1.   This Regulation applies to cybersecurity aspects of cross-border electricity flows in the activities of the following entities, if they are identified as high-impact or critical-impact entities in accordance with Article 24:

2.   The following authorities are, as part of their current mandates, responsible to perform tasks assigned in this Regulation:

3.   This Regulation shall also apply to all entities who are not established in the Union but who deliver services to entities in the Union, provided they have been identified as high or critical-impact entities by the competent authorities in accordance with Article 24(2).

4.   This Regulation is without prejudice to the Member States’ responsibility for safeguarding national security and their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.

5.   This Regulation is without prejudice to the Member States’ responsibility for safeguarding national security with respect to activities in the production of electricity from nuclear powers plants, including activities within the nuclear value chain, in accordance with the Treaties.

6.   Entities, the competent authorities, the single points of contact at entity level and the CSIRTs shall process personal data to the extent necessary for the purposes of this Regulation and in accordance with Regulation (EU) 2016/679, in particular such processing shall rely on Article 6 thereof.

1.   As soon as possible and in any event by 13 December 2024, each Member State shall designate a national governmental or regulatory authority responsible for carrying out the tasks assigned to it in this Regulation (‘competent authority’). Until the competent authority has been assigned with carrying out the tasks under this Regulation, the regulatory authority designated by each Member State pursuant to Article 57(1) of Directive (EU) 2019/944 shall carry out the tasks of the competent authority in accordance with this Regulation.

2.   Member States shall, without delay, notify the Commission, ACER, ENISA, the NIS Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555 and the Electricity Coordination Group set up under Article 1 of Commission Decision of 15 November 2012 (17) and communicate to them the name and the contact details of their competent authority designated pursuant to paragraph 1 of this article and any subsequent changes thereto.

3.   Member States may allow their competent authority to delegate tasks assigned to it in this Regulation to other national authorities with the exception of the tasks listed in Article 5. Each competent authority shall monitor the application of this Regulation by the authorities to whom it has delegated tasks. The competent authority shall communicate the name, contact details, assigned tasks and any subsequent changes thereto of the authorities to whom a task has been delegated to the Commission, to ACER, to the Electricity Coordination Group, to ENISA and to the NIS Cooperation Group.

1.   TSOs shall develop, in cooperation with the EU DSO entity, proposals for the terms and conditions or methodologies pursuant to paragraph 2, or for plans pursuant to paragraph 3.

2.   The following terms and conditions or methodologies and any amendments thereof shall be subject to approval by all competent authorities:

3.   The proposals for the regional cybersecurity risk mitigation plans pursuant to Article 22 shall be subject to approval by all competent authorities of the concerned system operation region.

4.   The proposals for terms and conditions, methodologies listed in paragraph 2, or for plans listed in paragraph 3, shall include a proposed timescale for their implementation and a description of their expected impact on the objectives of this Regulation.

5.   The EU DSO entity may provide a reasoned opinion to the concerned TSOs until 3 weeks before the deadline to submit the proposal for terms and conditions or methodologies or plans to the competent authorities. TSOs responsible for the proposal for terms and conditions or methodologies or plans shall take into consideration the reasoned opinion of the EU DSO entity prior to its submission for competent authorities’ approval. TSOs shall provide reasoning where the EU DSO entity opinion is not taken into account.

6.   When jointly developing terms, conditions and methodologies and plans, the participating TSOs shall closely cooperate. TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity, shall regularly inform competent authorities and ACER about the progress of developing the terms and conditions or methodologies, or plans.

1.   Where TSOs deciding on proposals for terms and conditions or methodologies are not able to reach an agreement, they shall decide by qualified majority voting. A qualified majority for such proposals shall be calculated as follows:

2.   A blocking minority for decisions on proposals for terms and conditions or methodologies listed in Article 6(2) shall include TSOs representing at least four Member States, failing of which the qualified majority shall be deemed attained.

3.   Where TSOs of a system operation region deciding on proposals for plans listed in Article 6(2) are not able to reach an agreement, and where the system operation region concerned is composed of more than five Member States, TSOs shall decide by qualified majority voting. A qualified majority for proposals listed in Article 6(2) shall require the following majority:

4.   A blocking minority for decisions on proposals for the plans shall include at least a minimum number of TSOs representing more than 35 % of the population of the participating Member States, plus TSOs representing at least one additional Member State concerned, failing of which the qualified majority shall be deemed attained.

5.   For TSO decisions on proposals for terms and conditions or methodologies pursuant to Article 6(2), one vote shall be attributed per Member State. If there is more than one TSO in the territory of a Member State, the Member State shall allocate the voting powers among the TSOs.

6.   If TSOs, in cooperation with the EU DSO entity, fail to submit an initial or amended proposal for terms and conditions or methodologies, or for plans, to the relevant competent authorities within the deadlines set out in this Regulation, they shall provide the relevant competent authorities and ACER with the relevant drafts of the terms and conditions or methodologies, or of the plans. They shall explain what has prevented an agreement. The competent authorities shall jointly take the appropriate steps for the adoption of the required terms and conditions or methodologies, or of the required plans. This may be done for instance by requesting amendments to the drafts pursuant to this paragraph, by revising and completing those drafts, or, where no drafts have been provided, by defining and approving the required terms and conditions or methodologies or plans.

