Chapter 3

Temporary Provisions of the NCCS

In this chapter, you will learn about the most important temporary provisions of the NCCS.

The NCCS regulation’s Article 48 outlines temporary provisions that ensure the enhanced application of cybersecurity guidelines in the electricity sector until the final conditions and methodologies are developed and adopted.

Under the precautionary principle, high-impact and critical-impact entities may voluntarily comply with the obligations defined in the NCCS regulation during the temporary period (lasting until June 13, 2028, depending on the EU-wide adoption of relevant methodologies) before their final identification under NCCS Article 24. Furthermore, NCCS Article 48 Paragraph 10 mandates that until the minimum and advanced cybersecurity controls under NCCS Article 29 are adopted, all identified entities must strive to progressively implement the guidelines developed under NCCS Article 48 Paragraph 1.

Topic Developed by Timeline

Development of provisional ECII values (NCCS Article 48 Paragraph 2)

The provisional ECII assists competent authorities in identifying high-impact and critical-impact entities.

ENTSO-E, EU DSO

October 13, 2024

Compilation of the list of high-impact and critical-impact processes (NCCS Article 48 Paragraph 4)

In addition to the provisional ECII, these processes provide further guidance to competent authorities for identifying entities.

ENTSO-E, EU DSO

December 13, 2024

Compilation of the provisional list of high-impact and critical-impact entities and notification of entities (NCCS Article 48 Paragraph 3)

Competent authority

Identification of designated entities: February 13, 2025

Notification of designated entities: March 13, 2025

Development of a provisional list of European and international standards and controls required by national regulations relevant to the cybersecurity aspects of cross-border electricity flows (NCCS Article 48)

ENTSO-E, EU DSO

June 13, 2025

The ENTSO-E (European Network of Transmission System Operators for Electricity), in collaboration with the EU DSO (European Distribution System Operators Organization), has developed a provisional list of high-impact and critical-impact processes across the Union.

The provisional list of processes can be accessed via the following links:

Provisional list of Union-wide high-impact and critical-impact processes.pdf
Provisional list of Union-wide high-impact and critical-impact processes
415 KB

The supporting methodological document provides additional information and justification for the listed processes.

Supporting document Provisional list of Union-wide high-impact and critical-impact processes.pdf
Supporting document for the provisional list of Union-wide high-impact and critical-impact processes
201 KB

As part of the NCCS, ENTSO-E, in collaboration with the EU DSO, has developed a provisional Electricity Cybersecurity Impact Index ECII and threshold values for high-impact and critical-impact categories.

The provisional Electricity Cybersecurity Impact Index (ECII) can be accessed via the following links:

Provisional ECII.pdf
Provisional Electricity Cybersecurity Impact Index (ECII)
229 KB

The supporting methodological document provides additional information and justification for the ECII.

Supporting document provisional ECII.pdf
Supporting document for the provisional Electricity Cybersecurity Impact Index (ECII)
177 KB

  • Competent authorities will notify the entities identified in the provisional list no later than March 13, 2025, informing them that they have been designated as high-impact or critical-impact entities.

  • Entities identified in the provisional list as high-impact and critical-impact may voluntarily comply with the obligations outlined in this regulation under the precautionary principle.

Here you can see the provisional time line:

provtimeline

Unresolved directive in main_01.adoc - include::03_nccs_nis2_02.adoc[]

Table of contents