Protecting the energy sector against cyber threats is key to safeguarding our societies and economies, especially given its critical importance and increasing digitalisation.

The energy sector also presents specific characteristics, including:

• Real-time requirements: standard security measures may not always be applied to those energy systems that require an immediate response or reaction.

• Cascading effects: due to the strong interconnection between European grids and pipelines, an outage in one Member State might impact several other countries.

• Combined legacy systems with new technologies: modern technologies often need to interact and integrate with legacy infrastructure, which may result in technical vulnerabilities.

Taking into account these peculiarities, on 13 June 2024, the network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (the ‘NCCS’) came into force. The aim of the NCCS is to support a high, common level of cybersecurity for cross-border electricity flows in Europe and to complement the revised Network and Information Systems Directive (the ‘NIS 2 Directive’) establishing common measures for a high level of cybersecurity across the EU.

The NCCS was developed following several steps:

• ACER Framework Guideline was adopted on 22 July 2021.

• ENTSO-E and EU DSO Entity NCCS proposal was submitted to ACER on 14 January 2022.

• ACER revised NCCS proposal was submitted to the European Commission on 14 July 2022.

• European Commission held consultations with stakeholders, including the Network and Information Systems Cooperation Group (the ‘NIS Cooperation Group’, established by the first NIS Directive, to ensure cooperation and information exchange among Member States on cybersecurity policy), and a public consultation in Autumn 2023.

Among the main provisions, the network code:

• Mandates each EU Member State to appoint a competent authority by 13 December 2024 to ensure the network code is correctly implemented, and to oversee the entities that carry out processes which have a sufficiently high impact on cross-border electricity flows (referred to as ‘high-impact and critical-impact entities’).

• Provides a governance model and objectives for the development and review of terms and conditions, methodologies, and plans. Within the first year after the NCCS enters into force, provisional guidance will be developed by the European Network of Transmission System Operators for Electricity (ENTSO-E) and the EU DSO Entity in consultation with ACER and ENISA (the EU Agency for Cybersecurity). Subsequently, transmission system operators, in cooperation with the EU DSO Entity, will propose terms, conditions, methodologies, and plans for approval by the relevant competent authorities.

• Provides for three types of ‘macro-level’ cybersecurity risk assessments: Union-wide, regional and Member State-level, as well as a comprehensive cross-border risk assessment report.

• Sets rules on cybersecurity risk management by the high-impact and critical-impact entities.

• Contains provisions on cybersecurity crisis management.

• Includes a common electricity cybersecurity framework with minimum and advanced cybersecurity controls, covering supply chain security and a cybersecurity management system, along with provisions on its verification.

• Provides for development of recommendations on cybersecurity procurement.

• Contains rules for detecting cyber-attacks and for managing and sharing information related to cyber-attacks, threats, and unpatched actively exploited vulnerabilities.

• Provides the principles for protecting confidential information.

• Foresees cybersecurity exercises at the entity, Member State, regional, and cross-regional level.

Monitoring

ACER will monitor the implementation of the NCCS and regularly inform the Electricity Coordination Group (the Electricity Coordination Group provides a platform for strategic exchanges between Member States, national regulators, ACER, ENTSO-E and the Commission on electricity policy) and the NIS Cooperation Group on its findings.

To achieve this, ACER will:

• Define non-binding performance indicators for the assessment of operational reliability that are related to cybersecurity aspects of cross-border electricity flows.
• Provide guidance on the information required from stakeholders, including the process and frequency of the data collection.

At least every three years, ACER will publish a report reviewing the implementation status of cybersecurity risk management measures across the EU by the high-impact and critical-impact entities. This report will also identify whether additional cybersecurity rules are needed for the electricity sector and identify areas to improve the NCCS.

Benchmarking guideline

ACER has developed a non-binding guide outlining principles for national regulators when conducting the benchmarking of cybersecurity investments in the electricity sector required by the network code. ACER encourages national regulatory authorities to follow these principles when conducting the analysis.

Guidelines on sharing cybersecurity information

ACER has issued guidelines addressing mechanisms for the entities under the NCCS to exchange information (in particular, envisaged information flows), as well as methods for anonymising and aggregating information.

To create these guidelines, ACER has consulted the EU Agency for Cybersecurity (ENISA), the competent authorities, ENTSO-E and the EU-DSO Entity.

Union-level cybersecurity crisis management plan

Within two years after being notified of the Union-wide risk assessment report by the ENTSO-E and the EU DSO Entity, ACER will develop a Union-level cybersecurity crisis management and response plan for the electricity sector. This plan will serve as an input to national cybersecurity crisis management and response plans for cross-border electricity flows.

To this end, ACER will collaborate with ENISA, ENTSO-E, the EU DSO Entity, national cybersecurity competent authorities, competent authorities designated under the NCCS, national competent authorities for risk preparedness, the national regulatory authorities and the NIS national cyber crisis management authorities.

Terms, conditions, methodologies and plans

ACER will provide input on the proposals for:

• Terms, conditions, methodologies, and plans prepared by transmission system operators. If jointly requested by the national regulatory authorities, ACER will also issue a formal opinion on these proposals.
• Non-binding provisional guidance developed by ENTSO-E and the EU DSO Entity.

European Stakeholder Committee on cybersecurity

Through the European Stakeholder Committee on cybersecurity in the electricity sector organised by ACER in close cooperation with ENTSO-E and the EU DSO Entity, industry associations cooperate with each other and with the authorities referred to in the Cybersecurity Network Code to:

• identify problems and propose improvements to the implementation of the existing Cybersecurity Network Code;
• recommend future revisions of the Network Code;
• identify whether any additional risk prevention rules may be needed for the electricity sector; and
• respond to technological developments in the sector.

By tackling these points, the cybersecurity committee will help maintain a high, common level of cyber resilience in Europe’s electricity grid and adapt policy to evolving digital risks.