1.   TSOs shall submit the proposals for terms and conditions or methodologies, or for plans for approval to the relevant competent authorities within the respective deadlines set out in Articles 18, 23, 29, 33, 34, 35 and 37. The competent authorities may jointly prolong these deadlines in exceptional circumstances, notably in cases where a deadline cannot be met due to circumstances external to the sphere of TSOs or of the EU DSO entity.

2.   Proposals for terms and conditions, methodologies or for plans pursuant to paragraph 1, shall be submitted for information to ACER at the same time that they are submitted to the competent authorities.

3.   Upon a joint request of the NRAs, ACER shall issue an opinion on the proposal for terms and conditions or methodologies, or for the plans, within six months of the receipt of the proposals for terms and conditions or methodologies, or for plans and notify NRAs and competent authorities of the opinion. NRAs, CS-NCAs and any other authorities designated as competent authorities shall coordinate with each other before the NRAs requests an opinion to ACER. ACER may include recommendations in such opinion. ACER shall consult ENISA before issuing an opinion on the proposals listed in Article 6(2).

4.   The competent authorities shall consult and closely cooperate and coordinate with each other in order to reach an agreement on the proposed terms and conditions, methodologies, or plans. Before approving the terms and conditions or methodologies, or the plans, they shall revise and complete the proposals where necessary, after consulting the ENTSO for Electricity and the EU DSO entity, in order to ensure that the proposals are in line with this Regulation and contribute to a high common level of cybersecurity across the Union.

5.   The competent authorities shall decide on the terms and conditions or methodologies or on the plans within six months following the receipt of the terms and conditions or methodologies or of the plans by the relevant competent authority or, where applicable, by the last relevant competent authority concerned.

6.   Where ACER issues an opinion, the relevant competent authorities shall take that opinion into account and shall take their decisions within six months from the receipt of ACER’s opinion.

7.   Where the competent authorities jointly require an amendment to the proposed terms and conditions or methodologies, or the plans, in order to approve them, the TSOs shall develop, in cooperation with the EU DSO entity, a proposal for such amendment to the terms and conditions or methodologies, or the plans. The TSOs shall submit the amended proposal for approval within two months following the request of the competent authorities. The competent authorities shall decide on the amended terms and conditions or methodologies, or plans, within two months following their submission.

8.   Where the competent authorities have not been able to reach an agreement within the period referred to in paragraph 5 or 7, they shall inform the Commission. The Commission may take appropriate steps to make possible the adoption of the required terms and conditions or methodologies, or plans.

9.   TSOs, with the assistance of the ENTSO for Electricity, and the EU DSO entity shall publish the terms and conditions or methodologies, or the plans, on their websites following approval by the relevant competent authorities, except where such information is considered as confidential in accordance with Article 47.

10.   The competent authorities may jointly request proposals for amendments of the approved terms and conditions or methodologies, or of the approved plans, from TSOs and the EU DSO entity and determine a deadline for the submission of those proposals. TSOs, in cooperation with the EU DSO entity, may propose amendments to the competent authorities also on its own initiative. The proposals for amendment to the terms and conditions or methodologies, or for the amendments to the plans, shall be developed and approved in accordance with the procedure set out in this Article.

11.   At least every three years after the first adoption of the respective terms and conditions or methodologies, or the respective adopted plans, TSOs in cooperation with the EU DSO entity, shall review the effectiveness of the adopted terms and conditions or methodologies, or the adopted plans, and shall report the findings of the review to the competent authorities and ACER without undue delay.

1.   TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity shall consult stakeholders, including ACER, ENISA and the competent authority of each Member State, on the draft proposals for terms and conditions or methodologies listed in Article 6(2) and for plans referred to in Article 6(3). The consultation shall last for a period of not less than one month.

2.   The proposals for terms and conditions or methodologies listed in Article 6(2) submitted by the TSOs, in cooperation with the EU DSO entity, shall be published and submitted to consultation at Union level. The proposals for plans listed in Article 6(3) submitted by the relevant TSOs, in cooperation with the EU DSO entity, at regional level shall be submitted to consultation at least at regional level.

3.   TSOs, with the assistance of the ENTSO for Electricity, and the EU DSO Entity responsible for the proposal for terms and conditions or methodologies or plans shall duly take into account the views of stakeholders resulting from the consultations undertaken in accordance with paragraph 1, prior to its submission for regulatory approval. In all cases, a sound justification for including or not including the views resulting from the consultation shall be provided together with the submission and published in a timely manner before or simultaneously with the proposal for terms and conditions or methodologies.

1.   The costs borne by TSOs and DSOs subject to network tariff regulation and stemming from the obligations laid down in this Regulation, including the costs borne by the ENTSO for Electricity and the EU DSO entity, shall be assessed by the relevant NRA of each Member State.

2.   Costs assessed as reasonable, efficient and proportionate shall be recovered through network tariffs or other appropriate mechanisms, as determined by the relevant NRA.

3.   If requested by the relevant NRAs, TSOs and DSOs referred to in paragraph 1 shall, within a reasonable period determined by the NRA, provide the information necessary to facilitate the assessment of the costs incurred.

