The draft Network Code on cybersecurity aspects of cross-border electricity flows has been released today for public consultation. ENCS collaborated on the writing of the Network Code as a member of the drafting team.
During the public consultation period, stakeholders within the energy sector have the opportunity to share their views on the draft and to influence the content of the final version.
The Network Code on cybersecurity gives sector-specific rules for the cybersecurity aspects of cross-border electricity flows, including rules on common minimum requirements, planning, monitoring, reporting and crisis management. Once it enters into force it will act as sector-specific legislation that complements the NIS directive for the electricity sector; it does not replace it.
The purpose of the Network Code is to ensure that essential grid participants take security measures, to minimise the additional overhead on top of the NIS directive, to regulate based on risk, and to put grid operators in the lead for product assurance. The following paragraphs outline its main provisions.
Its scope covers all entities that carry out generation, transmission, distribution, aggregation, demand response, energy storage, supply or purchase of electricity, or related commercial, technical or maintenance functions, regardless of their size.
The Network Code defines a risk assessment cycle that combines a top-down, Union-wide cybersecurity risk assessment, which identifies, analyses and evaluates the possible consequences of cyber-attacks on cross-border electricity flows, with a bottom-up risk assessment that starts at the individual entities and is aggregated at national and then regional level.
The document also classifies entities as critical-impact entities, high-impact entities, or small and micro entities, according to thresholds still to be established. These entities must implement advanced, minimum, and basic cybersecurity hygiene controls, respectively. The controls themselves will be defined by ENTSO-E and the EU DSO Entity.
High-impact and critical-impact entities will have to establish a cybersecurity management system based on an international standard, and that system will have to be verified either through certification or through a national verification scheme.
ENTSO-E and the EU DSO Entity are mandated to create harmonised cybersecurity procurement requirements that high-impact and critical-impact entities must use in their procurement processes for ICT products, services and processes. These procurement requirements must be compatible with Union certification schemes (e.g. EUCS, ICCS).
The Network Code also introduces changes to information flows, incident handling and crisis management. These include the establishment of SOC capabilities by critical-impact entities, such as intrusion detection, vulnerability scanning, information sharing and incident response. Moreover, sanitised and anonymised information will be shared through the national CSIRTs, reportable incidents must be reported to the national CSIRT within 4 hours, entities must have a crisis management plan, an early warning system shall be set up, and exercises must be held at entity, national and regional level.
The draft Network Code is out for public consultation until the 10th of December. The draft can be read, and views on it shared, through the consultation page linked here.
For more information, ENTSO-E is organising two workshops, on November 19th and December 8th. Registration is available here.