Network Code on Cybersecurity 

The Network Code on Cybersecurity (NCC) refers to a European Commission initiative for a regulatory framework that aims to develop rules towards the resilience of the EU's critical energy infrastructures, notably including the electricity sector. A large part of the regulation aims to address the cybersecurity aspects of cross-border electricity flows.

NCC has set forth a range of eleven objectives:

  1. Establishing a solid governance for cybersecurity aspects of cross-border electricity flows to ensure the reliability of the electricity system and to ensure close collaboration with existing governance structures for cybersecurity.
  1. Determining common criteria for performing risk assessments, based on defined risk scenarios, for the operational reliability of the electricity system with respect to cross-border electricity flows.
  1. Promoting a common electricity cybersecurity framework and, by that, fostering a common minimum electricity cybersecurity level across the Union.
  1. Providing for clear verification rules to assess the application of the minimum and advanced cybersecurity controls.
  1. Establishing essential information flows by setting up a system for the collection and sharing of essential information in relation to cross-border electricity flows.
  1. Establishing effective processes to identify, classify and respond to cross-border cybersecurity incidents.
  1. Setting up effective processes for crisis management to handle cybersecurity incidents of cross-border relevance.
  1. Defining common principles for electricity cybersecurity exercises to increase resilience and improve the risk preparedness of the electricity sector.
  1. Protecting the information exchanged under this Regulation.
  1. Determining a process for monitoring the implementation of this Regulation, to assess the effectiveness of investments in cybersecurity protection and to report on the progress of cybersecurity protection across the Union.
  1. Ensuring that the cybersecurity procurement requirements with relevance for cross-border electricity flows are not detrimental to innovation, new systems, processes and procedures.

NCC will be applicable to a wide range of actors and stakeholders in the electric energy ecosystem whose activities have a direct or indirect cybersecurity impact on cross-border electricity flows.

Throughout this regulation, an important distinction is made according to the impact of a potential cyber-attack on a process and the subsequent disruption caused to cross-border energy flows. As such, a crucial distinction is made between the critical-impact perimeter, which defines the scope where advanced cybersecurity controls apply, and the high-impact perimeter, which defines the scope where the minimum cybersecurity controls apply. The regulation is not applicable to micro or small enterprises (fewer than 10 staff, and annual turnover and/or balance sheet not exceeding 2 million Euros), unless they are deemed critical-impact or high-impact.

Responsible for monitoring the implementation of this Regulation will be the European Union Agency for the Cooperation of Energy Regulators (ACER), which will carry out monitoring activities in cooperation with the European Union Agency for Cybersecurity (ENISA) and with the support of ENTSO-E and the EU Distribution System Operators (DSO) Entity. In addition, a cybersecurity risk assessment cycle is planned to be performed every three years, to identify, analyze, and evaluate the possible consequences of cyber-attacks affecting the operational security of the electricity system and disrupting cross-border electricity flows.

ENTSO-E and the EU DSO Entity are mandated with the creation of harmonized cybersecurity procurement requirements for high-impact and critical-impact entities to use in their procurement processes for ICT products, services, and processes.

NCC also introduces changes to information flows, incident management, and crisis management. These include the establishment of SOC capabilities by critical-impact entities, such as intrusion detection, vulnerability scanning, information sharing, and incident response.

Moreover, sanitized and anonymized information will be shared through national CSIRTs; reportable incidents must be reported to the national CSIRT within 4 hours; entities must have a crisis management plan; an early warning system shall be set up; and exercises must be held at entity, national, and regional level.

Latest updates on NCC

On March 11, 2024, the European Commission adopted the EU Network Code on Cybersecurity for the electricity sector. As the first time the EU has passed cybersecurity rules specifically aimed at this critical infrastructure, it represents a major landmark in EU industrial regulation. Forming part of the Electricity Regulation (EU) 2019/943, the rule aims to raise cyber resilience across several important EU energy services and infrastructures. In particular, it provides a common cybersecurity standard for cross-border power transfers and a governance model that conforms with existing EU rules, notably the revised Network and Information Security Directive (NIS2). [20]

Following its adoption, the NCC text has moved to the next stage of the procedure, namely detailed examination by the two EU co-legislators, as required by the applicable EU rules of procedure. While no precise date has been announced as of the time of writing, the rules are anticipated to take effect upon the conclusion of this examination period.