Cybersecurity Risk Assessment Methods

NCCS Article 18 addresses the methodology for cybersecurity risk assessment.

Timeline Levels

The cybersecurity risk assessment process will begin in March 2025, when ENTSO-E and the EU DSO entities, in consultation with the NIS Cooperation Group, will develop the assessment methodologies.

  • Union

  • Regional

  • Member state

Risk assessment methodology

The cybersecurity risk assessment methodologies at the EU, regional, and member state levels include the following:

a) The list of cyber threats to be examined, including at least the following threats affecting the supply chain:

b) Criteria for assessing the high or critical impact of cybersecurity risks, using the defined thresholds for consequences and probability;

c) An approach for analyzing cybersecurity risks arising from legacy systems, the cascading effects of cyberattacks, and the real-time nature of the systems operating the network;

d) An approach for analyzing cybersecurity risks arising from dependency on a single supplier of ICT products, ICT services, or ICT processes.

Risk impact matrix

NCCS Article 18 Paragraph 2

(a) measure the consequences of cyber-attacks based on the following criteria:

(i) loss of load;

(ii) reduction of power generation;

(iii) loss of capacity in the primary frequency reserve;

(iv) loss of capacity for restoration of an electric grid to operation without relying on the external transmission network to recover after a total or partial shutdown (also called ‘black start’);

(v) the expected duration of an electricity outage affecting customers in combination with the scale of the outage in customer numbers; and

(vi) any other quantitative or qualitative criteria that could reasonably act as an indicator of the effect of a cyber-attack on cross-border electricity flows;

(b) measure the likelihood of an incident as the frequency of cyber-attacks per year.


The EU, regional, and member state cybersecurity risk assessment methodologies evaluate cybersecurity risks using the same risk impact matrix.