.

Such actions might not be publicly reported in detail, or only in Bulgarian administrative registers that are not easily accessible or translated.

The focus might be heavily on achieving compliance through warnings and guidance rather than punitive measures in all instances.

Bulgaria might have a smaller local crypto market compared to other major jurisdictions, leading to fewer large-scale non-compliance cases.

**State Agency for National Security (DANS) - Financial Intelligence Directorate:** This is the key body for AML/CFT supervision of VASPs.

*Source (General information on DANS responsibilities):*

**Bulgarian National Bank (BNB) - Measures Against Money Laundering Act:** The BNB website often references the framework, though DANS is the direct supervisor for VASPs.

BNB supervises AML compliance for banks under MAMLA, aligned with updated EU directives and recent legislative enhancements

*Note: Direct public English reporting of DANS's specific crypto enforcement actions is rare.*

**Measures Against Money Laundering Act (MAMLA):** This act dictates the requirements for VASPs and the penalties for non-compliance.

*Source (General legal framework):* While finding an official English translation linked to a government site is challenging, law firms often publish summaries.

Wolf Theiss - Digital Assets in Bulgaria: Regulation - A law firm overview from 2023 discussing the regulatory landscape and compliance obligations.

Titles III (ARTs) and IV (EMTs): Apply from 30 June 2024.

Other provisions: Apply from 30 December 2024.

Defined as a type of crypto-asset whose main purpose is to maintain a stable value by referencing the value of a single fiat currency (e.g., EUR-pegged stablecoin).

They are functionally equivalent to electronic money.

**Regulation:** Governed by MiCA (Title IV) and also subject to the existing Electronic Money Directive (EMD2) and national implementing legislation (e.g., Bulgaria's Payment Services and Electronic Money Act).

**Competent Authority (Bulgaria):** The Bulgarian National Bank (BNB) will likely be the primary authority for EMTs, as it oversees e-money institutions.

Defined as a type of crypto-asset that is not an e-money token and whose main purpose is to maintain a stable value by referencing any other value or right, or a combination thereof, including one or several official currencies, one or several commodities, or one or several crypto-assets (e.g., a stablecoin pegged to a basket of currencies or gold).

**Regulation:** Governed by MiCA (Title III).

The Financial Supervision Commission (FSC) is expected to be the primary authority for ARTs under MiCA, but Bulgaria is on the FATF grey list and has ongoing compliance gaps. The FSC is listed as the competent authority for AML supervision of financial markets in Bulgaria, but the claim's reference to 'ARTs' (Asset-Referenced Tokens) under MiCA is correct only in a general sense — MiCA designates national competent authorities, and Bulgaria's FSC is responsible for financial instruments and crypto-assets. However, the source does not explicitly confirm the FSC as the primary authority for ARTs.

If a stablecoin qualifies as a "financial instrument" under Bulgarian law (transposing MiFID II), it would be regulated under existing securities laws, not MiCA. MiCA explicitly carves out financial instruments from its scope. This is less common for typical stablecoins, but a complex token design could potentially cross this line.

Issuers must comply with the EMD2 requirements, meaning that the funds received in exchange for EMTs must be **fully backed** by fiat currency.

These funds must be held in a segregated account at a credit institution or invested in secure, liquid, low-risk assets.

MiCA (Art. 52) reiterates that EMTs are subject to the same requirements as electronic money under EMD2.

MiCA (Art. 35) imposes stringent requirements:

The issuer must create and maintain a **reserve of assets** that is separate from its own assets and managed in the best interest of the token holders.

The reserve assets must be segregated and held in **custody** by authorized credit institutions or crypto-asset service providers.

The value of the reserve assets must be at all times **at least equal to the value of the outstanding ARTs**.

The issuer must have a clear **investment policy** ensuring reserve assets are invested in highly liquid financial instruments with minimal market risk.

A liquidity management policy with prescribed minimum contents is required under the applicable EU framework to support/redemption handling, rather than a generic standalone requirement for a 'robust' policy.

Under MiCA, a person may not make a public offer of, or seek admission to trading of, an EMT in the EU unless that person is the issuer of the EMT and is authorised as a credit institution or as an electronic money institution; however, MiCA does not impose a blanket prohibition on any other person issuing EMTs outside the context of a public offer or admission to trading.

In Bulgaria, most crypto-asset service providers obtain authorization from the Financial Supervision Commission (FSC), while the Bulgarian National Bank (BNB) is the competent authority only for specific MiCA-related matters such as asset-referenced tokens and e-money tokens within its powers.

Issuers of ARTs must be a **legal entity** established in the EU.

They must be authorized by the relevant national competent authority – in Bulgaria, this is expected to be the **Financial Supervision Commission (FSC)**.

