Network Code on Cybersecurity

The new Network Code on Cybersecurity will cover issues such as:

• establishing methodologies and governance for electricity cross-border risk assessment,
• define a set of common minimum cybersecurity requirements and standards applicable to all actors for the electricity markets,
• further development and orchestration of cybersecurity information co​llection and dissemination among all electricity community actors,
• planning,
• monitoring,
• and reporting obligations​. 

In particular, the revised Network Code on electricity cybersecurity submitted on 14 July 2022 by the ACER to the European Commission includes rules on various electricity cybersecurity-related aspects, such as:

• a common electricity cybersecurity framework aimed to standardise the measures in place to protect the EU electricity cyber perimeter;
• governance of cybersecurity for the electricity sector;
• a comprehensive cross-border risk management process;
• cybersecurity information sharing flows to ensure timely information and foster quick and coordinated reaction of relevant stakeholders;
• rules on incident handling and crisis management;
• a cybersecurity exercise framework to enhance preparedness of all operators;
• rules for the protection of information exchange;
• a framework for monitoring, benchmarking and reporting.

The main changes introduced by ACER’s review to the network operators’ proposal include:

• specifying the elements and principles to be included in terms, conditions and methodologies;
• elaborating on governance-related issues;
• introducing the legal basis to develop guidelines for the exchange of information;
• introducing the possibility for Member States to be exempted from provisions for national security reasons.

    Regulatory chronicle 

20 October 2023

The opening of the public feedback period on Commission Delegated Regulation supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows 

14 July 2022

ACER submits to the European Commission the revised Network Code on electricity cybersecurity 

27 July 2021

ACER publishes its Framework Guideline to establish a Network Code on Cybersecurity

The Framework Guideline covers various security-related topics, such as:

• governance
• cross-border risk assessment & management
• a common electricity cybersecurity framework
• information sharing and essential information flows
• incident handling and crisis management (including data collection)
• an electricity cybersecurity exercise framework
• protection of information exchange in the context of data processing
• monitoring, benchmarking and reporting

29 June 2021

Consultation response – ACER Consultation on the Draft Framework Guideline on sector-specific rules for cybersecurity aspects of cross-border electricity flows

30 April 2021

Public Consultation on the Draft Framework Guideline on sector-specific rules for cybersecurity aspects of cross-border electricity flows
 

Framework Guideline on sector-specific rules for cybersecurity aspects of cross- border electricity flows (Draft), PC_2021_E_04)

    Documentation

ACER Framework Guideline on sector-specific rules for cybersecurity aspects of cross- border electricity flows, 22 July 2021

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union - the NIS Directive

Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (COM(2020) 823 final, the NIS2 Directive)

Proposal for a Directive of the European Parliament and of the Council on the resilience of critical entities (COM(2020) 829 final)