In this chapter, you will learn about the most important temporary provisions of the NCCS.
The NCCS regulation’s Article 48 outlines temporary provisions that ensure the enhanced application of cybersecurity guidelines in the electricity sector until the final conditions and methodologies are developed and adopted.
Under the precautionary principle, high-impact and critical-impact entities may voluntarily comply with the obligations defined in the NCCS regulation during the temporary period (lasting until June 13, 2028, depending on the EU-wide adoption of relevant methodologies) before their final identification under NCCS Article 24. Furthermore, NCCS Article 48 Paragraph 10 mandates that until the minimum and advanced cybersecurity controls under NCCS Article 29 are adopted, all identified entities must strive to progressively implement the guidelines developed under NCCS Article 48 Paragraph 1.
| Topic | Developed by | Timeline |
|---|---|---|
|
Development of provisional ECII values (NCCS Article 48 Paragraph 2)
|
ENTSO-E, EU DSO |
October 13, 2024 |
|
Compilation of the list of high-impact and critical-impact processes (NCCS Article 48 Paragraph 4)
|
ENTSO-E, EU DSO |
December 13, 2024 |
|
Compilation of the provisional list of high-impact and critical-impact entities and notification of entities (NCCS Article 48 Paragraph 3) |
Competent authority |
Identification of designated entities: February 13, 2025
|
|
Development of a provisional list of European and international standards and controls required by national regulations relevant to the cybersecurity aspects of cross-border electricity flows (NCCS Article 48) |
ENTSO-E, EU DSO |
June 13, 2025 |
The ENTSO-E (European Network of Transmission System Operators for Electricity), in collaboration with the EU DSO (European Distribution System Operators Organization), has developed a provisional list of high-impact and critical-impact processes across the Union.
The provisional list of processes can be accessed via the following links:
The supporting methodological document provides additional information and justification for the listed processes.
As part of the NCCS, ENTSO-E, in collaboration with the EU DSO, has developed a provisional Electricity Cybersecurity Impact Index ECII and threshold values for high-impact and critical-impact categories.
The provisional Electricity Cybersecurity Impact Index (ECII) can be accessed via the following links:
The supporting methodological document provides additional information and justification for the ECII.
Competent authorities will notify the entities identified in the provisional list no later than March 13, 2025, informing them that they have been designated as high-impact or critical-impact entities.
Entities identified in the provisional list as high-impact and critical-impact may voluntarily comply with the obligations outlined in this regulation under the precautionary principle.
Here you can see the provisional time line:
Unresolved directive in main_01.adoc - include::03_nccs_nis2_02.adoc[]