1.   ACER shall monitor the implementation of this Regulation in accordance with Article 32(1) of Regulation (EU) 2019/943 and Article 4(2) of Regulation (EU) 2019/942. In carrying out this monitoring, ACER may cooperate with ENISA and request support from the ENTSO for Electricity and the EU DSO entity. ACER shall regularly inform the Electricity Coordination Group and the NIS Cooperation Group on the implementation of this Regulation.

2.   ACER shall publish a report at least every three years after the entry into force of this Regulation to:

3.   By 13 June 2025, ACER, in cooperation with ENISA and after consultation of the ENTSO for Electricity and the EU DSO entity, may issue guidance on the relevant information to be communicated to ACER for the monitoring purposes as well as the process and frequency for the collection, based on the performance indicators defined in accordance with paragraph 5.

4.   The competent authorities may have access to the relevant information held by ACER, which it has collected in accordance with this Article.

5.   ACER in cooperation with ENISA and with the support of the ENTSO for Electricity and the EU DSO entity, shall issue non-binding performance indicators for the assessment of operational reliability that are related to cybersecurity aspects of cross-border electricity flows.

6.   The entities listed in Article 2(1) of this Regulation shall submit to ACER the information required for ACER to perform the tasks listed in paragraph 2.

1.   By 13 June 2025, ACER, in cooperation with ENISA, shall establish a non-binding cybersecurity benchmarking guide. The guide shall explain to NRAs the principles of benchmarking of the implemented cybersecurity controls pursuant to paragraph 2 of this Article, taking into consideration the costs of implementing the controls and the effectiveness of the function played by processes, products, services, systems and solutions used to implement such controls. ACER shall take into account existing benchmarking reports when establishing the non-binding cybersecurity benchmarking guide. ACER shall submit the non-binding cybersecurity benchmarking guide to the NRAs for information.

2.   Within 12 months after the establishment of the benchmarking guide pursuant to paragraph 1, the NRAs shall carry out a benchmarking analysis to assess whether current investments in cybersecurity:

3.   For the benchmarking analysis, the NRAs may take into account the non-binding cybersecurity benchmarking guide established by ACER, and shall assess in particular:

4.   Any information related to benchmarking analysis shall be handled and processed pursuant to data classification requirements of this Regulation, the minimum cybersecurity controls and the cross-border electricity cybersecurity risk assessment report. The benchmarking analysis referred to in paragraphs 2 and 3 shall not be made public.

5.   Without prejudice to the confidentiality requirements in Article 47 and to the need to protect the security of entities subject to the provisions of this Regulation, the benchmarking analysis referred in paragraphs 2 and 3 of this Article shall be shared with all NRAs, all competent authorities, ACER, ENISA and the Commission.

1.   Within 18 months after the entry into force of this Regulation, TSOs of a system operation region that is neighbouring to a third country shall endeavour to conclude agreements with TSOs of the neighbouring third country that are in accordance with relevant Union law and that set out the basis for cooperation on cybersecurity protection and the cybersecurity cooperation arrangements with those TSOs.

2.   TSOs shall inform the competent authority of the agreements concluded pursuant to paragraph 1.

1.   Entities who do not have an establishment in the Union, but who deliver services to entities in the Union and have been notified as being high-impact or critical-impact entities in accordance with Article 24(6), shall, within three months after the notification, designate, in writing, a representative in the Union and inform the notifying competent authority accordingly.

2.   This representative shall be mandated for the purpose of being addressed by any competent authority or a CSIRT in the Union in addition to or instead of the high-impact or critical-impact entity with regard to the obligations of the entity under this Regulation. The high-impact or critical-impact entity shall provide their legal representative with the necessary powers and sufficient resources to guarantee their efficient and timely cooperation with the relevant competent authorities or CSIRTs.

3.   The representative shall be established in one of the Member States where the entity offers its services. The entity shall be deemed to be under the jurisdiction of the Member State where the representative is established. High-impact or critical-impact entities shall notify the name, postal address, email address and telephone number of their legal representative to the competent authority in the Member State where that legal representative resides or is established.

4.   It shall be possible for the designated legal representative to be held liable for non-compliance with obligations under this Regulation, without prejudice to the liability and legal actions that could be initiated against the high-impact or critical-impact entity itself.

5.   In the absence of a representative within the Union designated under this Article, any Member State in which the entity provides services may take legal action against the entity for non-compliance with the obligations under this Regulation.

6.   The designation of a legal representative within the Union pursuant to paragraph 1 shall not constitute an establishment in the Union.

1.   The ENTSO for Electricity and the EU DSO entity shall cooperate in performing cybersecurity risk assessments pursuant to Article 19 and Article 21, and in particular the following tasks:

2.   The cooperation between the ENTSO for Electricity and the EU DSO entity may take the form of a cybersecurity risk working group.

3.   The ENTSO for Electricity and the EU DSO entity shall regularly inform ACER, ENISA, the NIS Cooperation Group and the Electricity Coordination Group on the progress in implementing the Union-wide and regional cybersecurity risk assessments pursuant to Article 19 and Article 21.

1.   By 13 March 2025, the TSOs, with the assistance of the ENTSO for Electricity, in cooperation with the EU DSO entity and following a consultation with the NIS Cooperation Group, shall submit a proposal for the cybersecurity risk assessment methodologies at Union level, at regional level and at Member State level.

