The European Union has been very active in developing new regulations to manage cybersecurity risks. In 2022, we expect that three different regulations will be approved that will affect grid operators: The CER Directive, the NIS 2 Directive, and the Network Code on Cybersecurity.
At the core of all three directives are two requirements to entities: the requirements to manage risks and to take appropriate measures to mitigate them, and the requirement to report significant incidents to the national authorities.
The regulations differ however significantly in the scope and details of these requirements. For instance, what risks should be mitigated and what incidents should be reported? How quickly should incidents be reported?
This whitepaper gives an overview of the differences between these regulations, so that grid operators can best prepare for them.