What is ENISA? 

The European Union Agency for Cybersecurity (ENISA) is an agency of the European Union (EU) with the mandate to improve the resilience and enhance the cybersecurity capabilities of EU Member States. ENISA’s mission is to achieve a high common level of cybersecurity throughout Europe. ENISA does this by:
• Providing advice and expertise on cybersecurity policy and strategy to EU Member States.
• Developing and promoting best practices in cybersecurity.
• Raising awareness of cybersecurity risks and threats.
• Coordinating research and innovation in cybersecurity.

The Agency is made up of:
• A Board of Directors: ensures that the Agency carries out its functions in conditions that allow it to act in accordance with its founding regulations.
• An Executive Committee: prepares the decisions to be adopted by the Board of Directors.
• An Executive Director: responsible for the management of the Agency and performs these duties independently.
• A national network of liaison officers: National Liaison Officers (NLOs) facilitate the exchange of information between ENISA and EU Member States.
• An Advisory Group: helps ENISA develop its work programme, achieve its strategic objectives and communicate with key stakeholders.
The current structure and organization of ENISA:

ENISA and the Energy Sector

For the energy sector, ENISA has produced several documents on the EPES (Energy Potential Electrical System) cybersecurity threat landscape, specifically at the intersection of energy systems and Artificial Intelligence (AI).

AI introduces a variety of privacy and security vulnerabilities that can pose substantial threats to organizations. These threats share common characteristics, although the impact of each varies with the specific case, so every organization that uses AI must conduct a thorough assessment to maintain an appropriate level of security and privacy.

While security and privacy are not necessarily identical, they are intrinsically linked and equally important. Unfortunately, these two parameters often come at the expense of performance. Therefore, security, privacy, and performance must be carefully balanced to achieve the desired results.

ENISA & CSA

The Cybersecurity Act (CSA) of 2019 significantly expanded the mandate of the European Union Agency for Cybersecurity (ENISA), transforming it into a permanent agency with a broader range of responsibilities.

ENISA’s mandate covers:

  • Improving cybersecurity capabilities across the EU: strengthening the cybersecurity posture of EU institutions, bodies, offices and agencies.
  • Promoting cybersecurity certification schemes: these schemes aim to improve the reliability of ICT solutions and provide assurance to users regarding their cybersecurity posture.
  • Supporting the development of EU cyber policies: ENISA actively contributes to the formulation and implementation of EU cybersecurity policies, providing expert advice that ensures policy decisions are based on sound technical and strategic considerations.
  • Improving the EU’s cyber incident response capabilities: ENISA facilitates cooperation and information exchange between EU Member States, enabling more effective and unified responses to cyber threats.
  • Promoting cybersecurity awareness and research: ENISA actively raises awareness of cybersecurity issues across the EU and supports cybersecurity research and innovation.

ENISA & NIS Directive

The ENISA report on the NIS Directive examines its impact on the cybersecurity investments of OES/DSPs (operators of essential services and digital service providers) in the EU, the allocation of cybersecurity budgets and the development of specific cybersecurity capabilities. It includes in-depth analyses specific to the Energy and Healthcare sectors.

Key findings include:

  • The global cybersecurity market is expected to grow substantially in the coming years.
  • Investments in cybersecurity for the Health sector are being impacted by COVID-19.
  • EU OES/DSPs allocated 6.7% of their IT investments to information security in 2021.
  • The average cost of a major security incident is estimated at €200,000.
  • 69% of OES/DSPs indicated that the majority of their information security incidents are caused by vulnerability exploitation.