2.   The cybersecurity risk assessment methodologies at Union level, at regional level and at Member State level shall include:

3.   The cybersecurity risk assessment methodologies at Union level, at regional level and at Member State level shall assess cybersecurity risks using the same risk impact matrix. The risk impact matrix shall:

4.   The cybersecurity risk assessment methodologies at Union level shall describe how the ECII values for high-impact and critical-impact thresholds will be defined. The ECII shall enable entities to estimate with the help of the criteria referred to in paragraph 2 point (b), the impact of the risks on their business process during the business impact assessments they perform pursuant to Article 26(4) point (c)(i).

5.   The ENTSO for Electricity, in coordination with the EU DSO entity, shall inform the Electricity Coordination Group on the proposals for the cybersecurity risk assessment methodologies that are developed pursuant to paragraph 1.

1.   Within 9 months after the approval of the cybersecurity risk assessment methodologies pursuant to Article 8 and every three years thereafter, the ENTSO for Electricity, in cooperation with the EU DSO entity and in consultation with the NIS Cooperation Group, shall, without prejudice to Article 22 of Directive (EU) 2022/2555, perform a Union-wide cybersecurity risk assessment and draw up a draft Union-wide cybersecurity risk assessment report. For this purpose, they will use the methodologies developed pursuant to Article 18, and approved pursuant to Article 8, to identify, analyse, and evaluate the possible consequences of cyber-attacks affecting the operational security of the electricity system and disrupting cross-border electricity flows. The Union-wide cybersecurity risk assessment shall not consider the legal, financial or reputational damage of cyber-attacks.

2.   The Union-wide cybersecurity risk assessment report shall include the following elements:

3.   With respect to the Union-wide high-impact processes and the Union-wide critical-impact processes, the Union-wide cybersecurity risk assessment report shall include:

4.   The ENTSO for Electricity, in cooperation with the EU DSO entity, shall submit the draft of the Union-wide cybersecurity risk assessment report with the results of the Union-wide cybersecurity risk assessment to ACER for opinion. ACER shall issue an opinion on the draft report within three months after its receipt. The ENTSO for Electricity and the EU DSO entity shall take utmost account of ACER’s opinion when finalising that report.

5.   Within three months after receipt of ACER’s opinion, the ENTSO for Electricity, in cooperation with the EU DSO entity shall notify the final Union-wide cybersecurity risk assessment report to ACER, the Commission, ENISA and the competent authorities.

1.   Each competent authority shall perform a Member State cybersecurity risk assessment on all high-impact and critical-impact entities in its Member State using the methodologies developed pursuant to Article 18 and approved pursuant to Article 8. The Member State cybersecurity risk assessment shall identify and analyse the risks of cyber-attacks affecting the operational security of the electricity system disrupting cross-border electricity flows. The Member State cybersecurity risk assessment shall not consider the legal, financial or reputational damage of cyber-attacks.

2.   Within 21 months after the notification of the high-and critical-impact entities pursuant to Article 24(6) and every three years after that date, and after consulting the CS-NCA responsible for electricity, each competent authority, supported by the CSIRT, shall provide a Member State cybersecurity risk assessment report to the ENTSO for Electricity and the EU DSO entity, containing the following information for each high-impact and critical-impact business process:

3.   The Member State cybersecurity risk assessment report shall take into account the Member State’s risk preparedness plan established pursuant to Article 10 of Regulation (EU) 2019/941.

4.   The information contained in the Member State cybersecurity risk assessment report pursuant to paragraph 2 points (a) to (d) shall not be linked to specific entities or assets. The Member State cybersecurity risk assessment report shall also include a risk assessment of the temporary derogations issued by the competent authorities in the Member States pursuant to Article 30.

5.   The ENTSO for Electricity and the EU DSO entity may request additional information from the competent authorities in relation to the tasks specified in subparagraph 2 points (a) and (c).

6.   The competent authorities shall ensure that the information they provide is accurate and correct.

1.   The ENTSO for Electricity, in cooperation with the EU DSO entity and in consultation with the relevant Regional Coordination Centre, shall perform a regional cybersecurity risk assessment for each system operation region using the methodologies developed pursuant to Article 19, and approved pursuant to Article 8, to identify, analyse, and evaluate the risks of cyber-attacks affecting the operational security of the electricity system and disrupting cross-border electricity flows. The regional cybersecurity risk assessments shall not consider the legal, financial or reputational damage of cyber-attacks.

2.   Within 30 months after the notification of the high-impact and critical-impact entities pursuant to Article 24(6), and every three years after that, the ENTSO for Electricity, in cooperation with the EU DSO entity and in consultation with the NIS Cooperation Group, shall draw up a regional cybersecurity risk assessment report for each system operation region.

3.   The regional cybersecurity risk assessment report shall take into account the relevant information contained in the Union-wide cybersecurity risk assessment reports and in the Member State cybersecurity risk assessments reports.

4.   The regional cybersecurity risk assessment shall consider the regional electricity crisis scenarios related to cybersecurity identified pursuant to Article 6 of the Regulation (EU) 2019/941.

1.   Within 36 months after the notification of the high-and critical-impact entities pursuant to Article 24(6) and no later than 13 June 2031, and every three years after that date, the TSOs, with the assistance of the ENTSO for Electricity, in cooperation with the EU DSO entity and in consultation with the Regional Coordination Centres and the NIS Cooperation Group, shall develop a regional cybersecurity risk mitigation plan for each system operation region.

