Cyber incident at the EU Agency for Cooperation of Energy Regulators (ACER)

• The Agency launched a full investigation, working closely with the Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU).
• Our ongoing cyber incident investigation confirms that the Agency’s external firewall was impacted. The problem has been remedied. Steps were taken immediately by the Agency to mitigate the potential consequences, contain the incident and recover the relevant business function.
• The affected period was from 30 December 2022 to 04 September 2023. The investigation revealed an exploited vulnerability in the firewall that possibly allowed the perpetrators, even though not confirmed, to intercept unencrypted traffic passing through the compromised device and to get access to data on it. No other devices have been found to be affected. 
• The Agency has in place security measures to protect sensitive information. Sensitive systems were already segregated. Based on our assessments to date, ACER’s REMIT information systems that hold REMIT data and LNG market data have not been impacted by this cybersecurity incident.
• The Agency is working to further improve its cybersecurity posture in the short and medium term.
• The investigation of CERT-EU led to the discovery of a compromise in the ACER extranet.
• The extranet was taken offline for immediate remediation actions.
• The Agency is assessing the likelihood of impact and the further implementation of remediation measures.
• Affected third parties have been notified of the alternative business continuity arrangements. This is an ongoing investigation. More information will be made available in due course.
• The full force of ACER is dedicated to ACER fulfilling its mandate and ensuring business continuity, in close cooperation with CERT-EU.

More specific guidance for stakeholders who interact regularly with ACER

ACER has received queries from stakeholders on the impact of the cyber incident and requests for guidance. ACER offers the following information:

REMIT/LNG data and use of Virtual Private Network (VPN):

• The Agency has secure systems for sensitive data.
• Based on the evidence to date, the data reported by market participants to the Agency, in line with their obligations under the REMIT Regulation and the LNG market data  safeguarded in ACER's REMIT information systems has NOT been impacted.
• Stakeholders should continue to use a secure channel to report their data to the Agency in line with their obligations under the REMIT Regulation and LNG data reporting obligations.
• Stakeholders (and national regulators) that have a Virtual Private Network (VPN) connection with ACER for the exchange of REMIT data should continue to use their VPN. For stakeholders in the process of setting up their VPN connections to ACER, the set up of the VPN connection should continue.
• Sensitive data should not be sent over e-mail to ACER. This has already been our advice and as such it still stands.

E-mails:

• There is no need to stop e-mail communications with ACER.
• For any sensitive information that can only be communicated to ACER via an e-mail (although not recommended), please send it as a password protected zipped file attachment to the e-mail (with very long passwords; passwords are to be shared via other means than email such as SMS or MS Teams message to the intended recipient).

This is an ongoing investigation and further information will be made available in due course. We have established a dedicated e-mail channel DataSecurity@acer.europa.eu to address any concerns.

Press contact: Press@acer.europa.eu

Read more:

• Update: 26 January 2024
• Update: 15 December 2023
• Update: 4 December 2023
• Update: 27 November 2023