The NCCS is a comprehensive regulation that covers multiple aspects of cybersecurity in the electricity sector. The key areas include:
Risk assessment is one of the key pillars of the NCCS. Cybersecurity risk management under the scope of the NCCS regulation requires a structured process that includes, among other aspects, the identification of risks arising from cyberattacks affecting cross-border electricity flows, the related operational processes and scopes, as well as appropriate cybersecurity controls and authentication mechanisms. Risk assessment is conducted cyclically at the EU, regional, national, and entity levels. The risk-based approach outlined in various provisions aims to identify the processes, supporting assets, and the entities operating them that impact cross-border electricity flows. Depending on the extent to which potential cyberattacks affect these entities' operations related to cross-border electricity flows, the entities may be classified as high-impact or critical-impact entities. Member States are responsible for identifying entities that meet the qualification criteria for high-impact and critical-impact entities through the competent authority designated under the NCCS regulation. The cybersecurity risk assessments at the EU, national, regional, and entity levels, as stipulated in the NCCS regulation, may be limited to risks arising from cyberattacks as defined in Regulation (EU) 2022/2554 of the European Parliament and of the Council. Consequently, they may exclude risks associated with physical attacks, natural disasters, and operational disruptions caused by facility or human resource outages.
The provisions of the NCCS regulation shall not prejudice Union law establishing specific rules for the certification of information and communication technology (ICT) products, ICT services, and ICT processes, particularly concerning the framework for the establishment of European cybersecurity certification schemes, as set out in Regulation (EU) 2019/881 of the European Parliament and of the Council.
With a view to mitigating cybersecurity risks, it is necessary to establish a detailed rulebook governing the actions of, and the cooperation amongst, relevant stakeholders whose activities concern cybersecurity aspects of cross-border electricity flows, with the aim of ensuring system security. Those organisational and technical rules should ensure that most electricity incidents with cybersecurity root causes are effectively dealt with at operational level. It is necessary to set out what those relevant stakeholders should do to prevent such crises and what measures they can take should system operation rules alone no longer suffice. Therefore, it is necessary to establish a common framework of rules on how to prevent, prepare for and manage simultaneous electricity crises with a cybersecurity root cause. This brings more transparency in the preparation phase and during a simultaneous electricity crisis and ensures that measures are taken in a coordinated and effective manner together with the competent authorities for cybersecurity in the Member States.
Since the exploitation of vulnerabilities in network and information systems can cause significant disruptions in energy supply and substantial damage to the economy and consumers, these vulnerabilities must be swiftly identified and addressed to mitigate risks. To facilitate the effective implementation of the NCCS regulation, relevant entities and competent authorities must cooperate in practicing and testing activities deemed appropriate for this purpose. This includes the exchange of information related to cyber threats, cyberattacks, vulnerabilities, assets and methods, tactics, techniques, and procedures, as well as cybersecurity crisis management preparedness and other exercises. The regulation defines the scope of reportable cyberattacks, threats, and vulnerabilities, as well as the rules for information sharing and confidentiality obligations.
Recent cyberattacks show that entities are increasingly becoming the target of supply chain attacks. Such supply chain attacks not only have an impact on individual entities in scope but can also cascade into larger attacks on the entities to which they are connected through the electricity grid.
Based on the regulation, minimum and advanced cybersecurity control requirements and procurement recommendations will be formulated for the actors in the supply chain.