2.   The regional cybersecurity risk mitigation plans shall include:

3.   The ENTSO for Electricity shall submit the regional risk mitigation plans to the relevant transmission system operators, to the competent authorities, and to the Electricity Coordination Group. The Electricity Coordination Group may recommend amendments.

4.   The TSOs, with the assistance of the ENTSO for Electricity in cooperation with the EU DSO entity and in consultation with the NIS Cooperation Group shall update the regional risk mitigation plans every three years, unless circumstances warrant more frequent updates.

1.   Within 40 months after the notification of the high-and critical-impact entities pursuant to Article 24(6) and every three years thereafter, TSOs, with the assistance of the ENTSO for Electricity, in cooperation with the EU DSO entity and in consultation with the NIS Cooperation Group, shall provide to the Electricity Coordination Group a report on the outcome of the assessment of cybersecurity risks with regard to cross-border electricity flows (the ‘comprehensive cross-border electricity cybersecurity risk assessment report’).

2.   The comprehensive cross-border electricity cybersecurity risk assessment report shall be based on the Union-wide cybersecurity risk assessment report, on the Member State cybersecurity risk assessment reports and on the regional cybersecurity risk assessment reports and include the following information:

3.   The entities listed in Article 2(1) may contribute to the development of the comprehensive cross-border electricity cybersecurity risk assessment report, respecting the confidentiality of information in accordance with Article 47. The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity, shall consult these entities from an early stage.

4.   The comprehensive cross-border electricity cybersecurity risk assessment report shall be subject to the rules on protection of exchange of information pursuant to Article 46. Without prejudice to Article 10(4) and Article 47(4), the ENTSO for Electricity and the EU DSO entity shall release a public version of that report which shall not contain information that can cause damage to entities listed in Article 2(1). The public version of this report shall only be released with the agreement of the NIS Cooperation Group and the Electricity Coordination Group. The ENTSO for Electricity in coordination with the EU DSO entity shall be responsible for the compilation and the release of the public version of the report.

1.   Each competent authority shall identify, by using the ECII and high-impact and critical-impact thresholds included in the Union-wide cybersecurity risk assessment report pursuant to Article 19(3), point (b), the high-impact and critical-impact entities in its Member State that are involved in the Union-wide high-impact and critical-impact processes. The competent authorities can request information from an entity in their Member State to determine the ECII values for that entity. If the determined ECII of an entity is above the high-impact or critical-impact threshold, the identified entity shall be listed in the Member State cybersecurity risk assessment report referred to in Article 20(2).

2.   Each competent authority shall identify, by using the ECII and high-impact and critical-impact thresholds included in the Union-wide cybersecurity risk assessment report pursuant to Article 19(3), point (b), the high-impact and critical-impact entities not established in the Union in so far they are active within the Union. The competent authority may request information from an entity not established in the Union to determine the ECII values for the entity.

3.   Each competent authority may identify additional entities in its Member State as high-impact or critical-impact entities if the following criteria are met:

4.   If a competent authority identifies additional entities in accordance with paragraph 3, all processes at these entities for which the ECII aggregated over the group are above the high-impact threshold shall be considered high-impact processes, and all processes at these entities for which the ECII aggregated over the group are above the critical-impact thresholds shall be considered critical-impact processes.

5.   If a competent authority identifies entities referred to in paragraph 3 point (a) in more than one Member State, it shall inform the other competent authorities, the ENTSO for Electricity and the EU DSO entity. The ENTSO for Electricity in cooperation with the EU DSO entity, based on the information received from all competent authorities, shall provide to the competent authorities an analysis of the aggregation of entities in more than one Member State that can create a distributed disturbance to the cross-border electricity flows, and can result in a cyber-attack. Where a group of entities in several Member States is identified as an aggregation whose ECII is above the high-impact or critical-impact threshold, all concerned competent authorities shall identify the entities in such group as high-impact or critical-impact entities for their respective Member State, based on the aggregated ECII for the group of the entities, and the identified entities shall be listed in the Union-wide cybersecurity risk assessment report.

6.   Each competent authority shall, within nine months after being notified by ENTSO for Electricity and EU DSO entity of the Union-wide cybersecurity risk assessment report pursuant to Article 19(5) and in any case no later than 13 June 2028, notify to the entities on the list that they have been identified as a high-impact or critical-impact entity in its Member State.

7.   When a service provider is reported to a competent authority as being a critical ICT service provider pursuant to Article 27 point (c), that competent authority shall notify it to the competent authorities of the Member States in whose territories the seat or representative is situated. The latter competent authority shall notify the service provider that it has been identified as being a critical service provider.

1.   The competent authorities may establish a national verification scheme to verify that critical-impact entities identified pursuant to Article 24(1) have implemented the national legislative framework that is included in the mapping matrix referred to in Article 34. The national verification scheme may be based on an inspection carried out by the competent authority, independent security audits, or on mutual peer reviews by critical-impact entities in the same Member State supervised by the competent authority.

2.   If a competent authority decides to establish a national verification scheme, that competent authority shall ensure that the verification is performed in accordance with the following requirements:

3.   If a competent authority decides to establish a national verification scheme, it shall report to ACER on an annual basis how frequently it has carried out inspections under that scheme.

