Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
This Regulation establishes a network code which lays down sector-specific rules for cybersecurity aspects of cross-border electricity flows, including rules on common minimum requirements, planning, monitoring, reporting and crisis management.
Article 2
Scope
This Regulation applies to cybersecurity aspects of cross-border electricity flows in the activities of the following entities, if they are identified as high-impact or critical-impact entities in accordance with Article 24:
(a) electricity undertakings as defined in Article 2(57) of Directive (EU) 2019/944;
(b) nominated electricity market operators (‘NEMOs’) as defined in Article 2(8) of Regulation (EU) 2019/943;
(c) organised market places or ‘organised markets’ as defined in Article 2(4) of Commission Implementing Regulation (EU) No 1348/2014 (1) that arrange transactions on products relevant to cross-border electricity flows;
(d) critical ICT service providers as referred to in Article 3, point (9) of this Regulation;
(e) the ENTSO for Electricity established pursuant to Article 28 of Regulation (EU) 2019/943;
(f) the EU DSO entity established pursuant to Article 52 of Regulation (EU) 2019/943;
(g) balancing responsible parties as defined in Article 2, point (14) of Regulation (EU) 2019/943;
(h) operators of recharging points as defined in Annex I to Directive (EU) 2022/2555;
(i) regional coordination centres (‘RCCs’) as established pursuant to Article 35 of Regulation (EU) 2019/943;
(j) managed security service providers (‘MSSP’) as defined in Article 6(40) of Directive (EU) 2022/2555;
(k) any other entity or third party to whom responsibilities have been delegated or assigned pursuant to this Regulation.
The following authorities are, as part of their current mandates, responsible for performing the tasks assigned in this Regulation:
(a) the European Union Agency for the Cooperation of Energy Regulators (‘ACER’) established by Regulation (EU) 2019/942 of the European Parliament and of the Council (2);
(b) national competent authorities responsible for carrying out the tasks assigned to them under this Regulation and designated by Member States pursuant to Article 4, or ‘competent authority’;
(c) national regulatory authorities (‘NRAs’) designated by each Member State pursuant to Article 57(1) of Directive (EU) 2019/944;
(d) competent authorities for risk preparedness (‘RP-NCAs’) established pursuant to Article 3 of Regulation (EU) 2019/941;
(e) computer security incident response teams (‘CSIRTs’) as designated or established pursuant to Article 10 of Directive (EU) 2022/2555;
(f) competent authorities responsible for cybersecurity (‘CS-NCAs’) as designated or established pursuant to Article 8 of Directive (EU) 2022/2555;
(g) the European Union Agency for Cybersecurity established pursuant to Regulation (EU) 2019/881;
(h) any other authorities or third party to whom responsibilities have been delegated or assigned pursuant to Article 4(3).
Article 3
Definitions
The following definitions apply:
(1) ‘asset’ means any information, software or hardware in the network and information systems, either tangible or intangible, that has value to an individual, an organisation or a government;
(2) ‘competent authority for risk preparedness’ means the competent authority designated pursuant to Article 3 of Regulation (EU) 2019/941;
(3) ‘computer security incident response team’ means a team responsible for risk and incident handling in accordance with Article 10 of Directive (EU) 2022/2555;
(4) ‘critical-impact asset’ means an asset that is necessary to carry out a critical-impact process;
(5) ‘critical-impact entity’ means an entity that carries out a critical-impact process and that is identified by the competent authorities in accordance with Article 24;
(6) ‘critical-impact perimeter’ means a perimeter defined by an entity referred to in Article 2(1) that contains all critical-impact assets and on which access to these assets can be controlled and that defines the scope where the advanced cybersecurity controls apply;
(7) ‘critical-impact process’ means a business process carried out by an entity for which the electricity cybersecurity impact indices are above the critical-impact threshold;
(8) ‘critical-impact threshold’ means the values of the electricity cybersecurity impact indices referred to in Article 19(3)b, above which a cyber-attack on a business process will cause critical disruption of cross-border electricity flows;
(9) ‘critical ICT service provider’ means an entity which provides an ICT service, or ICT process that is necessary for a critical-impact or high-impact process affecting cybersecurity aspects of cross-border electricity flows and that, if compromised, may cause a cyber-attack with impact above the critical-impact or high-impact threshold;
(10) ‘cross-border electricity flow’ means a cross-border flow as defined in Article 2(3) of Regulation (EU) 2019/943;
(11) ‘cyber-attack’ means an incident as defined in Article 3, point (14), of Regulation (EU) 2022/2554;
(12) ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1) of Regulation (EU) 2019/881;
(13) ‘cybersecurity control’ means the actions or procedures carried out with the purpose of avoiding, detecting, counteracting, or minimising cybersecurity risks;
(14) ‘cybersecurity incident’ means an incident as defined in Article 6, point (6) of Directive (EU) 2022/2555;
(15) ‘cybersecurity management system’ means the policies, procedures, guidelines, and associated resources and activities, collectively managed by an entity, in the pursuit of protecting its information assets from cyber threats by systematically establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s network and information system security;
(16) ‘cybersecurity operation centre’ means a dedicated centre where a technical team consisting of one or more experts, supported by cybersecurity IT systems, performs security-related tasks (cybersecurity operation centre (‘CSOC’) services) such as handling of cyber-attacks and security configuration errors, security monitoring, log analysis, and cyber-attack detection;
