Through a delegated act published on Monday 11 March, provided for in the Electricity Regulation and in the EU 2022 Action Plan for the digitalisation of the energy system, the European Commission has introduced the very first network code on cyber security in the electricity sector.
This delegated act establishes a risk assessment process which identifies entities with a critical or high impact on cross-border electricity flows and the measures needed to reduce the risks to which they may be subject.
To achieve this, the network code establishes a governance model that uses and aligns with existing mechanisms set out in horizontal EU legislation, in particular the revised Network and Information Security Directive (NIS2).
This is the case, for example, for reporting cyber attacks and vulnerabilities using the Computer Security Incident Response Teams (CSIRTs) or for coordinating with the CyCLONe network in the event of large-scale cyber security incidents and crises.
These new rules should encourage the establishment of a common base, while respecting existing practices and investments as far as possible.
This delegated act is now subject to examination by the European Parliament and the EU Council, each of which has 2 months in which to oppose it.
See the delegated act: https://aeur.eu/f/b9q (Original version in French by Isalia Stieffatre)