1.   Each high-impact and critical-impact entity as identified by the competent authorities pursuant to Article 24(1) shall perform cybersecurity risk management for all its assets in its high-impact and critical-impact perimeters. Each high-impact and critical-impact entity shall perform risk management containing the phases in paragraph 2 every three years.

2.   Each high-impact and critical-impact entity shall base its cybersecurity risk management on an approach that aims to protect their network and information systems and that comprises the following phases:

3.   During the context establishment phase, each high-impact and critical-impact entity shall:

4.   During the cybersecurity risk assessment phase, each high-impact and critical-impact entity shall:

5.   During the cybersecurity risk treatment phase, each high-impact and critical-impact entity shall establish an entity-level risk mitigation plan by selecting risk treatment options appropriate to manage the risks and identify the residual risks.

6.   During the cybersecurity risk acceptance phase, each high-impact and critical-impact entity shall decide whether to accept the residual risk based on the risk acceptance criteria established in paragraph 3 point (b).

7.   Each high-impact and critical-impact entity shall register the assets identified in paragraph 1 in an asset inventory. That asset inventory shall not be part of the risk assessment report.

8.   The competent authority may inspect the assets in the inventory during inspections.

1.   The common electricity cybersecurity framework shall be composed of the following controls and cybersecurity management system:

2.   All high-impact entities shall apply the minimum cybersecurity controls pursuant to paragraph 1 point (a) within their high-impact perimeter.

3.   All critical-impact entities shall apply the advanced cybersecurity controls pursuant to paragraph 1 point (b) within their critical-impact perimeter.

4.   Within 7 months after submitting the first draft Union-wide cybersecurity risk assessment report pursuant to Article 19(4), the common electricity cybersecurity framework referred to in paragraph 1 shall be supplemented by the minimum and advanced cybersecurity controls in the supply chain developed pursuant to Article 33.

1.   Within 7 months after submitting the first draft Union-wide cybersecurity risk assessment report pursuant to Article 19(4), the TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO Entity, shall develop a proposal for minimum and advanced cybersecurity controls.

2.   Within 6 months after drawing up each regional cybersecurity risk assessment report pursuant to Article 21(2) the TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO Entity, shall propose an amendment to the competent authority for the minimum and advanced cybersecurity controls. The proposal will be done in accordance with Article 8(10) and will take into account the risks identified in the regional risk assessment.

3.   The minimum and advanced cybersecurity controls shall be verifiable by taking part in a national verification scheme in accordance with the procedure set out in Article 31 or by undergoing independent third-party security audits performed according to the requirements listed in Article 25(2).

4.   The initial minimum and advanced cybersecurity controls developed pursuant to paragraph (1) shall be based on the risks that are identified in the Union-wide cybersecurity risk assessment report referred to in Article 19(5). The amended minimum and advanced cybersecurity controls developed pursuant to paragraph (2) shall be based on the regional cybersecurity risk assessment report referred to in Article 21(2).

5.   The minimum cybersecurity controls shall include controls to protect the information exchanged pursuant to Article 46.

6.   Within 12 months after the approval of the minimum and advanced cybersecurity controls pursuant to Article 8(5), or after each update pursuant to Article 8(10), the entities listed in Article 2(1) and identified as critical-impact and high-impact entities pursuant to Article 24 shall, during the establishment of the entity-level risk mitigation plan pursuant to Article 26(5), apply the minimum cybersecurity controls within the high-impact perimeter and advanced cybersecurity controls within the critical-impact perimeter.

1.   The entities listed in Article 2(1) may request the respective competent authority to grant a derogation from their obligation to apply the minimum and advanced cybersecurity controls referred to in Article 29(6). The competent authority may grant such a derogation on one of the following grounds:

2.   Within three months from the receipt of the request referred to in paragraph 1, each competent authority shall decide whether a derogation from the minimum and advanced cybersecurity controls is to be granted. Derogations from the minimum or advanced cybersecurity controls shall be granted for a maximum of three years, with the possibility of renewal.

3.   Aggregated and anonymised information for the derogations granted shall be included as an annex to the comprehensive cross-border electricity cybersecurity risk assessment report referred to in Article 23. The ENTSO for Electricity and the EU DSO entity shall jointly update the list, where necessary.

1.   No later than 24 months after the adoption of the controls referred to in points (a), (b) and (c) of Article 28(1) and the establishment of the cybersecurity management system referred to in point (d) of that Article, each critical-impact entity identified in accordance with Article 24(1) shall be able to demonstrate its compliance with the cybersecurity management system and the minimum or advanced cybersecurity controls at the request of the competent authority.

2.   Each critical-impact entity shall fulfil the obligation referred to in paragraph 1 by undergoing independent third-party security audits in accordance with the requirements listed in Article 25(2) or by taking part in a national verification scheme in accordance with Article 25(1).

3.   The verification that a critical-impact entity complies with the cybersecurity management system and the minimum or advanced cybersecurity controls shall cover all assets within the critical-impact perimeter of the critical-impact entity.

4.   The verification that a critical-impact entity complies with the cybersecurity management system and the minimum or advanced cybersecurity controls shall be regularly repeated at the latest 36 months after the end of the first verification, and every 3 years thereafter.

