NCCS basic definitions

Before starting the course material, it is advisable to familiarize yourself with the basic definitions. You can review these definitions in this section, and they will also be accessible within the relevant parts of the material by clicking on the respective term.

Term

A

Accreditation

Shall mean an attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity.

Asset

Means any information, software or hardware in the network and information systems either tangible or intangible, that has value to an individual, an organisation or a government.

Assurance level

Means a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme; it indicates the level at which an ICT product, ICT service or ICT process has been evaluated but as such does not measure the security of the ICT product, ICT service or ICT process concerned.

Authorities responsible for the management of cyber crises

Authorities designated or established pursuant to Article 9(1) of Directive (EU) 2022/2555 on the management of cyber crises. Each Member State shall designate or establish one or more competent authorities responsible for the management of large-scale cybersecurity incidents and crises (cyber crisis management authorities). Member States shall ensure that those authorities have adequate resources to carry out, in an effective and efficient manner, the tasks assigned to them. Member States shall ensure coherence with the existing frameworks for general national crisis management.

C

CER Directive

On 14 December 2022, the European Union adopted Directive (EU) 2022/2557 of the European Parliament and of the Council on the resilience of critical entities and repealing Council Directive 2008/114/EC.

Conformity assessment

Shall mean the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled.

Conformity assessment body

Shall mean a body that performs conformity assessment activities including calibration, testing, certification and inspection.

Conformity self-assessment

Means an action carried out by a manufacturer or provider of ICT products, ICT services or ICT processes, which evaluates whether those ICT products, ICT services or ICT processes meet the requirements of a specific European cybersecurity certification scheme.

Critical ICT service provider

Means an entity which provides an ICT service, or ICT process that is necessary for a critical-impact or high-impact process affecting cybersecurity aspects of cross-border electricity flows and that, if compromised, may cause a cyber-attack with impact above the critical-impact or high-impact threshold.

Critical-impact asset

Means an asset that is necessary to carry out a critical-impact process.

Critical-impact entity

Means an entity that carries out a critical-impact process and that is identified by the competent authorities in accordance with Article 24.

Critical-impact process

Means a business process carried out by an entity for which the electricity cybersecurity impact indices are above the critical-impact threshold.

Critical-impact perimeter

Means a perimeter defined by an entity referred to in Article 2(1) that contains all critical-impact assets, on which access to these assets can be controlled, and that defines the scope where the advanced cybersecurity controls apply.

Critical-impact threshold

Means the values of the electricity cybersecurity impact indices referred to in Article 19(3)(b), above which a cyber-attack on a business process will cause critical disruption of cross-border electricity flows.

Cross-border flow

Means a physical flow of electricity on a transmission network of a Member State that results from the impact of the activity of producers, customers, or both, outside that Member State on its transmission network.

Cyber-attack

Means a malicious ICT-related incident caused by an attempt, perpetrated by any threat actor, to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset.

Cybersecurity

Means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.

Cybersecurity control

Means the actions or procedures carried out with the purpose of avoiding, detecting, counteracting, or minimising cybersecurity risks.

Cybersecurity management system

Means the policies, procedures, guidelines, and associated resources and activities, collectively managed by an entity, in the pursuit of protecting its information assets from cyber threats by systematically establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s network and information system security.

Cybersecurity operation centre (CSOC)

Means a dedicated centre where a technical team consisting of one or more experts, supported by cybersecurity IT systems, performs security-related tasks (cybersecurity operation centre (‘CSOC’) services) such as handling of cyber-attacks and security configuration errors, security monitoring, log analysis, and cyber-attack detection.

Cybersecurity vulnerability management

Means the practice of identifying and addressing vulnerabilities.

Cyber threat

Means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons.

E

Early alert

Means the information necessary to indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.

Electricity crisis

Means a present or imminent situation in which there is a significant electricity shortage, as determined by the Member States and described in their risk-preparedness plans, or in which it is impossible to supply electricity to customers.

Electricity cybersecurity impact index (ECII)

Means an index or classification scale that ranks possible consequences of cyber-attacks to business processes involved in cross-border electricity flows.

Entity

Means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations.

European cybersecurity certification scheme

Means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes.

H

High-impact asset

Means an asset that is necessary to carry out a high-impact process.

High-impact entity

Means an entity that carries out a high-impact process and that is identified by the competent authorities in accordance with Article 24.

High-impact perimeter

Means a perimeter defined by any entity listed in Article 2(1) that contains all high-impact assets, on which access to these assets can be controlled, and that defines the scope where the minimum cybersecurity controls apply.

High-impact process

Means any business process carried out by an entity for which the electricity cybersecurity impact indices are above the high-impact threshold.

High-impact threshold

Means the values of the electricity cybersecurity impact indices referred to in Article 19(3)(b), above which a successful cyber-attack on a process will cause high disruption of cross-border electricity flows.

I

ICT

Information and Communications Technology.

ICT process

Means a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service.

ICT product

Means an element or a group of elements of a network or information system.

ICT service

Means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems.

Incident

Means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

Incident handling

Means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident.

L

Large-scale cybersecurity incident

Means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States.

Legacy ICT system

Means an ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity.

M

Mapping matrix

Means a matrix, developed in accordance with Article 34 of Commission Delegated Regulation (EU) 2024/1366, that maps the controls referred to in points (a) and (b) against selected European and international standards and national legislative or regulatory frameworks.

Managed security service provider

Means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management.

Managed service provider

Means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.

Member State

Means a country that is a member of the European Union and complies with EU legislation.

N

National accreditation body

Shall mean the sole body in a Member State that performs accreditation with authority derived from the State.

National single point of contact

Means the single point of contact designated or established by each Member State pursuant to Article 8(3) of Directive (EU) 2022/2555 of the European Parliament and of the Council.

Near miss

Means an event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise.

Network and information system

Means, pursuant to Article 6 point (1):

(a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;

(b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or

(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.

O

Originator

Means an entity that initiates an information exchange, information sharing or information storage event.

OT (Operational Technology)

Means the combination of production automation, machine-to-machine communication and data collection.

P

Procurement specifications

Means the specifications that entities define for the procurement of new or updated ICT products, ICT processes or ICT services.

R

Representative

Means a natural or legal person established in the Union who is explicitly designated to act on behalf of a high or critical-impact entity not established in the Union but delivering services to entities in the Union and who may be addressed by a competent authority or a CSIRT in the place of the high or critical-impact entity itself with regard to the obligations of that entity under this Regulation.

Risk

Means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident.

Risk impact matrix

Means a matrix used during risk assessment to determine the resulting risk impact level for each risk assessed.

S

Security of network and information systems

Means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems.

Significant cyber threat

Means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage.

Stakeholder

Means any party that has an interest in the success and ongoing operation of an organisation or process, such as employees, directors, shareholders, regulators, associations, suppliers and customers.

Standard

Means a technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory.

System operation region

Means the system operation regions as defined in Annex I to ACER Decision 05-2022 on the Definition of System Operation Regions, established in accordance with Article 36 of Regulation (EU) 2019/943.

Single point of contact at entity level (SPOC)

Means the single point of contact at entity level as designated under Article 38(1) point (c).

T

Technical specification

Means a document that prescribes technical requirements to be fulfilled by a product, process, service or system and which lays down one or more of the following.

U

Unpatched actively exploited vulnerability

Means a vulnerability which has not yet been publicly disclosed and patched, and for which there is reliable evidence that execution of malicious code was performed by an actor on a system without the permission of the system owner.

V

Vulnerability

Means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat.