How the Changes to Regulation N-18 (2025) Affect Online Stores and How to Prepare
Regulation No. N-18 of 2006 on the registration and reporting of sales is one of the key regulatory instruments that shapes and controls commercial activity in Bulgaria. Over the years, it has undergone numerous amendments to adapt to a dynamically developing economic environment. As one of the fastest-growing sectors, e-commerce is no exception and has always been under the scrutiny of legislation.
The latest amendments to the regulation were published in State Gazette No. 42 of May 23, 2025. These new rules directly affect every e-commerce store owner, setting new requirements for software systems, reporting, and business processes. Below, we discuss the main changes, how they affect online stores, what the risks are, and how to prepare to comply with the regulatory framework.
What Are the Most Important Changes
-
Right to Issue an Electronic Fiscal or System Receipt
A new paragraph, par. 19 in Art. 3 of the Regulation, has been created, which gives a person who makes sales through an e-commerce store or uses an Integrated Automated Trade Management System (IATMTS) or an Electronic System with Fiscal Memory (ESFM) in a commercial establishment the right to register and report sales by issuing a fiscal/system receipt generated in electronic form, under certain conditions. These conditions include having the client’s data necessary for providing the receipt in electronic form (Art. 25, par. 13) and storing data on the method, date, time, and minute of providing the receipt.
-
Requirements for E-commerce Stores to Submit Information to the National Revenue Agency (NRA)
Entities that make sales through an e-commerce store, whether through their own domain or a platform, are required to submit certain information to the NRA. This includes reporting data, sales data, information about the software they use, and more.
-
Changes Related to the Introduction of the Euro
The changes stipulate that the total amount payable on issued documents can be displayed not only in Bulgarian leva but also in another currency, with a view to the transition to the euro. This requires changes to fiscal devices and management software to support the new currency and method of designation.
-
Improvement of Software and Technical Requirements
The changes require that the software used for sales management and fiscal devices must be compatible with the new requirements, such as electronic receipts, new formats, euro support, and new features in ESFM (systems with fiscal memory).
-
Joint Operation of Different ESFM Devices
In a commercial establishment, in cases of refueling/sales of liquid fuels, it is permissible to use two approved types of ESFM, manufactured by different producers, provided they have been tested and approved for joint operation.
-
Deadlines for Compliance
For some of the new requirements, specific deadlines are set for merchants using fiscal devices, IATMTS, and software to bring their operations into compliance with the Regulation.
Breakdown of Key Regulatory Changes
Differentiation of Payments
One of the most fundamental requirements reinforced by the current changes is the distinction in the sales reporting regime based on the payment method. For online merchants, this principle is of critical importance. When a payment is made by bank transfer or through a licensed payment system like PayPal or Stripe, it is considered non-cash and does not require the issuance of a fiscal receipt. In such cases, it is sufficient to issue an invoice or another primary accounting document to certify the transaction.
Although this exception has existed for a while, its emphasis in the new regulation signals the NRA’s increasing focus on controlling cash flows that have previously fallen into the “gray zone” of e-commerce. Sales made via cash on delivery or any other form of cash payment, including those handled by courier companies, must now be mandatorily reported through an approved sales management software for commercial establishments (SMSCE) or a fiscal device that generates a fiscal receipt. This measure is directly aimed at ensuring full control over cash flow and eliminating opportunities for revenue concealment, guaranteeing that every transaction involving cash movement is properly registered and reported to the tax authorities. In essence, the regulator is closing one of the largest loopholes in e-commerce reporting, treating cash on delivery payments the same as any other cash payment.
Free 30-minute consultation for new clients.
Full-Fledged Introduction of Electronic Fiscal Receipts
In response to technological developments and modern business practices, the changes to Regulation N-18 (2025) introduce the possibility of issuing fiscal or system receipts entirely in electronic form, such as in PDF format, without the need for them to be printed on paper. This provision represents a significant step forward toward the complete digitalization of e-commerce processes. To take advantage of this, merchants must have the customer’s data, such as an email address, and ensure they store information on the exact date and time the electronic receipt was delivered.
