The European Commission has adopted the first-ever EU network code on cybersecurity for the electricity sector.
According to the Commission in a release, the network code will be an important step to improve the cyber resilience of critical EU energy infrastructure and services.
The delegated act follows a consultation process with relevant stakeholders, including contributions from ENTSO-E, EU DSO Entity and ACER, as well as a four-week period for public feedback at the end of 2023.
It will support a high, common level of cybersecurity for cross-border electricity flows in Europe.
EU network code for cybersecurity
The EU network code aims to establish a recurrent process of cybersecurity risk assessments in the electricity sector.
These assessments are aimed at systematically identifying entities that perform digitalised processes with a critical or high impact on cross-border electricity flows, their cybersecurity risks and the mitigating measures that are needed.
To do so, the network code establishes a governance model that uses and is aligned with existing mechanisms established in horizontal EU legislation, notably the revised Network and Information Security Directive (NIS2).
This is the case, for example, for the reporting of cyberattacks and vulnerabilities using the established Computer Security Incident Response Teams (CSIRTs), or coordination with the CyCLONe network in case of large-scale cybersecurity incidents and crises.
The new rules will promote a common baseline while respecting existing practices and investments as much as possible, states the Commission.
It is hoped that the model will be able to develop, follow and regularly review the methodologies of different stakeholders, taking into account the current mandates of different bodies in both the cybersecurity and electricity regulatory systems.
Although there is already a comprehensive overall legal framework for cybersecurity, the energy sector presents areas in need of renewed attention, including:
- Real-time requirements
Energy systems need to react at a speed that rules out standard security measures, such as authentication of a command or verification of a digital signature, because of the delay these measures impose.
- Cascading effects
Electricity grids and gas pipelines, states the Commission, are strongly interconnected across Europe and beyond the EU. An outage in one country might trigger blackouts or shortages of supply in other areas and countries.
- Combined legacy systems with new technologies
Many elements of the energy system were designed and built before cybersecurity considerations came into play. This legacy now needs to interact with the most recent state-of-the-art equipment for automation and control, such as smart meters or connected appliances and IoT-connected devices, without being exposed to cyber-threats.
Foreseen under the Electricity Regulation (EU) 2019/943 (Article 59) and in the 2022 EU Action Plan to digitalise the energy system, the delegated act is now subject to scrutiny by the EU co-legislators.
With the announcement from the Commission, the dossier now passes to the Council and European Parliament, which have a period of up to four months to scrutinise the text and raise objections.
The rules will enter into force once this period is over.