Article 18 of the NCCS (Network Code on Cybersecurity for the electricity sector) sets out the methodology for cybersecurity risk assessment.
| Timeline | Levels |
|---|---|
| The cybersecurity risk assessment process will begin in March 2025, when ENTSO-E and the EU DSO entity, in consultation with the NIS Cooperation Group, will develop the assessment methodologies. | |
Risk assessment methodology
The cybersecurity risk assessment methodologies at the EU, regional, and member state levels include the following:
a) The list of cyber threats to be examined, including at least the following threats affecting the supply chain:
(i) severe and unexpected disruption of the supply chain;
(ii) absence of ICT products, ICT services or ICT processes in the supply chain;
(iii) cyberattacks initiated through supply chain participants;
(iv) leaking of sensitive information through the supply chain, including tracking of the supply chain;
(v) the introduction of vulnerabilities or backdoors into ICT products, ICT services, or ICT processes through supply chain actors.
b) Criteria for assessing the high or critical impact of cybersecurity risks, using the defined thresholds for consequences and probability;
c) An approach for analyzing cybersecurity risks arising from legacy systems, the cascading effects of cyberattacks, and the real-time nature of the systems operating the network;
d) An approach for analyzing cybersecurity risks arising from dependency on a single supplier of ICT products, ICT services, or ICT processes.
Risk impact matrix
The risk impact matrix shall:
(a) measure the consequences of cyber-attacks based on the following criteria:
(i) loss of load;
(ii) reduction of power generation;
(iii) loss of capacity in the primary frequency reserve;
(iv) loss of capacity for restoration of an electric grid to operation without relying on the external transmission network to recover after a total or partial shutdown (also called ‘black start’);
(v) the expected duration of an electricity outage affecting customers in combination with the scale of the outage in customer numbers; and
(vi) any other quantitative or qualitative criteria that could reasonably act as an indicator of the effect of a cyber-attack on cross-border electricity flows;
(b) measure the likelihood of an incident as the frequency of cyber-attacks per year.
The EU, regional, and member state cybersecurity risk assessment methodologies evaluate cybersecurity risks using the same risk impact matrix.
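The matrix above scores each scenario on the six consequence criteria and on likelihood expressed as attacks per year. The following is an added illustration of that structure, not code from the NCCS or any ENTSO-E methodology; the threshold values, likelihood bands and the 3x3 combination rule are constructed assumptions, since Article 18 leaves the real thresholds to the methodologies themselves.

```python
from dataclasses import dataclass

# Constructed thresholds: (high, critical) per criterion. Assumptions for this
# example only; the NCCS leaves the actual values to the Article 18 methodologies.
IMPACT_THRESHOLDS = {
    "loss_of_load_mw": (1000, 3000),
    "generation_reduction_mw": (1000, 3000),
    "fcr_loss_mw": (300, 1000),           # primary frequency reserve capacity
    "black_start_loss_mw": (500, 1500),   # restoration capacity without external grid
    "customer_outage_hours": (1e6, 1e7),  # outage duration x customers affected
}
# Likelihood bands as upper bounds on expected cyber-attacks per year (constructed).
LIKELIHOOD_BANDS = [(0.1, "rare"), (1.0, "occasional")]
LEVELS = ["low", "high", "critical"]
LIKELIHOODS = ["rare", "occasional", "frequent"]


@dataclass
class Scenario:
    name: str
    loss_of_load_mw: float = 0.0
    generation_reduction_mw: float = 0.0
    fcr_loss_mw: float = 0.0
    black_start_loss_mw: float = 0.0
    outage_duration_h: float = 0.0
    customers_affected: int = 0
    attacks_per_year: float = 0.0  # likelihood, as the regulation defines it


def impact_level(s: Scenario) -> str:
    """Highest band reached by any single consequence criterion."""
    metrics = {k: getattr(s, k) for k in IMPACT_THRESHOLDS if k != "customer_outage_hours"}
    metrics["customer_outage_hours"] = s.outage_duration_h * s.customers_affected
    worst = 0
    for key, value in metrics.items():
        high, critical = IMPACT_THRESHOLDS[key]
        worst = max(worst, 2 if value >= critical else 1 if value >= high else 0)
    return LEVELS[worst]


def likelihood_band(attacks_per_year: float) -> str:
    for upper, band in LIKELIHOOD_BANDS:
        if attacks_per_year < upper:
            return band
    return "frequent"


def risk_rating(s: Scenario) -> str:
    """Combine impact and likelihood on a 3x3 matrix (constructed combination rule)."""
    score = LEVELS.index(impact_level(s)) + LIKELIHOODS.index(likelihood_band(s.attacks_per_year))
    return "critical" if score >= 3 else "high" if score == 2 else "low"
```

Every scenario is placed on the same matrix regardless of whether it is assessed at EU, regional or member state level, which is the point the last paragraph makes.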