ACER issues guidelines to share cybersecurity information in the electricity sector
What is it about?
ACER today issues its guidelines to better protect cybersecurity information exchanged under the EU-wide network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (NCCS).
These guidelines are issued for the electricity sector, including transmission and distribution system operators, generators, organised markets, nominated electricity market operators (NEMOs) and balancing responsible parties, as well as for providers of critical information and communication technology (ICT) services and managed security services.
ACER consulted the EU cybersecurity agency (ENISA), the European Network of Transmission System Operators for Electricity (ENTSO-E), EU DSO Entity and the competent authorities under the electricity cybersecurity network code in preparing these guidelines.
Why are these guidelines important?
Entities from the electricity sector (e.g. network companies and others) are required under the binding electricity-specific cybersecurity network code to share information, including on cyberattacks, threats, risk assessments and cybersecurity expenditures. Preserving the confidentiality of such sensitive information when sharing it among themselves and with relevant authorities is important.
What are ACER's recommendations?
The guidelines suggest:
- Use of the Traffic Light Protocol (TLP) to exchange information. The guidelines also provide basic instructions for the electricity sector on how to apply it. Where no legally binding national classification scheme applies to the shared information, the TLP can also be used to share information within a Member State.
- Several methods for anonymising and aggregating information. The guidelines also provide examples of how specific information exchanged under the NCCS could be anonymised or aggregated.