Minimum and Advanced Cybersecurity Controls and Recommendations in the Supply Chain

Transmission system operators (TSOs), in collaboration with ENTSO-E and the EU DSO, are developing minimum and advanced cybersecurity control recommendations for the supply chain (NCCS Article 33) in accordance with the minimum and advanced controls (NCCS Article 29), as well as non-mandatory cybersecurity procurement recommendations (NCCS Article 35). These recommendations can be utilized by high and critical impact entities when procuring ICT products, ICT services, and ICT processes identified within the high and critical perimeters.

Non-binding cybersecurity procurement recommendations may include sector-specific guidance on the use of European cybersecurity certification schemes, provided that an appropriate scheme is available for the ICT products, ICT services, or ICT processes used by critical-impact entities. Transmission system operators (TSOs), ENTSO-E, the EU DSO, and ENISA collaborate in the development of such guidelines (NCCS Article 36).

Suppliers within the supply chain that entities identify as high-impact or critical-impact ICT service providers are classified as critical ICT service providers (NCCS Article 3 Paragraph).