The authorization process involves submitting a detailed application, including a white paper, business plan, governance arrangements, and a description of the reserve assets and their custody.

Existing credit institutions may also issue ARTs without separate authorization but must notify their competent authority.

Holders of EMTs have the right to redeem them for the underlying fiat currency at **par value**, at any time, and free of charge, as per existing e-money regulations (EMD2) and MiCA (Art. 58).

MiCA (Art. 39) mandates that ART holders have the right to redeem their tokens for the reserve assets (or their monetary value) at **par value**, without undue delay, and free of charge (unless the issuer specifies a fee in the white paper, which must be justified and proportionate).

The terms and conditions for redemption must be clearly outlined in the crypto-asset white paper.

MiCA effectively **prohibits** the issuance to the public of purely algorithmic stablecoins that do not maintain their stability through a reserve of assets.

Specifically, MiCA's definitions of ARTs and EMTs are based on maintaining stability by referencing assets. If a crypto-asset claims to maintain stability through algorithmic means without a genuine reserve, it typically falls outside these definitions.

MiCA (Recital 27) explicitly states that crypto-assets that claim to maintain a stable value without using such mechanisms (i.e., through algorithmic rules only) are not covered by the definitions of ARTs or EMTs and, if they pose a significant risk to financial stability, could be subject to specific measures. The general spirit of MiCA aims to prevent the risks associated with such unbacked algorithmic stablecoins.

MiCA **does not regulate Central Bank Digital Currencies (CBDCs)**, such as a potential digital Euro issued by the European Central Bank (ECB) or national central banks.

Article 1(3)(e) of MiCA explicitly states that it does not apply to "crypto-assets that are issued by the European Central Bank or by national central banks of Member States when acting in their capacity as monetary authorities."

A digital Euro would coexist with MiCA-regulated private stablecoins, but the relationship is now explicitly competitive and protective rather than cooperative. The digital Euro serves as a defensive measure against private stablecoin risks to monetary sovereignty, while private euro stablecoins launched by European banks create direct market competition rather than a one-way benchmark effect.

**Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114:**

The BNB supervises e-money institutions and payment service providers. It will be the competent authority for EMTs.

The BNB would be responsible for updating national legislation (like the Payment Services and Electronic Money Act) to align with MiCA where necessary and for issuing guidance.

The FSC supervises financial markets, including securities and investment firms. It is expected to be the competent authority for ARTs and other crypto-asset service providers under MiCA.

The FSC will be instrumental in the authorization and supervision of ART issuers and other Crypto-Asset Service Providers (CASPs) under MiCA.

**Payment Services and Electronic Money Act (Закон за платежните услуги и платежните системи):**

This national law transposes the EU's Payment Services Directive (PSD2) and Electronic Money Directive (EMD2) into Bulgarian law. It currently governs e-money institutions. EMTs under MiCA will continue to be subject to its principles.

**URL (unofficial translation available, official in Bulgarian):** Search "Закон за платежните услуги и платежните системи" on Bulgarian legal databases like https://www.lex.bg/

**Measures Against Money Laundering Act (Закон за мерките срещу изпирането на пари):**

Implements the EU's new Anti-Money Laundering Regulation (AMLR), part of the 2024 AML package, which supersedes previous directives like 5AMLD and 6AMLD. Crypto-asset service providers, including stablecoin issuers and custodians, are obliged entities under this regulation and must comply with AML/CFT requirements (customer due diligence, reporting suspicious transactions, etc.).

AML/CFT remains the core regulatory objective for Virtual Asset Service Providers (VASPs), which are increasingly being brought within registration or licensing regimes and must implement risk‑based AML/CFT controls; however, the regulatory focus has evolved beyond mere registration and static compliance to encompass broader, more dynamic supervisory expectations, including enhanced risk assessments, monitoring, transparency, and technology‑driven oversight in line with updated FATF guidance.

**Future (Market Regulation):** With the upcoming full implementation of MiCA, Bulgaria will adopt a comprehensive framework for the issuance, trading, and provision of services related to most crypto-assets, covering market integrity, investor protection, and financial stability.

**State Agency for National Security (SANS) / Държавна агенция "Национална сигурност" (ДАНС)**:

**Role:** The Financial Intelligence Directorate (FID) within SANS is the primary body responsible for enforcing AML/CFT regulations related to virtual assets. VASPs are required to register with SANS and report suspicious transactions to the FID.

**Financial Supervision Commission (FSC) / Комисия за финансов надзор (КФН)**:

**Role:** As Bulgaria's financial markets regulator, the FSC is expected to be the competent authority for the implementation and supervision of the MiCA Regulation once it fully applies. This will include licensing, supervision of crypto-asset issuers, and crypto-asset service providers.

