Each competent authority shall perform a Member State cybersecurity risk assessment on all high-impact and critical-impact entities in its Member State using the methodologies developed pursuant to NCCS Article 18 and approved pursuant to NCCS Article 8. The Member State cybersecurity risk assessment shall identify and analyse the risks of cyber-attacks affecting the operational security of the electricity system disrupting cross-border electricity flows. The Member State cybersecurity risk assessment shall not consider the legal, financial or reputational damage of cyber-attacks.
Within 21 months after the notification of the high- and critical-impact entities pursuant to NCCS Article 24 Paragraph 6 and every three years after that date, and after consulting the CS-NCA responsible for electricity, each competent authority, supported by the CSIRT, shall provide a Member State cybersecurity risk assessment report to the ENTSO for Electricity and the EU DSO entity, containing the following information for each high-impact and critical-impact business process:
(a) the implementation status of the minimum and advanced cybersecurity controls pursuant to NCCS Article 29;
(b) a list of all cyber-attacks reported in the previous three years pursuant to NCCS Article 38 Paragraph 3;
(c) a summary of the cyber threat information reported in the previous three years pursuant to NCCS Article 38 Paragraph 6;
(d) for each Union-wide high-impact or critical-impact process, an estimate of the risks of a compromise of the confidentiality, integrity and availability for information and relevant assets;
(e) where necessary, a list of additional entities identified as high-impact or critical-impact pursuant to NCCS Article 24 Paragraphs 2, 3 and 5.
The Member State cybersecurity risk assessment report shall take into account the Member State’s risk preparedness plan established pursuant to Article 10 of Regulation (EU) 2019/941 of the European Parliament and of the Council.
The information contained in the Member State cybersecurity risk assessment report shall not be linked to specific entities or assets. The Member State cybersecurity risk assessment report shall also include a risk assessment of the temporary derogations issued by the competent authorities in the Member States pursuant to NCCS Article 30.