Cybersecurity network code for electricity
The road to adoption
Protecting the energy sector against cyber threats is key to safeguarding our societies and economies, especially given its critical importance and increasing digitalisation.
The energy sector also has specific characteristics that shape how it can be protected, including:
- Real-time requirements: standard security measures (for example, patching or restarting a component) cannot always be applied to energy systems that must respond immediately, because those measures themselves introduce latency or downtime.
- Cascading effects: because European grids and pipelines are strongly interconnected, an outage in one Member State can propagate to several other countries.
- Legacy systems combined with new technologies: modern technologies often have to interact and integrate with legacy infrastructure that was not designed with cybersecurity in mind, and that integration can introduce technical vulnerabilities.
Taking these characteristics into account, the network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (the ‘NCCS’) entered into force on 13 June 2024. The aim of the NCCS is to support a high, common level of cybersecurity for cross-border electricity flows in Europe and to complement the revised Network and Information Systems Directive (the ‘NIS 2 Directive’), which establishes common measures for a high level of cybersecurity across the EU.
The NCCS was developed in several steps:
- ACER adopted the Framework Guideline on 22 July 2021.
- ENTSO-E and the EU DSO Entity submitted their NCCS proposal to ACER on 14 January 2022.
- ACER submitted its revised NCCS proposal to the European Commission on 14 July 2022.
- The European Commission consulted stakeholders, including the Network and Information Systems Cooperation Group (the ‘NIS Cooperation Group’, established by the first NIS Directive to ensure cooperation and information exchange among Member States on cybersecurity policy), and held a public consultation in autumn 2023.
What does the Cybersecurity Network Code cover?
Among the main provisions, the network code:
- Mandates each EU Member State to appoint a competent authority by 13 December 2024 to ensure the network code is correctly implemented, and to oversee the entities that carry out processes with a sufficiently high impact on cross-border electricity flows (referred to as ‘high-impact and critical-impact entities’).
- Provides a governance model and objectives for the development and review of terms and conditions, methodologies, and plans. Within the first year after the NCCS enters into force, provisional guidance will be developed by the European Network of Transmission System Operators for Electricity (ENTSO-E) and the EU DSO Entity in consultation with ACER and ENISA (the EU Agency for Cybersecurity). Subsequently, transmission system operators, in cooperation with the EU DSO Entity, will propose terms, conditions, methodologies, and plans for approval by the relevant competent authorities.
- Provides for three types of ‘macro-level’ cybersecurity risk assessments (Union-wide, regional and Member State-level), as well as a comprehensive cross-border risk assessment report.
- Sets rules on cybersecurity risk management by the high-impact and critical-impact entities.
- Contains provisions on cybersecurity crisis management.
- Includes a common electricity cybersecurity framework with minimum and advanced cybersecurity controls, covering supply chain security and a cybersecurity management system, along with provisions on its verification.
- Provides for the development of recommendations on cybersecurity procurement.
- Contains rules for detecting cyber-attacks and for managing and sharing information related to cyber-attacks, threats, and unpatched actively exploited vulnerabilities.
- Provides the principles for protecting confidential information.
- Foresees cybersecurity exercises at the entity, Member State, regional, and cross-regional level.
What are ACER’s key tasks?
Monitoring
ACER will monitor the implementation of the NCCS and regularly report its findings to the Electricity Coordination Group (a platform for strategic exchanges on electricity policy between Member States, national regulators, ACER, ENTSO-E and the Commission) and to the NIS Cooperation Group.
To achieve this, ACER will:
- Define non-binding performance indicators for the assessment of operational reliability related to cybersecurity aspects of cross-border electricity flows.
- Provide guidance on the information required from stakeholders, including the process and frequency of data collection.
At least every three years, ACER will publish a report reviewing the implementation status of cybersecurity risk management measures across the EU by the high-impact and critical-impact entities. This report will also identify whether additional cybersecurity rules are needed for the electricity sector and identify areas to improve the NCCS.
Benchmarking guideline
ACER will develop a non-binding guideline outlining the main principles for benchmarking cybersecurity controls.
This benchmarking, conducted by the national regulatory authorities, will evaluate whether current investments in cybersecurity:
- mitigate the risks for cross-border electricity flows;
- provide the desired results and efficiency gains in the development of the electricity systems; and
- are efficient and integrated into the overall procurement process.
Guidelines on information exchanges
ACER will issue guidelines addressing mechanisms for the entities under the NCCS to exchange information (in particular, envisaged information flows), as well as methods for anonymising and aggregating information.
To create these guidelines, ACER will consult ENISA, the competent authorities, ENTSO-E and the EU DSO Entity.
Union-level cybersecurity crisis management plan
Within two years after being notified of the Union-wide risk assessment report by ENTSO-E and the EU DSO Entity, ACER will develop a Union-level cybersecurity crisis management and response plan for the electricity sector. This plan will serve as an input to the national cybersecurity crisis management and response plans for cross-border electricity flows.
To this end, ACER will collaborate with ENISA, ENTSO-E, the EU DSO Entity, national cybersecurity competent authorities, competent authorities designated under the NCCS, national competent authorities for risk preparedness, the national regulatory authorities and the NIS national cyber crisis management authorities.
Terms, conditions, methodologies and plans
ACER will provide input on the proposals for:
- Terms, conditions, methodologies, and plans prepared by transmission system operators. If jointly requested by the national regulatory authorities, ACER will also issue a formal opinion on these proposals.
- Non-binding provisional guidance developed by ENTSO-E and the EU DSO Entity.