EU releases Network Code on Cybersecurity for electricity sector to boost resilience, cross-border protection

The European Union has released the inaugural EU Network Code on Cybersecurity for the electricity sector, marking a significant advancement in enhancing the cyber resilience of vital EU energy infrastructure and services. This publication is a crucial supplement to Regulation (EU) 2019/943 of the European Parliament and Council, establishing sector-specific cybersecurity regulations for cross-border electricity flows.

The Network Code on Cybersecurity will support a common level of cybersecurity for cross-border electricity flows in Europe by setting common rules to perform cybersecurity risk assessments, report cyber-attacks, threats, and vulnerabilities, and establish cybersecurity risk management. It also includes recommendations for supply chain security. The document has been developed in response to the growing digitalization and interconnection of national power systems. It provides a common standard to ensure the security and reliability of the interconnected system. 

The development of the network code was the result of close collaboration between the European Network of Transmission System Operators (ENTSO-E) and the European Distribution System Operators Entity (DSO Entity). ENTSO-E and DSO Entity appreciate the close communication and collaboration with the European Commission and ACER, who contributed significantly to the creation of the Network Code. Gratitude is also extended to the European Union Agency for Cybersecurity (ENISA) for its continuous and active support.

“In a context of interlinked, digitalized electricity systems, prevention and management of electricity crises related to cyber-attacks cannot be considered to be a solely national task,” the Network Code on Cybersecurity prescribed. “More efficient and less costly measures through regional and Union cooperation should be developed to their full potential. Therefore, a common framework of rules and better-coordinated procedures are needed in order to ensure that Member States and other actors are able to cooperate effectively across borders, in a spirit of increased transparency, trust, and solidarity between Member States and competent authorities responsible for electricity and cybersecurity.”

Addressing cybersecurity risk management within the scope of this regulation requires a structured process including, among others, identifying risks for cross-border flows of electricity stemming from cyber-attacks, the related operational processes and perimeters, the corresponding cybersecurity controls, and verification mechanisms. “While the timeframe for the whole process is spread over years, each step of it should contribute to a high common level of cybersecurity in the sector and the mitigation of cybersecurity risks. All participants in the process should make their best efforts to develop and agree on the methodologies as soon as possible without undue delay, and in any case, no later than the deadlines defined in this Regulation,” it added.

The entities in the scope of this regulation that are considered high-impact or critical-impact pursuant to Article 24 of this Regulation, and are subject to the obligations laid down therein, are primarily those that have a direct impact on cross-border flows of electricity in the EU. The regulation makes use of existing mechanisms and instruments, already established in other legislation, to ensure efficiency and avoid duplication in the achievement of its objectives.

When applying the regulation, Member States, relevant authorities, and system operators should take into consideration agreed European standards and technical specifications of the European Standardisation Organisations and act in line with Union legislation relating to the placing on the market or putting into service of products covered by that Union legislation.

“With a view to mitigating cybersecurity risks, it is necessary to establish a detailed rulebook governing the actions of, and the cooperation amongst, relevant stakeholders, whose activities concern cybersecurity aspects of cross-border electricity flows, with the aim of ensuring system security,” the regulation lays down. “Those organizational and technical rules should ensure that most electricity incidents with cybersecurity root causes are effectively dealt with at operational level. It is necessary to set out what those relevant stakeholders should do to prevent such crises and what measures they can take should system operation rules alone no longer suffice.” 

It outlines that it is necessary to establish a common framework of rules on how to prevent, prepare for and manage simultaneous electricity crises with a cybersecurity root cause. “This brings more transparency in the preparation phase and during a simultaneous electricity crisis and ensures that measures are taken in a coordinated and effective manner together with the competent authorities for cybersecurity in the Member States.”

The regulation identified that “Where a high-impact or critical-impact entity provides services in more than one Member State or has its seat or other establishment or a representative in a Member State, but its network and information systems are located in one or more other Member States, those Member States should encourage their respective competent authorities to make their best efforts to cooperate with and assist each other as necessary.”

Recent cyber-attacks show that entities are increasingly becoming the target of supply chain attacks. Such supply chain attacks not only have an impact on individual entities in scope but can also cascade into larger attacks on the entities to which they are connected in the electricity grid. Provisions and recommendations to help mitigate the cybersecurity risks associated with supply chain processes, notably procurement, that have an impact on cross-border flows of electricity have therefore been added.

“Since the exploitation of vulnerabilities in network and information systems may cause significant energy disruptions and harm for economy and consumers, these vulnerabilities should be swiftly identified and remedied in order to reduce risks,” the Network Code on Cybersecurity noted. “In order to facilitate the effective implementation of this Regulation relevant entities and competent authorities should cooperate to exercise and test activities that are considered to be appropriate for that purpose, including information exchange on cyber threats, cyber-attacks, vulnerabilities, tools and methods, tactics, techniques and procedures, cybersecurity crisis management preparedness and other exercises.” 