(17) ‘cyber threat’ means a cyber threat as defined in Article 2, point (8) of Regulation (EU) 2019/881;
(18) ‘cybersecurity vulnerability management’ means the practice of identifying and addressing vulnerabilities;
(19) ‘entity’ means entity as defined in Article 6, point (38) of Directive (EU) 2022/2555;
(20) ‘early alert’ means the information necessary to indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
(21) ‘electricity cybersecurity impact index’ (‘ECII’) means an index or classification scale that ranks possible consequences of cyber-attacks to business processes involved in cross-border electricity flows;
(22) ‘European cybersecurity certification scheme’ means a scheme as defined in Article 2, point (9) of Regulation (EU) 2019/881;
(23) ‘high-impact entity’ means an entity that carries out a high-impact process and that is identified by the competent authorities in accordance with Article 24;
(24) ‘high-impact process’ means any business process carried out by an entity for which the electricity cybersecurity impact indices are above the high-impact threshold;
(25) ‘high-impact asset’ means an asset that is necessary to carry out a high-impact process;
(26) ‘high-impact threshold’ means the values of the electricity cybersecurity impact indices referred to in Article 19(3)b, above which a successful cyber-attack on a process will cause high disruption of cross-border electricity flows;
(27) ‘high-impact perimeter’ means a perimeter defined by any entity listed in Article 2(1) that contains all high-impact assets and on which access to these assets can be controlled and that defines the scope where the minimum cybersecurity controls apply;
(28) ‘ICT product’ means an ICT product as defined in Article 2, point (12) of Regulation (EU) 2019/881;
(29) ‘ICT service’ means an ICT service as defined in Article 2, point (13) of Regulation (EU) 2019/881;
(30) ‘ICT process’ means an ICT process as defined in Article 2, point (14) of Regulation (EU) 2019/881;
(31) ‘legacy system’ means a legacy ICT system as defined in Article 3(3) of Regulation (EU) 2022/2554;
(32) ‘national single point of contact’ means the single point of contact designated or established by each Member State pursuant to Article 8(3) of Directive (EU) 2022/2555;
(33) ‘NIS cyber crisis management authorities’ means the authorities designated or established pursuant to Article 9, point (1) of Directive (EU) 2022/2555;
(34) ‘originator’ means an entity that initiates an information exchange, information sharing or information storage event;
(35) ‘procurement specifications’ means the specifications that entities define for the procurement of new or updated ICT products, ICT processes or ICT services;
(36) ‘representative’ means a natural or legal person established in the Union who is explicitly designated to act on behalf of a high or critical-impact entity not established in the Union but delivering services to entities in the Union and who may be addressed by a competent authority or a CSIRT in the place of the high or critical-impact entity itself with regard to the obligations of that entity under this Regulation;
(37) ‘risk’ means risk as defined in Article 6, point (9) of Directive (EU) 2022/2555;
(38) ‘risk impact matrix’ means a matrix used during risk assessment to determine the resulting risk impact level for each risk assessed;
(39) ‘simultaneous electricity crisis’ means an electricity crisis as defined in Article 2, point (10) of Regulation (EU) 2019/941;
(40) ‘single point of contact at entity level’ means single point of contact at entity level as designated under Article 38(1) point (c);
(41) ‘stakeholder’ means any party that has an interest in the success and ongoing operation of an organisation or process, such as employees, directors, shareholders, regulators, associations, suppliers and customers;
(42) ‘standard’ means a standard as defined in Article 2(1) of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (3);
(43) ‘system operation region’ means the system operation regions as defined in Annex I to ACER Decision 05-2022 on the Definition of System Operation Regions, established in accordance with Article 36 of Regulation (EU) 2019/943;
(44) ‘system operators’ means ‘distribution system operator’ (DSO) and ‘transmission system operator’ (TSO) as defined in Articles 2(29) and 2(35) of Directive (EU) 2019/944;
(45) ‘Union-wide critical-impact process’ means any electricity sector process, possibly involving multiple entities, for which the possible impact of a cyber-attack may be deemed critical during the performance of the Union-wide cybersecurity risk assessment;
(46) ‘Union-wide high-impact process’ means any electricity sector process, possibly involving multiple entities, for which the possible impact of a cyber-attack may be deemed high during the performance of the Union-wide cybersecurity risk assessment;
(47) ‘unpatched actively exploited vulnerability’ means a vulnerability which has not yet been publicly disclosed and patched, and for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner;
(48) ‘vulnerability’ means a vulnerability as defined in Article 6, point (15) of Directive (EU) 2022/2555.
Article 4
Competent authority
Article 5
Cooperation between relevant authorities and bodies at national level
The competent authorities shall coordinate and ensure appropriate cooperation between the competent authorities responsible for cybersecurity, the cyber crisis management authorities, the NRAs, competent authorities for risk preparedness and CSIRTs for the purpose of the fulfilment of the relevant obligations laid down in this Regulation. The competent authorities shall also coordinate with any other bodies or authorities as determined by each Member State, to ensure efficient procedures and avoid duplications of tasks and obligations. The competent authorities shall be able to instruct the respective NRAs to request ACER for an opinion pursuant to Article 8(3).
