NCCS Article 26 and NCCS Article 27 outline the details of entity-level cybersecurity risk assessment and management.
According to NCCS Article 26 Paragraph, during the cybersecurity risk management phase, each high-impact and critical-impact entity must develop an entity-level risk reduction plan for all assets within the high-impact and critical-impact perimeter and must conduct a risk assessment every three years.
The entity analyzes the likelihood and consequences of identified cybersecurity risks and determines the cybersecurity risk level using the risk impact matrix, which is developed by transmission system operators (TSOs) in collaboration with ENTSO-E for the electricity market and the EU DSO, in accordance with NCCS Article 19 Paragraph 2, integrating EU, regional, and member state cybersecurity risk assessment methodologies.
According to NCCS Article 26 Paragraph 2, each high-impact and critical-impact entity must base its cybersecurity risk management on an approach aimed at protecting its network and information systems, consisting of the following phases:
a) Establishing the context;
b) Conducting cybersecurity risk assessment at the entity level;
c) Managing cybersecurity risks;
d) Accepting cybersecurity risks.
The steps of the procedure are as follows:
Defining the scope, taking into account high-impact processes, critical-impact processes, or other processes.
Defining the risk assessment and acceptance criteria (risk impact matrix).
Identification of cybersecurity risks, cyber threats, vulnerabilities, and cyberattack scenarios, taking EU-level risk assessments into account.
Analysis of the probability and consequences of cybersecurity risks using the risk impact matrix.
Classification of assets based on the consequences of potential compromise, and determination of the high-impact and critical-impact perimeters using the ECII.
Evaluation of cybersecurity risks by ranking them.
Development of an entity-level risk mitigation plan.
Deciding whether the residual risk is acceptable based on the risk acceptance criteria.
Maintaining an inventory of assets for all assets within the high-impact and critical-impact perimeter. This asset inventory is not part of the risk assessment report.
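The analysis, ranking and acceptance steps above can be made concrete with a small model. The following is an added illustration, not text or code from the NCCS or from any TSO/ENTSO-E deliverable: the level bands, the acceptance criterion, the control effects and the sample risks are all constructed placeholders (the real risk impact matrix is the one produced under NCCS Article 19 Paragraph 2), and the function and field names are the example's own.

```python
"""Added example: entity-level risk analysis with a constructed risk impact matrix."""
from dataclasses import dataclass, field

# Constructed risk impact matrix: likelihood and consequence are each scored 1..5
# and multiplied; the product is mapped to a level. Placeholder bands only.
LEVEL_BANDS = (("low", 1, 4), ("medium", 5, 9), ("high", 10, 15), ("critical", 16, 25))
# Constructed acceptance criterion: residual risk at or below "medium" is accepted.
ACCEPTABLE_LEVELS = {"low", "medium"}
# Step 1 (scope): only high-impact and critical-impact processes are assessed.
IN_SCOPE = {"high-impact", "critical-impact"}


@dataclass
class Control:
    name: str
    status: str                   # implementation status, e.g. "implemented", "planned"
    likelihood_reduction: int = 0  # constructed effect on the likelihood score
    consequence_reduction: int = 0 # constructed effect on the consequence score


@dataclass
class Risk:
    asset: str
    process_scope: str            # "high-impact", "critical-impact" or "other"
    scenario: str
    likelihood: int
    consequence: int
    controls: list = field(default_factory=list)  # selected controls from the plan


def risk_score(likelihood, consequence):
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be scored 1..5")
    return likelihood * consequence


def risk_level(likelihood, consequence):
    """Step 4: map likelihood x consequence onto the (constructed) matrix bands."""
    score = risk_score(likelihood, consequence)
    for name, low, high in LEVEL_BANDS:
        if low <= score <= high:
            return name
    raise AssertionError("bands cover every product of two scores in 1..5")


def residual(risk):
    """Likelihood/consequence once every selected control is applied (floor of 1)."""
    lik = risk.likelihood - sum(c.likelihood_reduction for c in risk.controls)
    con = risk.consequence - sum(c.consequence_reduction for c in risk.controls)
    return max(1, lik), max(1, con)


def assess(risks):
    """Steps 1, 4, 6 and 7: scope, analyse, rank, decide on residual-risk acceptance."""
    rows = []
    for r in risks:
        if r.process_scope not in IN_SCOPE:
            continue
        rl, rc = residual(r)
        rows.append({
            "asset": r.asset, "scope": r.process_scope, "scenario": r.scenario,
            "inherent_level": risk_level(r.likelihood, r.consequence),
            "residual_score": risk_score(rl, rc),
            "residual_level": risk_level(rl, rc),
            "acceptable": risk_level(rl, rc) in ACCEPTABLE_LEVELS,
            "controls": [(c.name, c.status) for c in r.controls],
        })
    # Step 6: rank, highest residual risk first
    rows.sort(key=lambda row: (-row["residual_score"], row["asset"]))
    return rows


def control_status_list(rows):
    """The selected-controls list with implementation status the report asks for."""
    return sorted({ctrl for row in rows for ctrl in row["controls"]})


# Constructed sample risks; none of these are real assets or findings.
SAMPLE_RISKS = [
    Risk("substation RTU", "critical-impact", "unauthorised remote access to control interface",
         likelihood=4, consequence=5,
         controls=[Control("network segmentation", "implemented", likelihood_reduction=2),
                   Control("MFA for remote access", "planned", likelihood_reduction=1)]),
    Risk("metering data hub", "high-impact", "ransomware on office-connected server",
         likelihood=3, consequence=3,
         controls=[Control("offline backups", "implemented", consequence_reduction=1)]),
    Risk("SCADA historian", "critical-impact", "loss of availability through unpatched service",
         likelihood=4, consequence=4,
         controls=[Control("patch management", "planned", likelihood_reduction=1)]),
    Risk("cafeteria kiosk", "other", "web defacement", likelihood=3, consequence=1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(f"{row['asset']:<20} {row['inherent_level']:>8} -> {row['residual_level']:<8} "
              f"accept={row['acceptable']}")
    print(control_status_list(assess(SAMPLE_RISKS)))
```

Running it ranks the historian first: its residual risk is still "high" under the constructed acceptance criterion, so it stays on the mitigation plan, while the RTU drops from "critical" to "medium" once its segmentation and MFA controls are counted. The out-of-scope kiosk is excluded at step 1, which is the point of defining the scope before scoring anything.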
Results
Entity-level cybersecurity risk assessment reports:
Entity-Level Cybersecurity Risk Assessment Report according to NCCS Article 27. Every high-impact and critical-impact entity must submit a report to the competent authority within 12 months of being identified as a high-impact or critical-impact entity, and subsequently every three years.
The report must include the following information:
A list of selected controls from the entity-level risk mitigation plan, as required by NCCS Article 26 Paragraph 5, along with the current implementation status of each control.
Risk estimation related to the compromise of the confidentiality, integrity, and availability of information and relevant assets for each EU-level, high-impact, or critical-impact process. This risk estimation must follow the risk impact matrix specified in NCCS Article 19 Paragraph 2.
A list of critical ICT service providers that are essential for their critical-impact processes.
After high-impact and critical-impact entities have been identified, an entity-level risk assessment must be conducted within 12 months and repeated every 3 years.