**National Revenue Agency (NRA) / Национална агенция за приходите (НАП)**:

**Role:** Responsible for the taxation of cryptocurrency transactions and income.

**Law for Measures Against Money Laundering (LMAML) / Закон за мерките срещу изпирането на пари (ЗММДТ)**

**Date:** Initially adopted in 1998, with significant amendments over the years, notably to transpose **EU AMLD5 (Directive (EU) 2018/843)** which brought Virtual Asset Service Providers (VASPs) under the scope of AML/CFT regulations.

**Key Provisions:** Requires VASPs (exchanges, custodians, etc.) to register with SANS, implement Know Your Customer (KYC) procedures, monitor transactions, and report suspicious activities. This is the primary national law governing AML/CFT for virtual assets.

**Reference (Primary EU Regulation):** https://eur-lex.europa.eu/legal-content/BG/TXT/?uri=CELEX:32009R1223 (Directly applicable in Bulgaria as EU law, reflecting amendments including Commission Regulation (EU) 2026/78.)

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA)**

**Date:** Entered into force on **June 29, 2023**.

**Key Provisions:** This is an EU regulation, meaning it will be directly applicable in Bulgaria (and all EU member states) without the need for national transposition.

**Titles III and IV (Asset-referenced tokens and e-money tokens):** Apply from **June 30, 2024**.

**Other provisions (e.g., authorization of CASPs):** Apply from **December 30, 2024**.

Bulgaria has already implemented MiCA into national law, making the harmonized regulatory framework active within the country, rather than a future creation.

Authorization and supervision of crypto-asset service providers (CASPs).

Issuance of certain crypto-assets (asset-referenced tokens, e-money tokens, other crypto-assets).

Market abuse rules, consumer protection, and operational resilience.

**Income Tax Act for Individuals (Закон за данъците върху доходите на физическите лица - ЗДДФЛ)** and **Corporate Income Tax Act (Закон за корпоративното подоходно облагане - ЗКПО)**

**Key Provisions:** Gains from the sale of cryptocurrencies are generally subject to income tax for individuals (10% flat tax on the positive difference between the sales price and acquisition price) and corporate tax for legal entities (10% on corporate profits). The NRA has issued guidance on the tax treatment of crypto-assets.

**Legal, but Regulated:** Crypto trading and the operation of crypto exchanges (VASPs) are **legal in Bulgaria**, but subject to strict regulatory oversight, primarily for AML/CFT purposes.

**Registration Requirement:** All entities operating as Virtual Asset Service Providers (VASPs) – including crypto exchanges, custodial wallet providers, and those facilitating fiat-to-crypto and crypto-to-crypto exchanges – **must register with the State Agency for National Security (SANS)** and comply with the obligations outlined in the Law for Measures Against Money Laundering (LMAML). This includes implementing robust KYC, customer due diligence, transaction monitoring, and suspicious activity reporting.

A specific licensing regime (CASP authorization under MiCA) is now required for operating a crypto exchange in Bulgaria, replacing the prior AML registration model.

**Future under MiCA:** From **December 30, 2024**, crypto exchanges and other Crypto-Asset Service Providers (CASPs) operating in Bulgaria (or serving Bulgarian customers) will need to be **authorized by the Financial Supervision Commission (FSC)** or another competent authority in the EU, and comply with the full scope of MiCA requirements (capital requirements, organizational requirements, consumer protection rules, etc.).

**Legal Basis:** EU sanctions are typically imposed through Council Decisions and implemented via Council Regulations. These Regulations are directly applicable in all EU Member States without the need for national transposition.

EU sanctions apply in Bulgaria, but Bulgaria has imposed additional national restrictions, such as a temporary ban on fuel exports to other EU members following Lukoil sanctions, modifying the uniform application of EU sanctions within its jurisdiction.

All natural and legal persons, entities, or bodies within the territory of the EU.

Any legal person, entity, or body incorporated or constituted under the law of a Member State.

Any natural or legal person, entity, or body in respect of any business done in whole or in part within the EU.

**Definition of "Funds" and "Economic Resources":** EU sanctions regulations typically prohibit making "funds" and "economic resources" available to designated persons and entities. Post-AMLD5 and the Russia sanctions, cryptocurrencies are widely understood and treated as "funds" or "economic resources" for sanctions compliance purposes.

**Legal Reference:** Council Regulation (EU) No 833/2014 (concerning restrictive measures in view of Russia's actions destabilising the situation in Ukraine), Article 5b, explicitly mentions the prohibition of providing crypto-asset wallet, account, or custody services to Russian persons/entities. Similar provisions can be found in other sanctions regimes.