Article 6
Terms and conditions or methodologies or plans
The following terms and conditions or methodologies and any amendments thereof shall be subject to approval by all competent authorities:
(a) the cybersecurity risk assessment methodologies pursuant to Article 18(1);
(b) the comprehensive cross-border electricity cybersecurity risk assessment report pursuant to Article 23;
(c) the minimum and advanced cybersecurity controls pursuant to Article 29, the mapping of electricity cybersecurity controls against standards pursuant to Article 34, including minimum and advanced cybersecurity controls in the supply chain in accordance with Article 33;
(d) a cybersecurity procurement recommendation pursuant to Article 35;
(e) the cyber-attacks classification scale methodology pursuant to Article 37(8).
Article 7
Voting rules in the TSOs
Where TSOs deciding on proposals for terms and conditions or methodologies are not able to reach an agreement, they shall decide by qualified majority voting. A qualified majority for such proposals shall be calculated as follows:
(a) TSOs representing at least 55 % of the Member States; and
(b) TSOs representing Member States comprising at least 65 % of the population of the Union.
Where TSOs of a system operation region deciding on proposals for plans listed in Article 6(2) are not able to reach an agreement, and where the system operation region concerned is composed of more than five Member States, TSOs shall decide by qualified majority voting. A qualified majority for proposals listed in Article 6(2) shall require the following majority:
(a) TSOs representing at least 72 % of the Member States concerned; and
(b) TSOs representing Member States comprising at least 65 % of the population of the concerned area.
Article 8
Submission of proposals to the competent authorities
Article 9
Consultation
Article 10
Stakeholder involvement
ACER, in close cooperation with ENTSO for Electricity and the EU DSO entity, shall organise stakeholder involvement, including regular meetings with stakeholders to identify problems and propose improvements related to the implementation of this Regulation.
Article 11
Recovery of costs
Article 12
Monitoring
ACER shall publish a report at least every three years after the entry into force of this Regulation to:
(a) review the status of implementation of the applicable cybersecurity risk management measures with regard to the high-impact and critical-impact entities;
(b) identify whether additional rules on common requirements, planning, monitoring, reporting and crisis management may be necessary to prevent risks for the electricity sector; and
(c) identify areas of improvement for the revision of this Regulation, or determine uncovered areas and new priorities that may emerge due to technological developments.
Article 13
Benchmarking
Within 12 months after the establishment of the benchmarking guide pursuant to paragraph 1, the NRAs shall carry out a benchmarking analysis to assess whether current investments in cybersecurity:
(a) mitigate risks having an impact on cross-border electricity flows;
(b) provide the desired results and engender efficiency gains for the development of the electricity systems;
(c) are efficient and integrated into the overall procurement of assets and services.
For the benchmarking analysis, the NRAs may take into account the non-binding cybersecurity benchmarking guide established by ACER, and shall assess in particular:
(a) the average expenditure related to cybersecurity for mitigating risks having an impact on electricity cross-border flows, especially with respect to the high-impact and critical-impact entities;
(b) in cooperation with the ENTSO for Electricity and the EU DSO entity, the average prices of cybersecurity services, systems and products that contribute to a large extent to the enhancement and maintenance of the cybersecurity risk-management measures in the different system operation regions;
(c) the existence and level of comparability of costs and functions of cybersecurity services, systems and solutions suitable for the implementation of this Regulation, identifying possible measures necessary to foster efficiency in spending, particularly where cybersecurity technological investments may be needed.
Article 14
Agreements with TSOs from outside the Union
Article 15
Legal representatives
Article 16
Cooperation between the ENTSO for Electricity and the EU DSO Entity
The ENTSO for Electricity and the EU DSO entity shall cooperate in performing cybersecurity risk assessments pursuant to Article 19 and Article 21, and in particular the following tasks:
(a) development of the cybersecurity risk assessment methodologies pursuant to Article 18(1);
(b) development of the comprehensive cross-border electricity cybersecurity risk assessment report pursuant to Article 23;
(c) development of the common electricity cybersecurity framework pursuant to Chapter III;
(d) development of the cybersecurity procurement recommendation pursuant to Article 35;
(e) development of the cyber-attacks classification scale methodology pursuant to Article 37(8);
(f) development of the provisional electricity cybersecurity impact index (‘ECII’) pursuant to Article 48(1) point (a);
(g) development of the consolidated provisional list of high-impact and critical-impact entities pursuant to Article 48(3);
(h) development of the provisional list of Union-wide high-impact and critical-impact processes pursuant to Article 48(4);
(i) development of the provisional list of European and international standards and controls pursuant to Article 48(6);
(j) performance of the Union-wide cybersecurity risk assessment pursuant to Article 19;
(k) performance of the regional cybersecurity risk assessments pursuant to Article 21;
(l) definition of the regional cybersecurity risk mitigation plans pursuant to Article 22;