The introduction of electronic receipts isn’t just an administrative convenience. It has deeper implications, reducing operational costs for paper, printers, and logistics, and simplifying the archiving process. For the NRA, this is a key element of a broader strategy to enhance digital control. When all fiscal receipts exist in a structured, electronic format, they can be much more easily analyzed, audited, and processed. This facilitates automated oversight and improves transparency across the entire reporting system. In this way, the regulator adapts to the reality of online business while securing powerful tools for control.
Updates to SMSCE and Reporting
The new requirements for sales management software (SMSCE) are a significant part of the regulatory framework. One of the key innovations is the need for changes to the XML audit file, which must include special parameters for the correct reporting of returned orders and refunded amounts. This ensures that every stage of a commercial transaction, including its cancellation, is properly documented and traceable.
Furthermore, every electronic note must mandatorily contain the name or identifier of the “operator” who made the sale, such as “Online System” or “API Checkout.”
Perhaps the most important change in this regard is the official equalization of online merchants with physical establishments concerning document storage requirements. It is now mandatory to store all reports, including daily financial reports, in a structured format for a period of at least five years. This signals that the NRA no longer treats e-commerce as a secondary or marginal sales channel but as a primary one subject to the same strict regulatory control. To achieve this, online stores must have a reliable system for generating and archiving these documents, whether in the cloud or on a physical medium. These requirements increase pressure on merchants to invest in reliable, certified software solutions that can ensure full compliance.
Another important change relates to the introduction of the euro as the official currency. The changes stipulate that the total payment amount can be displayed in issued documents not only in Bulgarian leva but also in another currency, which requires changes to fiscal devices and management software. Additionally, the joint operation of two different approved types of electronic systems with fiscal memory (ESFM) from different manufacturers is permitted in a commercial establishment, provided they have been tested and approved for joint operation.
The following table summarizes the main changes and their practical impact on the daily operations of online merchants.
How Regulation N-18 Aligns with the Cyber Resilience Act (CRA)
The most significant and often overlooked reason for the changes in Regulation N-18 (2025) lies in its harmonization with European legislation, specifically with Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA). This regulation aims to increase the security of all products with digital elements that are connected to a network or the internet. The fiscal devices and sales management software used in Bulgaria fall precisely into this category, as they connect to the NRA’s network for data reporting and process sensitive information.
As a result, the CRA imposes new and much higher standards on the manufacturers of these systems. They are now required to integrate security by design into their products, assess vulnerability risks, and provide a secure mechanism for software and firmware updates. Moreover, after being placed on the market, these products must have security support and updates for a minimum of five years or for their entire declared lifecycle. This means that the changes in Regulation N-18 are not just administrative or tax-related. They are a strategic response to the broader European cybersecurity framework, which shifts the focus of regulatory control toward a combined approach covering both the fiscal and technological essence of the processes.
This means that any company that develops or maintains SMSCE now has a legal obligation to ensure its cyber resilience. This also directly affects online merchants, as they rely on this software for their daily operations. If the software they use does not meet the requirements of the CRA and is deemed non-compliant, it can lead to serious problems.
Consequences of Non-Compliance: The Difference Between National and European Sanctions
Failure to comply with the new requirements of Regulation N-18 can lead to a number of serious consequences that vary in scale and scope. For online merchants, the most immediate threat is from the NRA. In case of non-compliance, fines can be imposed ranging from BGN 500 to BGN 10,000 for individuals and companies. In addition to financial sanctions, the agency can also impose a ban on the use of the system, and in cases of recidivism, it can even revoke the registration of the online store.
However, behind these familiar national sanctions lies a much larger and no less significant threat stemming from European legislation. The Cyber Resilience Act (CRA) provides for extremely severe fines for manufacturers of fiscal devices and SMSCE that do not meet the security requirements. The most serious violations can be punished with fines of up to EUR 15,000,000 or up to 2.5% of the company’s total worldwide annual turnover. For providing false or incomplete information, sanctions can reach EUR 10,000,000 or 2% of the turnover.
