According to NCCS Article 29 Paragraph 1, within 7 months of the submission of the first draft of the EU-wide cybersecurity risk assessment report, transmission system operators, assisted by the ENTSO for Electricity and in cooperation with the EU DSO, shall develop a proposal for minimum and advanced cybersecurity controls.
The minimum and advanced cybersecurity controls may be audited in accordance with the procedure set out in NCCS Article 31, either through participation in the national compliance audit scheme or through security audits conducted by an independent third party in accordance with the requirements listed in NCCS Article 25 Paragraph 2.
The baseline minimum and advanced cybersecurity controls developed pursuant to NCCS Article 29 Paragraph 1 shall be based on the risks identified in the EU-wide cybersecurity risk assessment report referred to in NCCS Article 19 Paragraph 5. Modified minimum and advanced cybersecurity controls developed pursuant to NCCS Article 29 Paragraph 2 shall be based on the regional cybersecurity risk assessment report referred to in NCCS Article 21 Paragraph 2.
Minimum cybersecurity controls include controls to protect information shared under NCCS Article 46.
Transmission System Operators (TSOs), together with ENTSO-E and the EU DSO, shall develop a proposal for minimum and advanced cybersecurity controls for the supply chain (NCCS Article 33), consistent with the minimum and advanced controls developed under NCCS Article 29.
Minimum and advanced cybersecurity controls
High-impact and critical-impact entities apply the minimum cybersecurity controls within the high-impact scope, and critical-impact entities additionally apply the advanced cybersecurity controls within the critical-impact scope.
Mapping matrix
The controls defined in points (a) and (b) of NCCS Article 28 Paragraph 1 serve as a mapping matrix for demonstrating compliance with selected European and international standards, as well as relevant technical specifications, including the applicable national standards under Article 5 of Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2).
Cybersecurity Management System
This system prescribes a comprehensive approach to managing cybersecurity at the entity level. It includes, for example, the development of cybersecurity policies, the assignment of responsibilities, the conduct of risk assessments, and the provision of the necessary resources. Its core components are designed so that the entity can proactively manage cybersecurity risks, establish clear roles and responsibilities, and allocate the resources needed to protect against threats and vulnerabilities. The system is the foundational framework for the ongoing protection and resilience of the entity's assets against evolving cyber threats.
Risk Assessment
According to NCCS Article 26, risk assessment is a structured process aimed at protecting the entity's network and information systems. Every high-impact and critical-impact entity is required to conduct a risk assessment every three years. This process ensures that entities periodically evaluate the security posture of their systems, identify threats and vulnerabilities, and implement appropriate risk mitigation measures. It is an essential practice for maintaining the integrity and resilience of critical infrastructure in the face of evolving cybersecurity challenges.
Entities may request the competent authority to allow an exemption from the obligation to apply minimum and advanced cybersecurity controls.
The competent authority may grant such an exemption if the entity:
Can prove that the costs of implementing the appropriate cybersecurity controls significantly outweigh the benefits; or
Submits an enterprise-level risk assessment plan that reduces cybersecurity risks to an acceptable level using alternative control measures, in accordance with the risk acceptance criteria.
The competent authority then has three months to decide whether the exemption from the minimum and advanced cybersecurity controls can be granted.
Exemptions will be granted for a period of up to three years, with the possibility of extension.