The following section presents the process of reporting a cyber-attack.
A security incident, as defined in Article 3, Paragraph 14 of Regulation (EU) 2022/2554 of the European Parliament and of the Council, is a malicious ICT-related incident in which a threat actor attempts to destroy, disclose, modify, disable, steal, gain unauthorised access to, or make unauthorised use of an asset.
Every critical-impact and high-impact organisation must, without undue delay and no later than four hours after becoming aware that a cyber-attack is reportable, share the relevant information regarding that cyber-attack with its CSIRTs and competent authority (NCCS Article 38, Paragraph 2).
According to NCCS Article 38, Paragraph 3, information related to a cyber-attack is reportable if the affected organisation's own assessment, based on the classification scale outlined in NCCS Article 37, Paragraph 8, places the attack's severity at "high" or "critical". The classification of security incidents is communicated by the single organisational point of contact designated under paragraph 1(c).
Transmission system operators, with the assistance of ENTSO-E (the European network of transmission system operators for electricity) and in cooperation with EU DSO, shall develop a methodology for the cyber-attack classification scale by 13 June 2025 (NCCS Article 37).
The methodology categorises the severity of cyber-attacks into five levels, the two highest being "high" and "critical". The classification is based on the evaluation of the following parameters:
(a) the potential impact, considering the exposed assets and scopes identified in accordance with point (c) of NCCS Article 26, Paragraph 4; and
(b) the severity of the cyber-attack.
If a competent authority receives information related to a reportable cyber-attack, that competent authority (NCCS Article 37, Paragraph 1):
(a) shall assess the level of confidentiality of that information and inform the entity about the outcome of its assessment without undue delay and not later than within 24 hours of receipt of the information;
(b) shall attempt to find any other similar cyber-attack in the Union reported to other competent authorities, in order to correlate the information received in the context of the reportable cyber-attack with information provided in the context of other cyber-attacks and enrich existing information, strengthen and coordinate cybersecurity responses;
(c) shall be responsible for the removal of business secrets and the anonymisation of the information in accordance with the relevant national and Union rules;
(d) shall share the information with the national single points of contact, CSIRTs and all competent authorities designated pursuant to Article 4 in other Member States without undue delay and no later than 24 hours after the reception of a reportable cyber-attack and provide updated information on a regular basis to those authorities or bodies;
(e) shall disseminate the information of the cyber-attack, after anonymisation and removal of business secrets pursuant to paragraph 1(c), to critical-impact and high-impact entities in its Member State without undue delay and no later than 24 hours after receiving information according to paragraph 1(a), and provide updated information on a regular basis allowing the entities to organise their defence effectively;
(f) may request the reporting high-impact or critical-impact entity to further disseminate the reportable cyber-attack information in a secure manner to other entities that may be affected, with the aim of generating situational awareness in the electricity sector and preventing the materialisation of a risk that may escalate into a cross-border electricity cybersecurity incident;
(g) shall share with ENISA a summary report, after anonymisation and removal of business secrets, with the information of the cyber-attack.