The Network Code on Cybersecurity states that, since technology is constantly evolving and digitalization of the electricity sector is progressing rapidly, the implementation of the provisions adopted should not be detrimental to innovation, nor constitute a barrier to accessing the electricity market or to the subsequent use of innovative solutions that contribute to the efficiency and sustainability of the electricity system.

Additionally, the information collected for the purpose of monitoring the implementation of this Regulation should be limited according to a need-to-know principle. Stakeholders should be granted achievable and effective deadlines for submitting such information, and double notification should be avoided.

In order to improve security coordination early on and to test future binding terms, conditions, and methodologies, the ENTSO for Electricity, the EU DSO Entity, and the competent authorities should start developing non-binding guidance immediately after the entry into force of this regulation. The guidance will serve as a baseline for the development of future terms, conditions, and methodologies. In parallel, the competent authorities should identify entities as candidates for high- and critical-impact entities so that they can start, on a voluntary basis, to fulfill the obligations.

The regulation has been developed in close cooperation with ACER, ENISA, the ENTSO for Electricity, the EU DSO entity, and other stakeholders to adopt effective, balanced, and proportionate rules transparently and participatively. 

“Within 9 months after the approval of the cybersecurity risk assessment methodologies pursuant to Article 8 and every three years thereafter, the ENTSO for Electricity, in cooperation with the EU DSO entity and in consultation with the NIS Cooperation Group, shall, without prejudice to Article 22 of Directive (EU) 2022/2555, perform a Union-wide cybersecurity risk assessment and draw up a draft Union-wide cybersecurity risk assessment report,” the EU Network Code on Cybersecurity identified. “For this purpose, they will use the methodologies developed pursuant to Article 18, and approved pursuant to Article 8, to identify, analyze, and evaluate the possible consequences of cyber-attacks affecting the operational security of the electricity system and disrupting cross-border electricity flows. The Union-wide cybersecurity risk assessment shall not consider the legal, financial or reputational damage of cyber-attacks.”

The ENTSO for Electricity, in cooperation with the EU DSO entity, shall submit the draft of the Union-wide cybersecurity risk assessment report with the results of the Union-wide cybersecurity risk assessment to ACER for opinion. ACER shall issue an opinion on the draft report within three months after its receipt. The ENTSO for Electricity and the EU DSO entity shall take utmost account of ACER’s opinion when finalizing that report.

Furthermore, within three months after receipt of ACER’s opinion, the ENTSO for Electricity, in cooperation with the EU DSO entity, shall notify the final Union-wide cybersecurity risk assessment report to ACER, the Commission, ENISA, and the competent authorities.

It also prescribed that within 21 months after the notification of the high- and critical-impact entities pursuant to Article 24(6), and every three years after that date, and after consulting the CS-NCA responsible for electricity, each competent authority, supported by the CSIRT, shall provide a Member State cybersecurity risk assessment report to the ENTSO for Electricity and the EU DSO entity.

The Member State report contains, for each high-impact and critical-impact business process, the implementation status of the minimum and advanced cybersecurity controls pursuant to Article 29; a list of all cyber-attacks reported in the previous three years pursuant to Article 38(3); a summary of the cyber threat information reported in the previous three years pursuant to Article 38(6); for each Union-wide high-impact or critical-impact process, an estimate of the risks of a compromise of the confidentiality, integrity, and availability of information and relevant assets; and, where necessary, a list of additional entities identified as high-impact or critical-impact.

The ENTSO for Electricity, in cooperation with the EU DSO entity and in consultation with the relevant Regional Coordination Centre, shall perform a regional cybersecurity risk assessment for each system operation region. The regional cybersecurity risk assessments shall not consider the legal, financial, or reputational damage of cyber-attacks.

“Within 30 months after the notification of the high-impact and critical-impact entities pursuant to Article 24(6), and every three years after that, the ENTSO for Electricity, in cooperation with the EU DSO entity and in consultation with the NIS Cooperation Group, shall draw up a regional cybersecurity risk assessment report for each system operation region,” the Network Code on Cybersecurity added. “The regional cybersecurity risk assessment report shall take into account the relevant information contained in the Union-wide cybersecurity risk assessment reports and in the Member State cybersecurity risk assessments reports.”

In the coming months, ENTSO-E and DSO Entity will continue their collaboration and work on the different documents that will guide the implementation of the Network Code.

Last month, the European Commission initiated calls for proposals within Horizon Europe’s 2023-2024 digital, industrial, and space work program, focusing on research and innovation in artificial intelligence (AI) and quantum technologies. The new series of calls totals over €112 million in AI and quantum research and innovation funding from the 2023-2024 Horizon Europe Digital, Industry, and Space work program.