Latest updates on ENISA

A major recent update is the ENISA programming document 2024-2026, which emphasises ENISA’s mission to achieve a high common level of cybersecurity across the European Union in cooperation with the wider community. To this end, the Agency acts as a centre of expertise in cybersecurity, gathering and providing independent, high-quality technical advice and assistance to Member States and EU agencies on cybersecurity, and contributes to the development and implementation of the Union’s cybersecurity policies. The aim is to strengthen confidence in the connected economy, boost resilience and trust in the Union’s infrastructures and services, and maintain the digital security of society and citizens. In doing so, ENISA aims to be an agile, environmentally and socially responsible organisation with a focus on people.
The agency’s Operational Activities, detailed in the document, include the following:
• ACTIVITY 1: Providing assistance in policy development;
• ACTIVITY 2: Supporting implementation of Union policy and law;
• ACTIVITY 3: Building capacity;
• ACTIVITY 4: Enabling operational cooperation;
• ACTIVITY 5a: Contribute to cooperative response at Union and Member States level through effective situational awareness;
• ACTIVITY 5b: Contribute to cooperative response at Union and Member States level through ex-ante and ex-post services provision;
• ACTIVITY 6: Development and maintenance of EU cybersecurity certification framework;
• ACTIVITY 7: Supporting the European cybersecurity market and industry;
• ACTIVITY 8: Knowledge on emerging cybersecurity challenges and opportunities;
• ACTIVITY 9: Outreach and education;
• ACTIVITY 10: Advise on research and innovation needs and priorities.
Two ENISA reports published during 2024 deserve highlighting: one on cyber crisis management at EU level and one mapping CRA requirements to standards. Both are relevant to energy cybersecurity in general and to the ELECTRON project in particular.
The Best Practices for Cyber Crisis Management study highlights the complexity behind the notion of a cyber crisis and the degree of subjectivity it involves. The escalation of a large-scale cyber incident into a cyber crisis relies predominantly on a political decision, and depends largely on the level of risk that EU Member States (MS) are prepared to tolerate (i.e. their ‘risk appetite’).

The best practices identified in this study highlight a number of gaps in cyber crisis management at the operational level in the EU. The imminent transposition of NIS2 into national legislation will formalise the creation of national cyber crisis management authorities. These will have to collaborate with all competent actors in cyber crisis management at MS level, including essential entities, and with their EU counterparts at EU level through EU-CyCLONe. A number of initiatives could be taken to maximise these efforts.
The report on Cyber Resilience Act Requirements Standards Mapping was developed jointly by the EU Joint Research Centre (JRC) and ENISA. To facilitate adoption of the CRA provisions, its requirements need to be translated into harmonised standards with which manufacturers can comply. In support of the standardisation effort, the study attempts to identify the most relevant existing cybersecurity standards for each CRA requirement, analyses the coverage they already offer of the intended scope of the requirement, and highlights possible gaps to be addressed.
The identified standards and their mapping to the two groups of CRA essential requirements are summarised in Table 1 and Table 2. The column headings are the numbering of the CRA essential requirements; an x marks a requirement to which the standard was mapped.

Table 1: Security requirements relating to the properties of products with digital elements