Although these massive fines are aimed at manufacturers, they also create a huge risk for online merchants. If the software or fiscal device provider is not compliant with the CRA, it could lead to the temporary or permanent withdrawal of the device’s type approval under Art. 10 of Regulation N-18. In such a case, even if the merchant has acted in good faith, their reporting system will be rendered invalid. This exposes the business to a direct risk of sanctions from the NRA, even if it is not directly responsible for the technical problem.
This cause-and-effect relationship places a new emphasis on the need for thorough due diligence when choosing partners for accounting and software services. Online merchants must ensure that their suppliers are not only technically competent but also fully compliant with both national and European legislation to avoid indirect sanctions and ensure the continuity of their operations.
Specific Steps for Preparation
To prepare for the changes, online store owners must take several key steps that cover both the technical and organizational aspects of the business.
Technical Preparation: Software and Hardware Updates
The first and most important step is to review the current software infrastructure. It is vital to contact the provider of your SMSCE, ERP, or other sales management system, such as platforms like Shopify or WooCommerce. You should get confirmation from the provider that the software used will be updated to meet the new requirements. This includes support for the changed XML parameters for correct reporting of returned orders and refunded amounts, as well as the ability to generate and send electronic fiscal receipts in PDF format. It’s important to ensure that the system can display the total payment amount in both BGN and EUR, especially if you work with international clients. Additionally, if the store uses fiscal devices, it is necessary to check whether they are compatible with the new requirements, approved models, and whether they support dual-currency designation.
Organizational and Documentary Measures
Parallel to technical preparation, internal business processes must also be adapted. Online merchants should create a reliable system for automatically generating and storing all daily financial reports for at least five years. This can be achieved through specialized cloud solutions or local archiving systems. Systematizing this data is critical, as in the event of an NRA audit, the absence of any part of it can be considered a serious violation.
It is also important to update the customer interface and ordering procedures. To issue an electronic receipt, the store must have the necessary customer data, such as an email address, and provide a way to automatically or easily send the electronic receipt. Logs must also be stored to record when, how, and through what channel the receipt was provided, as well as the exact date and time of dispatch. For this purpose, staff responsible for order processing and invoicing should be trained on the new requirements, and a checklist should be prepared for verification with each order.
Timely preparation for the introduction of the euro is also necessary. From August 8, 2025, to December 31, 2026, prices must be displayed in Bulgarian leva and euros, which requires checking and testing the software and fiscal systems to ensure they correctly display the amounts.
Recommendation: Contact Professionals
The complexity of the new requirements, their technical aspects, and the constant evolution of the regulatory framework make it almost impossible for a business owner to keep up with everything. In this context, using licensed accounting services is not just a convenience but a strategic necessity. Professional accountants are able to ensure the correct registration of the software with the NRA within the statutory seven-day period, monitor the agency’s current guidelines, and guarantee that all technical and documentary requirements are met. They can provide expert guidance on the correct reporting of different types of payments, especially cash on delivery, and assist with the systematic archiving of all necessary documents.
Partnering with a reliable accountant significantly reduces the risk of serious sanctions and frees the online store owner to focus on business growth instead of getting lost in the labyrinth of complex regulations. This step is essential to ensure not only formal compliance but also the long-term stability and peace of mind of the owner.
Free 30-minute consultation for new clients.
Conclusion
The changes to Regulation N-18 (2025) are not just another set of administrative requirements but part of a broader regulatory transformation aimed at increasing transparency and control in the field of e-commerce. These amendments set new and higher standards for reporting, requiring a more precise differentiation of payments, introducing the possibility of electronic fiscal receipts, and synchronizing national regulations with the European Cyber Resilience Act.
The key is to take a systematic approach: conduct an audit, update the software and fiscal equipment, store the necessary data and logs, ensure the correct issuance and transmission of electronic receipts, and rely on the help of a licensed accountant. This way, online stores can transform their operations without being caught off guard by the new requirements.
Author
