The objective of the NCCS regulation is to strengthen the cybersecurity of the European electricity system within a unified framework. To ensure its effective implementation, it is essential to define precisely which entities are subject to its requirements.
Entities are identified by the competent authorities based on NCCS Article 24, NCCS Article 48.
1. Their ECII value (cybersecurity impact index) exceeds the threshold for high impact or critical impact.
Temporary ECII values are available here:
2. They participate in high-impact and critical-impact processes at the EU level.
The temporary list of processes is available here:
1. Entities that are not registered in the Union but provide services to entities operating within the Union
The competent authority may identify high-impact and critical-impact entities that are not established in the EU, provided they operate within the Union. The competent authority may request information from entities not established in the EU to determine their ECII values. Entities that are not registered in the Union but provide services to entities operating within the Union and have been notified that they qualify as high or critical-impact entity must, within three months of receiving the notification, designate a Union representative in writing and inform the notifying competent authority accordingly, as stipulated in Article 15 of the NCCS.
2. Group of entities
Each Member State’s competent authority may identify additional entities as high-impact or critical-impact entities if the following criteria are met:
The entities are part of a group of entities that face a significant risk of being simultaneously affected by a cyber attack.
The aggregated ECII value for the group exceeds the threshold for high impact or critical impact.