| Standard | 1 | 2 | 3a | 3b | 3c | 3d | 3e | 3f | 3g | 3h | 3i | 3j | 3k |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EN ISO/IEC 27002:2022 | x |   | x |   |   |   |   | x |   |   | x | x | x |
| EN ISO/IEC 27005:2022 | x |   |   |   |   |   |   |   |   |   |   |   |   |
| EN IEC 62443-3-2:2020 | x |   |   |   |   |   |   |   |   |   | x |   |   |
| EN IEC 62443-4-1:2018 | x | x |   |   |   |   |   |   |   |   |   |   |   |
| ISO/IEC 18045:2022 |   | x |   |   |   |   |   |   |   |   | x |   |   |
| ITU-T X.1214 (03/2018) |   | x |   |   |   |   |   |   |   |   |   |   |   |
| ETSI EN 303 645 V2.1.1 (2020-06) | x | x | x | x | x | x | x | x | x | x | x | x | x |
| ISO/IEC 18031:2011 |   |   | x |   |   |   |   |   |   |   |   |   |   |
| ISO/IEC 9798, Parts 1 to 6 |   |   |   | x |   |   |   |   |   |   |   |   |   |
| ISO/IEC 24760, Parts 1 to 3 |   |   |   | x |   |   |   |   |   |   |   |   |   |
| ISO/IEC 29146:2016 |   |   |   | x |   |   |   |   |   |   |   |   |   |
| ITU-T X.1253 (09/2011) |   |   |   | x |   |   |   |   |   |   |   |   |   |
| ITU-T X.812 (11/1995) |   |   |   | x |   |   |   |   |   |   |   |   |   |
| EN IEC 62443-4-2:2019 |   |   |   | x | x | x |   | x |   | x |   | x | x |
| ITU-T X.805 (10/2003) |   |   |   |   | x |   |   | x |   |   |   |   |   |
| ISO/IEC 18033, Parts 1 to 7 |   |   |   |   | x |   |   |   |   |   |   |   |   |
| ITU-T X.814 (11/1995) |   |   |   |   | x |   |   |   |   |   |   |   |   |
| ISO/IEC 9796, Parts 2 and 3 |   |   |   |   |   | x |   |   |   |   |   |   |   |
| ISO/IEC 9797, Parts 1 to 3 |   |   |   |   |   | x |   |   |   |   |   |   |   |
| ISO/IEC 14888, Parts 1 to 3 |   |   |   |   |   | x |   |   |   |   |   |   |   |
| ITU-T X.815 (11/1995) |   |   |   |   |   | x |   |   |   |   |   |   |   |
| ISO/IEC 27701:2019 |   |   |   |   |   |   | x |   |   |   |   |   |   |
| ISO/IEC 29100:2011 |   |   |   |   |   |   | x |   |   |   |   |   |   |
| ETSI TS 103 485 V1.1.1 (2020-08) |   |   |   |   |   |   | x |   |   |   |   |   |   |
| ISO/IEC 22237-1:2021 |   |   |   |   |   |   |   | x |   |   |   |   |   |
| ITU-T Y.4810 (11/2021) |   |   |   |   |   |   |   |   | x |   |   |   |   |
| ISO/IEC TS 19249:2017 |   |   |   |   |   |   |   |   |   | x |   |   |   |
| ISO/IEC 15408-2:2022 |   |   |   |   |   |   |   |   |   | x |   |   |   |
| ISO/IEC 27001:2022 |   |   |   |   |   |   |   |   |   |   | x |   |   |
| ISO/IEC 27034-1:2011 |   |   |   |   |   |   |   |   |   |   | x |   |   |
| EN ISO/IEC 15408-3:2022 |   |   |   |   |   |   |   |   |   |   | x |   |   |
| ISO/IEC 13888-1:2020 |   |   |   |   |   |   |   |   |   |   |   | x |   |
| ISO/IEC 30111:2019 |   |   |   |   |   |   |   |   |   |   |   |   | x |
| IEC 62443-2-1:2010 |   |   |   |   |   |   |   |   |   |   |   |   | x |

Table 2: Vulnerability handling requirements

| Standard | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| ISO/IEC 27036, Parts 1 to 3 | x |   |   |   |   |   |   |   |
| ISO/IEC 27001:2022 |   | x | x |   |   |   |   |   |
| ISO/IEC 27002:2022 |   | x | x |   |   |   | x | x |
| EN ISO/IEC 30111:2020 |   | x |   | x | x | x |   | x |
| EN ISO/IEC 29147:2020 |   | x |   | x | x | x |   |   |
| IEC 62443-4-1:2018 |   | x |   | x |   |   | x | x |
| ISO/IEC TS 27034-5-1:2018 |   |   | x |   |   |   |   |   |
| ISO/IEC 27005:2022 |   |   | x |   |   |   |   |   |
| ETSI EN 303 645 V2.1.1 (2020-06) |   |   |   | x | x |   |   |   |

More information about ENISA’s features, objectives and organization can be found on its website: https://www.enisa.europa.eu/