Identification method of the entities

The objective of the NCCS regulation is to strengthen the cybersecurity of the European electricity system within a unified framework. To ensure its effective implementation, it is essential to define precisely which entities are subject to its requirements.

Entities are identified by the competent authorities based on NCCS Article 24 and NCCS Article 48.

Identification criteria:

1. Their ECII value (cybersecurity impact index) exceeds the threshold for high impact or critical impact.

Temporary ECII values are available here:

Temporary ECII Values by ENTSO-E.

2. They participate in high-impact and critical-impact processes at the EU level.

The temporary list of processes is available here:

Temporary list of processes by ENTSO-E.

Identification of additional entities

1. Entities that are not registered in the Union but provide services to entities operating within the Union

The competent authority may identify high-impact and critical-impact entities that are not established in the EU, provided they operate within the Union. The competent authority may request information from entities not established in the EU to determine their ECII values. Entities that are not registered in the Union but provide services to entities operating within the Union, and that have been notified that they qualify as a high-impact or critical-impact entity, must designate a Union representative in writing within three months of receiving the notification and inform the notifying competent authority accordingly, as stipulated in Article 15 of the NCCS.

2. Group of entities

Each Member State’s competent authority may identify additional entities as high-impact or critical-impact entities if the following criteria are met:

  1. The entities are part of a group of entities that face a significant risk of being simultaneously affected by a cyber attack.

  2. The aggregated ECII value for the group exceeds the threshold for high impact or critical impact.