Perimeters

12 months after the approval of the minimum and advanced cybersecurity controls under NCCS Article 8 Paragraph 5 or their update under NCCS Article 8 Paragraph 10, the organizations listed in NCCS Article 2 Paragraph 1 of the NCCS and identified as critical impact or high impact entities under NCCS Article 24 of the NCCS shall, in accordance with NCCS Article 26 Paragraph 5 of the NCCS, apply minimum cybersecurity controls within the high-impact perimeter and advanced cybersecurity controls within the critical-impact perimeter when developing their entity-level risk mitigation plan.

Critical impact perimeter

The physical and/or logical segregation defined by the entity (e.g., fencing, server rooms, firewalls, proxy servers, etc.), which includes all high-impact and critical-impact devices, as well as any other devices that are within this segregation.

ci
High impact perimeter

The physical and/or logical segregation defined by the entities (e.g., fencing, server rooms, firewalls, proxy servers, etc.), which includes all high-impact devices and any other devices that are within this segregation.

hi

The transmission system operators (TSOs), with the assistance of ENTSO-E and the DSO Entity, will develop a proposal for the minimum and advanced cybersecurity controls.

The competent authorities will then have six months to make a decision on the minimum and advanced cybersecurity controls based on the proposal.

Subsequently, in January 2028, critical-impact and high-impact entities will apply the minimum cybersecurity controls within the high-impact perimeter, and the advanced cybersecurity controls within the critical-impact perimeter.