The European Commission has today adopted the first-ever EU network code on cybersecurity for the electricity sector. Foreseen under the Electricity Regulation (EU) 2019/943 (Article 59) and in the 2022 EU Action Plan to digitalise the energy system, this delegated act is an important step to improve the cyber resilience of critical EU energy infrastructure and services. It will support a high, common level of cybersecurity for cross-border electricity flows in Europe. The dossier now passes to the Council and European Parliament to scrutinise the text and the rules will enter into force once this period is over.
The network code aims to establish a recurrent process of cybersecurity risk assessments in the electricity sector. These assessments are aimed at systematically identifying the entities that perform digitalised processes with a critical or high impact in cross-border electricity flows, their cybersecurity risks, and then the necessary mitigating measures that are needed. For that, this network code establishes a governance model that uses and is aligned with existing mechanisms established in horizontal EU legislation, notably the revised Network and Information Security Directive (NIS2). This is the case, for example, for the reporting of cyberattacks and vulnerabilities using the established Computer Security Incident Response Teams (CSIRTs), or coordination with the CyCLONe network in case of large-scale cybersecurity incidents and crises. The new rules will therefore promote a common baseline, while respecting existing practices and investments as much as possible. This model can develop, follow and regularly review the methodologies of different stakeholders, taking into account the current mandates of different bodies in both the cybersecurity and electricity regulatory systems.
Today’s delegated act follows extensive consultation process with relevant stakeholders, including contributions from ENTSO-E, EU DSO Entity and ACER, an and a 4-week period for public feedback at the end of last year. The Commission has also informed the European Parliament about the initiative.
Under EU rules of procedure, today’s delegated act is now subject to scrutiny by the 2 EU co-legislators. This means that the European Parliament and Council each have a period of 2 months for objection to this secondary legislation, which can be extended by 2 months.