Bulgaria’s Information Services has launched a national cyber-defence collaboration with Google Cloud that brings 54 public entities into a federated security operations model, combining centralised monitoring with AI-assisted analysis and shared threat intelligence.
Announced on 20 May, the programme is among the first European deployments of Google Cloud’s Cybershield, a platform designed for national-scale cyber operations. Information Services said implementation began earlier this year and includes Google Cloud Security Operations, Google Threat Intelligence, Mandiant expertise, and analyst support intended to improve detection and response across ministries and agencies.
Simeon Kartselyanski, cyber security manager at Information Services and leader of the Bulgarian National Cyber Security Operations Center, said: “By integrating advanced AI-driven security operations and frontline threat intelligence, we are maturing our national defences to protect Bulgaria’s digital resilience and critical infrastructure.”
According to the organisations behind the rollout, the system is designed to reduce the time needed to detect, investigate, and contain cyber incidents, while giving participating entities access to a common operational picture. Instead of relying on separate teams to interpret alerts in isolation, the model pools telemetry and intelligence so that one incident pattern can be recognised and acted on across the wider network.
That approach reflects how quickly the threat landscape has shifted. In its Cloud Threat Horizons report for the first half of 2026, Google Cloud said the gap between vulnerability disclosure and active exploitation narrowed from weeks to days during the second half of 2025. The same report said identity compromise featured in 83% of compromises. Mandiant’s M-Trends 2026 report found that exploits remained the most common initial infection vector for a sixth consecutive year, accounting for 32% of intrusions, while voice phishing rose to 11%.
Against that backdrop, a fragmented operating model becomes harder to sustain. When exploitation cycles shorten and credential abuse remains central to attacks, the value of a shared security operations layer lies in speed, consistency, and the ability to correlate weak signals before they become a wider incident. It also helps address a persistent capability problem in large systems, where technical depth is rarely distributed evenly across dozens of institutions.
European cyber policy has been moving in the same direction. The EU’s NIS2 Directive requires member states to strengthen national cyber-security strategies, improve cooperation, and extend risk-management and reporting obligations across 18 critical sectors, including public administration. The directive also places greater responsibility on management bodies, bringing cyber resilience more firmly into governance, oversight, and operational planning.
Across Europe, public-sector bodies have been under pressure to modernise security monitoring while coping with legacy infrastructure, uneven staffing, and increasingly sophisticated attacks on essential services. Bulgaria’s programme sits squarely within that wider shift towards centralisation, automation, and closer coordination between policy and operations. A federated model does not remove those pressures, but it can reduce duplication and create a more coherent response when a threat moves across multiple entities at once.
Private-sector organisations have been moving along a similar path, consolidating tools, tightening incident playbooks, and linking threat intelligence more directly to operational workflows. The distinction between national infrastructure and enterprise practice remains important, yet the pressures are increasingly familiar on both sides: too many alerts, too little time, and too much complexity spread across too many environments.
As 54 entities are drawn into a common defensive framework, success will depend less on the sophistication of any one tool than on whether integration can be achieved without blind spots, shared processes can operate without delay, and central visibility can still produce action at local level. Bulgaria’s rollout shows how AI-assisted security operations are moving from strategy to implementation, and how cyber resilience is increasingly being built not as a collection of separate systems, but as a coordinated operating model.



