Europe’s network code on cybersecurity published
Source: Jonathan Spencer Jones | Smart Energy International | May 28, 2024
The EU’s first network code on cybersecurity for the electricity sector is expected to improve the cyber resilience of this critical infrastructure and the associated services.
The network code, which was foreseen in the energy system digitalisation action plan and drafted by ENTSO-E and the DSO Entity, provides a common standard to ensure the security and reliability of the interconnected system.
The network code introduces the notion of ‘high impact and critical impact entities’, which are primarily those that have a direct impact on cross-border flows of electricity in the EU.
With common rules to perform cybersecurity risk assessments, report cyber-attacks, threats and vulnerabilities, and establish cybersecurity risk management, the network code is designed to support a high common level of cybersecurity for cross-border electricity flows in Europe.
“The publication of the network code on cybersecurity marks an important milestone for the completion of the internal energy market and the achievement of the EU’s energy objectives, both at the level of transmission and distribution electricity grids,” says a joint ENTSO-E, DSO Entity statement.
Under the new regulation, member states are required, no later than 13 December 2024, to designate a national governmental or regulatory authority responsible for carrying out the assigned tasks, including identifying the high impact and critical impact entities.
By 13 March 2025, the TSOs, with the assistance of ENTSO-E and the DSO Entity and following a consultation with the Network and Information Systems (NIS) Cooperation Group, are required to submit a proposal for cybersecurity risk assessment methodologies at Union, regional and member state levels.
These should include a list of cyber threats to be considered, including supply chain threats; the criteria to evaluate the impact of cybersecurity risks as high or critical; an approach to analyse the cybersecurity risks coming from legacy systems; and an approach to analyse the cybersecurity risks coming from the dependency on a single supplier of ICT products, services or processes.
Within nine months after the approval of these risk assessment methodologies and every three years thereafter, ENTSO-E, in cooperation with the DSO Entity and in consultation with the NIS Cooperation Group, shall perform an EU-wide cybersecurity risk assessment.