5.   Each critical-impact entity defined in accordance with Article 24 shall demonstrate its compliance with the controls referred to in points (a), (b) and (c) of Article 28(1) and the establishment of the cybersecurity management system referred to in point (d) of that Article by reporting on the outcome of the compliance verification to the competent authority.

1.   Within 24 months after being notified by the competent authority that they have been identified as a high-impact or critical-impact entity in accordance with Article 24(6), each high-impact and critical-impact entity shall establish a cybersecurity management system, and review it every three years thereafter, to:

2.   The scope of the cybersecurity management system shall include all assets within the high-impact and critical-impact perimeter of the high-impact and critical-impact entity.

3.   The competent authorities shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or international standards and specifications related to management systems and relevant to the security of network and information systems.

1.   Within 7 months after submitting the first draft Union-wide cybersecurity risk assessment report pursuant to Article 19(4), the TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity, shall develop a proposal for minimum and advanced cybersecurity controls in the supply chain that mitigate the supply chain risks identified in the Union-wide cybersecurity risk assessments, supplementing the minimum and advanced cybersecurity controls developed pursuant to Article 29. The minimum and advanced cybersecurity controls in the supply chain shall be developed together with the minimum and advanced cybersecurity controls pursuant to Article 29. The minimum and advanced cybersecurity controls in the supply chain shall cover the entire lifecycle of all ICT products, ICT services and ICT processes inside the high-impact or critical-impact perimeters of a high-impact or critical-impact entity. The NIS Cooperation Group shall be consulted when developing the proposal for minimum and advanced cybersecurity controls in the supply chain.

2.   The minimum cybersecurity controls in the supply chain shall consist of controls for high-impact and critical-impact entities that:

3.   For the cybersecurity specifications in the cybersecurity procurement recommendation referred to in paragraph 2, point (a), high-impact or critical-impact entities shall use the principles of procurement pursuant to Directive 2014/24/EU of the European Parliament and of the Council (19), in accordance with Article 35(4), or define their own specifications based on the results of the cybersecurity risk assessment at entity level.

4.   The advanced cybersecurity controls in the supply chain shall include controls for critical-impact entities to verify, during procurement, that ICT products, ICT services and ICT processes that will be used as critical-impact assets satisfy the cybersecurity specifications. The ICT product, ICT service or ICT process shall be verified either through a European cybersecurity certification scheme referred to in Article 31 or through verification activities selected and organised by the entity. The depth and coverage of the verification activities shall be sufficient to provide assurance that the ICT product, ICT service or ICT process can be used to mitigate the risks identified in the risk assessment at entity level. The critical-impact entity shall document the steps taken to reduce the risks identified.

5.   The minimum and advanced cybersecurity controls in the supply chain shall apply to the procurement of relevant ICT product, ICT services and ICT processes. The minimum and advanced cybersecurity controls of the supply chain will apply to procurement processes in the entities identified as critical-impact and high-impact entities pursuant to Article 24 that starts six months after the adoption or update of the minimum and advanced cybersecurity controls referred to in Article 29.

6.   Within 6 months after drawing up each regional cybersecurity risk assessment report pursuant to Article 21(2) the TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO Entity, shall propose an amendment to the competent authority for the minimum and advanced cybersecurity controls in the supply chain. The proposal will be done in accordance with Article 8(10) and will take into account the risks identified in the regional risk assessment.

1.   Within 7 months after submitting the first draft Union-wide cybersecurity risk assessment report pursuant to Article 19(4), the TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity and in consultation with ENISA, shall develop a proposal for a matrix to map the controls set out in Article 28(1), points (a) and (b) against selected European and international standards as well as relevant technical specifications (‘the mapping matrix’). The ENTSO for Electricity and the EU DSO entity shall document the equivalence of the different controls with the controls set out in Article 28(1), points (a) and (b).

2.   The competent authorities may provide to the ENTSO for Electricity and the EU DSO entity a mapping of the controls set out in Article 28(1), points (a) and (b) with a reference to the related national legislative or regulatory frameworks, including relevant national standards of Member States pursuant to Article 25 of Directive (EU) 2022/2555. If the competent authority of a Member State provides such a mapping, the ENTSO for Electricity and the EU DSO entity shall integrate this national mapping into the mapping-matrix.

3.   Within 6 months after drawing up each regional cybersecurity risk assessment report pursuant to Article 21(2), the TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO Entity and in consultation with ENISA, shall propose an amendment to the competent authority for mapping matrix. The proposal will be done in accordance with Article 8(10) and will take into account the risks identified in the regional risk assessment.

1.   The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity, shall develop, in a work programme to be established and updated each time a regional cybersecurity risk assessment report is adopted, sets of non-binding cybersecurity procurement recommendations that high-impact and critical-impact entities may use as a basis for the procurement of ICT products, ICT services and ICT processes in the high-impact and critical-impact perimeters. This work programme shall include the following:

2.   The ENTSO for Electricity, in cooperation with the EU DSO entity, shall, within 6 months after the adoption or update of the regional cybersecurity risk assessment report provide ACER with a summary of that work programme.