Council Regulation (EU) No 833/2014 (See Article 5b for crypto-related restrictions concerning Russia)

**Obligation to Freeze Assets:** VASPs must immediately freeze all funds and economic resources belonging to, or owned or controlled by, designated persons and entities listed in EU sanctions regimes. This includes any crypto assets held or transacted through the VASP.

**Prohibition on Making Funds Available:** VASPs are prohibited from making any funds or economic resources, directly or indirectly, available to or for the benefit of designated persons and entities.

**Customer Due Diligence (CDD) and Screening:** Under the EU Anti-Money Laundering Directives (AMLDs), VASPs are obliged to apply CDD measures, which explicitly include screening clients and beneficial owners against sanctions lists.

**Directive (EU) 2018/843 (AMLD5):** Extended AML/CFT obligations to VASPs, including customer due diligence and reporting of suspicious transactions.

**Directive (EU) 2015/849 (AMLD4):** The foundational AML directive, as amended by AMLD5.

The European Banking Authority (EBA) has extended its Guidelines on ML/TF risk factors and customer due diligence to explicitly cover crypto‑asset service providers (CASPs), and these guidelines are to be applied across the EU via national competent authorities, including in Bulgaria. However, the guidelines themselves are not directly legally binding on VASPs/CASPs; instead, Bulgarian authorities (e.g., the Financial Intelligence Directorate, Bulgarian National Bank, Financial Supervision Commission) are expected to ‘comply or explain’ with the EBA Guidelines and transpose their substance into national supervision and expectations for obliged entities, including CASPs/VASPs. The updated EBA ML/TF risk factor Guidelines will apply from 30 December 2024.

The EBA Guidelines on ML/TF risk factors remain EBA/GL/2021/02, but they now apply only in their consolidated, amended form as modified by EBA/GL/2023/03 and EBA/GL/2024/01 (including new and updated guidance such as sectoral rules for crypto‑asset service providers).

**Russia:** Extensive restrictions on trade, financial services (including crypto services to or for persons/entities residing in Russia or established in Russia), and specific sectors.

**North Korea (DPRK):** Comprehensive embargoes on financial services, trade, and related activities.

**Iran, Syria, Venezuela, Myanmar, Belarus, etc.:** Various targeted sanctions regimes that may include financial and sectoral restrictions.

**Directive (EU) 2018/1673 (AMLD6):** Requires Member States to ensure that offenses relating to money laundering (which includes sanctions evasion as a predicate offense) are punishable by maximum terms of imprisonment of at least four years, and imposes additional sanctions or measures, including fines for legal persons.

**Implementation:** The EU adopts Council Regulations that transpose UN Security Council Resolutions into EU law.

**Scope:** UN sanctions typically target specific individuals, entities, and countries (e.g., ISIL (Da'esh) and Al-Qaida, Taliban, DPRK, Iran, Libya, Somalia, Sudan, Yemen, etc.).

**Obligations for VASPs:** The same obligations for freezing assets, prohibiting making funds available, and screening apply as with EU autonomous sanctions, as they are implemented through the same EU legal framework.

**Legal Reference (Example for Al-Qaida/ISIL):** Council Regulation (EC) No 881/2002 implementing UNSCR 1267 (1999) and subsequent resolutions concerning restrictive measures against certain persons and entities associated with the ISIL (Da'esh) and Al-Qaida organisations.

Council Regulation (EC) No 881/2002

**UN Sanctions List:** The consolidated list of persons and entities subject to UN sanctions is available on the UN website.

UN Security Council Sanctions Committees

Use U.S. correspondent banking services.

Use U.S.-origin technology or software.

Facilitate transactions that touch the U.S. financial system.

**Sanctioned Entity Screening:** VASPs dealing with the U.S. or using U.S. financial infrastructure are expected to screen against OFAC's Specially Designated Nationals (SDN) and Blocked Persons List, as well as other OFAC sanctions lists.

**Crypto Enforcement:** OFAC has actively targeted crypto mixers, exchanges, and individuals involved in sanctions evasion using virtual assets. They have explicitly stated that sanctions apply to virtual currency transactions just as they apply to traditional fiat transactions.

**Geographic Restrictions:** OFAC administers numerous sanctions programs targeting specific countries (e.g., Russia, Iran, North Korea, Cuba, Syria, Venezuela) and illicit actors (e.g., narcotics traffickers, terrorists, cybercriminals).

**Penalties for Violations:** Violations can result in severe civil and criminal penalties, including substantial fines, imprisonment for individuals, and being cut off from the U.S. financial system.

OFAC's Guidance on Virtual Currency