Who is responsible for the governance of the NCCS?

The governance of NCCS involves multiple stakeholders.

ENTSO-E (European Network of Transmission System Operators for Electricity): ENTSO-E is an entity that brings together European transmission system operators. Under the NCCS framework, ENTSO-E is responsible for conducting the Union-wide cybersecurity risk assessment (NCCS Article 19) and compiling regional cybersecurity risk assessment reports (NCCS Article 21). The regional cybersecurity risk assessment considers cybersecurity-related regional electricity supply crisis scenarios identified under (EU) 2019/941, Article 6. ENTSO-E, in collaboration with the EU DSO, organizes regional cybersecurity exercises in all system operation regions (NCCS Article 44).

EU DSO (European Distribution System Operators): The EU DSO represents European distribution system operators. Under the NCCS framework, the EU DSO collaborates with ENTSO-E in conducting the Union-wide cybersecurity risk assessment (NCCS Article 19) and compiling regional cybersecurity risk assessment reports (NCCS Article 21). ENTSO-E and the EU DSO together organize regional cybersecurity exercises in all system operation regions (NCCS Article 44).

ACER (European Union Agency for the Cooperation of Energy Regulators): ACER is an EU agency that facilitates energy market regulation. Under the NCCS framework, ACER provides opinions on cybersecurity risk assessment methodologies (NCCS Article 8), monitors the implementation of NCCS (NCCS Article 12), and issues reporting obligations (NCCS Article 27, NCCS Article 39) along with non-binding performance indicators (NCCS Article 13). It also oversees the adoption process and implementation of terms, methodologies, and plans (NCCS Article 6). Furthermore, ACER develops a Union-wide cybersecurity crisis management and response plan for the electricity sector (NCCS Article 41).

ENISA (European Union Agency for Cybersecurity): ENISA is an EU agency that provides expertise and support in cybersecurity. Under the NCCS framework, ENISA consults ACER and ENTSO-E on cybersecurity risk assessment methodologies (NCCS Article 6), evaluates cybersecurity exercises (NCCS Article 43), and operates the European Cybersecurity Information Exchange and Analysis Center (ECEAC) (NCCS Article 42).

DG ENER (Directorate-General for Energy): The European Commission’s Directorate-General for Energy is responsible for the EU’s energy policy.

DG CONNECT (Directorate-General for Communications Networks, Content and Technology): The European Commission’s Directorate-General for Communications Networks, Content and Technology is responsible for the EU’s digital policies.

NEMOs: Nominated Electricity Market Operators.

Regional Coordination Centers (RCCs): These centers have a consultative role in developing regional cybersecurity risk assessment and risk mitigation plans and coordinate cybersecurity cooperation between Member States.

National Competent Authorities (NCAs): NCAs are responsible for implementing the NCCS in Member States. Their tasks include identifying high-impact and critical-impact entities (NCCS Article 24), approving conditions and methodologies (NCCS Article 6), granting exemptions from minimum and advanced cybersecurity controls (NCCS Article 30), conducting national cybersecurity risk assessments (NCCS Article 20), ensuring compliance and conducting audits (NCCS Article 25), and facilitating information sharing on cyberattacks.

National Regulatory Authorities (NRAs): NRAs are responsible for energy market regulation within Member States. Under the NCCS framework, NRAs determine mechanisms for cybersecurity investment cost recovery (NCCS Article 11) and conduct performance evaluations (NCCS Article 13).

Risk Preparedness National Competent Authorities (RP NCAs): RP NCAs are responsible for developing and implementing risk preparedness plans. Under the NCCS framework, RP NCAs play a role in cybersecurity risk assessments and cyberattack management.

Cybersecurity Competent Authorities (CS NCAs): CS NCAs are responsible for developing and implementing national cybersecurity strategies.

Computer Security Incident Response Teams (CSIRTs): CSIRTs handle cybersecurity incidents. Under the NCCS framework, CSIRTs support high-impact and critical-impact entities in managing cyberattacks, share information on cyber threats, and participate in cybersecurity exercises.

Key regulatory stakeholders

Member States play a key role in the implementation of NCCS. To ensure that the NCCS requirements are effectively enforced, each Member State designates a competent authority responsible for the regulation’s implementation (NCCS Article 4).

The competent authority performs the following tasks:

  • A national governmental or regulatory authority is responsible for carrying out the tasks assigned to it in the Regulation (NCCS Article 4).

  • Designated by each Member State within six months after entry into force of the Regulation (NCCS Article 4 Paragraph 1).

  • Shall coordinate and cooperate with cybersecurity competent authorities, NRAs, RP NCAs, CSIRTs, and other authorities determined by each Member State to ensure the fulfillment of NCCS and avoid duplication of tasks (NCCS Article 5).

  • May delegate tasks to other national authorities (NCCS Article 4 Paragraph 3).

  • Identify high-impact and critical-impact entities (NCCS Article 24 Paragraph 2).

  • Approve the developed conditions and methodologies (NCCS Article 6 Paragraph 2).

  • Conduct cybersecurity risk assessments (NCCS Article 20 Paragraph 1).

  • Grant exemptions from minimum and advanced cybersecurity controls (NCCS Article 30 Paragraph 1).

  • May perform inspections of critical-impact entities according to national law to verify their compliance with the NCCS (NCCS Article 25).

Performs the following tasks: