Transmission system operators (TSOs), in collaboration with ENTSO-E and the EU DSO, are developing minimum and advanced cybersecurity control recommendations for the supply chain (NCCS Article 33) in accordance with the minimum and advanced controls (NCCS Article 29), as well as non-mandatory cybersecurity procurement recommendations (NCCS Article 35). These recommendations can be utilized by high and critical impact entities when procuring ICT products, ICT services, and ICT processes identified within the high and critical perimeters.
Non-binding cybersecurity procurement recommendations may include sector-specific guidance on the use of European cybersecurity certification schemes, provided that an appropriate scheme is available for the ICT products, ICT services, or ICT processes used by critical-impact entities. Transmission system operators (TSOs), ENTSO-E, the EU DSO, and ENISA collaborate in the development of such guidelines (NCCS Article 36).