ACER and Cybersecurity


Why is cyber security such an important topic for ACER and energy regulators?


Cyber incidents and attacks can disrupt energy-related essential services, e.g. by causing electricity blackouts or by damaging existing infrastructure. A reliable energy system is the backbone of the economy. Energy supply powers industry and is essential to our daily lives (home, work, movement and entertainment).

The harmful effects of cyber incidents and attacks on individuals, organisations and communities can be widespread. Because the EU energy system is digitalised and interconnected, a cyberattack or cyber incident in one country can affect more than a single geographical area and can also cause cascading effects.

Cybersecurity is so critical in energy that Europe's legislators have adopted a sector-specific approach to reinforce cybersecurity in electricity, which applies in addition to the general cyber laws.

See ACER's Cybersecurity Glossary.

How realistic are cyber threats in energy?

Cyber threats in energy are very real, and cyber incidents are increasing in both frequency and impact. In Ukraine, 225,000 people lost power in a 2015 cyberattack on the electricity grid infrastructure. For electricity systems, the threat of cyberattack is substantial and growing.

With heightened cyber threats, increasingly digitalised critical energy infrastructure is exposed to attack. The very interconnectedness of assets across the energy system, if those assets are not cyber secure, makes them vulnerable to threats.


How does ACER contribute to cybersecurity?

ACER contributes to strengthening the cybersecurity of Europe's energy system in three main ways:

1. Advising on EU legislation and rules

ACER and national regulators provide expert advice on EU legislation and cyber rules relating to the energy sector.

  • In 2021, at the request of the European Commission, ACER developed a Framework Guideline (under the Electricity Regulation) which will help shape a legally binding EU-wide Cybersecurity Network Code for Cross-Border Electricity.

  • ACER and regulators are actively engaged in European Commission Expert Groups.

2. Sharing information among energy regulators and capacity building

Since 2015, ACER and the national energy regulators have cooperated and shared information in a dedicated cybersecurity task force co-chaired by ACER and CEER:

  • Such collaboration covers issues such as cybersecurity preparedness, response, recovery planning, and regulatory approaches to drive prudent risk reduction efforts

  • Outputs include shared resources, reports and recommendations

  • This task force (together with CEER training courses) supports ongoing capacity building, with the aim of preventing, detecting, responding to and recovering from cyberattacks

  • The task force prepares and distributes factsheets, reports and papers that explain and explore complex and emerging cybersecurity topics of interest to the energy community, and that set out the position of regulators on the adoption of such principles and technologies

3. ACER's leading cyber experts contribute to EU and international collaboration

ACER's cyber specialists are leading cybersecurity experts who foster best practices globally:

  • ACER and energy regulators engage with fellow international experts (e.g. NERC, EPRI and NARUC in the US) to share expertise and experience on issues such as standards, strategy and the prudency of investment

  • ACER engages with network operators and the EU Institutions and Agencies (e.g. ENISA, DG ENER and the Joint Research Centre), participating in the Commission's expert groups in developing European-wide cyber approaches

  • ACER engages with the standardisation community in order to use already existing standards where they exist, or to drive future standardisation efforts that may be needed for the efficient implementation of the Regulation


Is there a European approach to cyber security?


The EU works on various fronts to promote the efficient implementation of cyber resilience in all sectors of life in the EU. Europe has a cybersecurity strategy and cross-sectoral cybersecurity legislation (the 2016 NIS Directive, the 2019 Cybersecurity Act, and a 2020 proposal to revise the original NIS Directive). The Cybersecurity Act standardises the certification of cybersecurity products at the European Union level and in the energy sector, and strengthens ENISA (the EU's agency that deals with cybersecurity).

Europe sees electricity as "critical" and reinforces its cybersecurity with an additional electricity sector-specific approach

Europe's 2019 energy laws complement Europe's horizontal cybersecurity legislation by reinforcing cybersecurity in electricity sector-specific legislation. In 2019, the European Commission also adopted a Recommendation on cybersecurity in the energy sector.

Both the recast (2019) Electricity Directive and Electricity Regulation contain cybersecurity measures. For example, the Electricity Directive deals with issues related to smart meters and cybersecurity. The Electricity Regulation provides for binding EU-wide rules in electricity, called a Cybersecurity Network Code. The Electricity Regulation also provides for a cybersecurity role for the new EU entity for Distribution System Operators (EU DSO entity).

Europe's general cyber laws (the NIS Directive on security of network and information systems) also apply, and energy is identified as a "critical" sector. Under the NIS Directive, "operators of essential services" include those operators identified by the Member States as energy critical infrastructures. Hence most energy operators (in particular many electricity suppliers, many Distribution System Operators (DSOs) and all Transmission System Operators (TSOs)) are subject to its cybersecurity and notification requirements: they are required to assess cyber risks and to respect minimum standards that aim to mitigate those risks, together with other obligations.


The journey towards the Cybersecurity Network Code

In July 2021, ACER published its non-binding Framework Guideline on sector-specific rules for cybersecurity aspects of cross-border electricity flows.

The Framework Guideline provides high-level principles for the development of a binding Cybersecurity Network Code that will contribute to maintaining the security of the electricity system across Europe.

It covers various topics:

  • governance

  • cross-border risk assessment & management

  • a common electricity cybersecurity framework

  • information sharing and essential information flows

  • incident handling and crisis management (including data collection)

  • an electricity cybersecurity exercise framework

  • protection of information exchange in the context of data processing

  • monitoring, benchmarking and reporting

Next steps

In July 2021, ACER submitted the Framework Guideline to the European Commission.

As a next step, a dedicated drafting committee will prepare a proposal for the network code based on the ACER Framework Guideline.

ACER will then revise the proposed network code to ensure that it complies with the Framework Guideline and that it does not hamper the efficient functioning of the market. ACER shall submit the revised network code to the European Commission within six months.


What will the new Cybersecurity Network Code cover?


These new sector-specific rules for cybersecurity will cover issues such as:

  • establishing methodologies and governance for electricity cross-border risk assessment

  • defining a set of common minimum cybersecurity requirements and standards applicable to all actors in the electricity markets

  • further developing and orchestrating cybersecurity information collection and dissemination among all electricity community actors

  • planning, monitoring and reporting obligations