Europe’s network code on cybersecurity published

The EU’s first network code on cybersecurity for the electricity sector is expected to improve the cyber resilience of this critical infrastructure and the associated services.

The network code, which was foreseen in the energy system digitalisation action plan and drafted by ENTSO-E and the DSO Entity, provides a common standard to ensure the security and reliability of the interconnected system.

The network code introduces the notion of ‘high impact and critical impact entities’ and these are primarily those that have a direct impact on cross-border flows of electricity in the EU.

With common rules to perform cybersecurity risk assessments, report cyber-attacks, threats and vulnerabilities and establish cybersecurity risk management, the network code is designed to support a high, common-level of cybersecurity for cross-border electricity flows in Europe.

Have you read?
eFORT project developing a digital twin to tackle grid security
Energy Transitions Podcast: Cybersecurity innovation at the core of digital transformation

“The publication of the network code on cybersecurity marks an important milestone for the completion of the internal energy market and the achievement of the EU’s energy objectives, both at the level of transmission and distribution electricity grids,” says a joint ENTSO-E, DSO Entity statement.

Under the new regulation no later than 13 December 2024 member states are required to designate a national governmental or regulatory authority responsible for carrying out the assigned tasks, including identifying the high impact and critical impact entities.

By 13 March 2025, the TSOs, with the assistance of ENTSO-E and the DSO entity and following a consultation with the Network and Information Systems (NIS) Cooperation Group, are required to submit a proposal for cybersecurity risk assessment methodologies at Union, regional and member state levels.

These should include a list of cyber threats to be considered, including supply chain threats, the criteria to evaluate the impact of cybersecurity risks as high or critical, an approach to analyse the cybersecurity risks coming from legacy systems and an approach to analyse the cybersecurity risks coming from the dependency on a single supplier of ICT products, services or processes.

Within nine months after the approval of these risk assessment methodologies and every three years thereafter, ENTSO-E in cooperation with the DSO entity and in consultation with the NIS Cooperation Group, shall perform an EU-wide cybersecurity risk assessment.

Within 30 months after the notification of the high impact and critical impact entities the organisations are required to draw up regional cybersecurity risk assessment reports for each system operation region and within 40 months to report on the assessment of cybersecurity risks with regard to cross-border electricity flows.

The member state competent authorities also are required to perform cybersecurity risk assessments on all the high impact and critical impact entities.

These entities themselves are required to perform and report cybersecurity risk management for all their assets on a three-yearly basis and also they are required to establish and demonstrate compliance with a cybersecurity management system and the defined cybersecurity controls.

Other details covered in the new network code include cybersecurity procurement recommendations, cyber-attack detection, cybersecurity crisis management and protection of information.

ENTSO-E and the DSO Entity have indicated that in the coming months they will continue their collaboration and work on the different documents that will guide the implementation of the network code.