During the cybersecurity risk management phase, every high-impact and critical-impact entity must establish an entity-wide risk mitigation plan for all assets within their high-impact and critical-impact perimeter and conduct a risk assessment every three years (NCCS Article 26).
During the cybersecurity risk assessment phase, all high-impact and critical-impact entities must identify potential cybersecurity risks, including:
Cyber threats identified in the most recent comprehensive cybersecurity risk assessment report for the cross-border electricity sector (NCCS Article 23).
Potential supply chain threats (NCCS Article 18).