The network code on cybersecurity describes a cybersecurity risk assessment process at European level. The process determines which entities and processes within an entity are in scope of the network code, and which controls the entities must apply to these processes. So, it largely determines what entities must do to comply with the network code.
Because the risk measures are not yet defined, entities face uncertainty: it is not clear whether they will fall under the network code or not. A robust regulatory approval process is also needed for the documents that define the risk measures. They are drafted by ENTSO-E and the EU DSO entity but apply to all entities in the sector. Yet it is not clear who may approve these documents, as the responsibilities for cybersecurity risks at EU level have not been worked out. So, it would be easier if the risk measures were already defined in the network code itself.
We therefore propose to include cybersecurity risk metrics in the network code by using the ENTSO-E incident classification scale (ICS).