3.   The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity, shall endeavour to ensure that the non-binding cybersecurity procurement recommendations developed based on the relevant regional cybersecurity risk assessment are similar or comparable across system operation regions. The sets of cybersecurity procurement recommendations shall cover at least the specifications referred to in Article 33(2), point (a). Where possible, the specifications shall be selected from European and international standards.

4.   The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity, shall ensure that the sets of cybersecurity procurement recommendations:

1.   The non-binding cybersecurity procurement recommendations developed pursuant to Article 35 may include sector-specific guidance on the use of European cybersecurity certification schemes, whenever a suitable scheme is available for a type of ICT product, ICT service or ICT process used by critical-impact entities, without prejudice to the framework for the establishment of European cybersecurity certification schemes pursuant to Article 46 of Regulation (EU) 2019/881.

2.   The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity shall closely cooperate with ENISA in providing the sector-specific guidance included in non-binding cybersecurity procurement recommendations pursuant to paragraph 1.

1.   If a competent authority receives information related to a reportable cyber-attack, that competent authority:

2.   If a CSIRT becomes aware of an unpatched actively exploited vulnerability, it shall:

3.   If a competent authority becomes aware of an unpatched actively exploited vulnerability, that competent authority shall:

4.   If the competent authority becomes aware of an unpatched vulnerability, without evidence of yet being actively exploited, it shall without undue delay coordinate with the CSIRT for the purposes of coordinated vulnerability disclosure as laid down in Article 12(1) of Directive (EU) 2022/2555.

5.   If a CSIRT receives information related to cyber threats from one or several high-impact or critical-impact entities pursuant to Article 38(6), it shall disseminate that information or any other information of importance for preventing, detecting, responding to or mitigating the related risk to critical-impact and high-impact entities in its Member State and, where appropriate, to all concerned CSIRTs and to its national single point of contact without undue delay and no later than four hours after receiving information.

6.   If a competent authority becomes aware of information related to cyber threats from one or several high-impact or critical-impact entities, it shall forward this information to the CSIRT for the purpose of paragraph 5.

7.   The competent authorities may delegate in full or in part the responsibilities under paragraphs 3 and 4 concerning one or more high-impact or critical-impact entities that operate in more than one Member State to another competent authority in one of those Member States, following an agreement among the concerned competent authorities.

8.   The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity shall develop a cyber-attack classification scale methodology by 13 June 2025. The TSOs, with the assistance of the ENTSO for Electricity and the EU DSO entity may request the competent authorities to consult ENISA and their competent authorities responsible for cybersecurity for assistance in the development of such classification scale. The methodology shall provide the classification for the gravity of a cyber-attack according to five levels, the two highest levels being ‘high’ and ‘critical’. The classification shall be based on the assessment of the following parameters:

9.   By 13 June 2026, the ENTSO for Electricity, in collaboration with the EU DSO entity, shall perform a feasibility study to assess the possibility and the financial costs necessary to develop a common tool enabling all entities to share information with relevant national authorities.

10.   The feasibility study shall address the possibility for such a common tool to:

11.   The ENTSO for Electricity, in cooperation with the EU DSO entity, shall:

12.   The ENTSO for Electricity, in cooperation with the EU DSO entity may analyse and facilitate initiatives proposed by critical-impact and high-impact entities to evaluate and test such tools for information sharing.

1.   Each high-impact and critical-impact entity shall:

2.   ENISA may issue non-binding guidance on establishing such capabilities or subcontracting the service to MSSPs, as part of the task defined in Article 6(2) of Regulation (EU) 2019/881.

3.   Each critical-impact and high-impact entity shall share relevant information related to a reportable cyber-attack with its CSIRTs and its competent authority without undue delay and no later than four hours of becoming aware that the incident is reportable.

4.   Information related to a cyber-attack shall be considered reportable when the cyber-attack is assessed by the affected entity resulting in a criticality ranging from ‘high’ to ‘critical’ following the cyber-attack classification scale methodology pursuant to Article 37(8). The single point of contact at entity level designated pursuant to paragraph 1 point (c) shall communicate the incident classification.

5.   Where critical-impact and high-impact entities notify relevant information related to unpatched actively exploited vulnerabilities to a CSIRT, the latter may forward this information to its competent authority. In light of the level of sensitivity of the notified information, the CSIRT may withhold the information or delay its forwarding based on justified cybersecurity-related grounds.

6.   Each critical-impact and high-impact entity shall provide without undue delay to its CSIRTs any information related to a reportable cyber threat that may have a cross-border effect. Information related to a cyber threat shall be considered reportable when at least one of the following conditions is met:

7.   Each critical-impact entity and high-impact entity shall, when sharing information pursuant to this Article, specify the following:

8.   When a critical or high-impact entity notifies a significant incident pursuant to Article 23 of Directive (EU) 2022/2555 and the incident reporting under that Article contains relevant information as required under paragraph 3 of this Article, the reporting of the entity under Article 23(1) of that Directive shall constitute reporting of information under paragraph 3 of this Article.

9.   Each critical-impact and high-impact entity shall report to its competent authority or CSIRT by clearly identifying specific information that shall only be shared with the competent authority or CSIRT in cases where the information sharing could be source of a cyber-attack. Each critical-impact and high-impact entity shall have the right to provide a non-confidential version of the information to the competent CSIRT.

1.   Critical-impact and high-impact entities shall develop the necessary capabilities to handle detected cyber-attacks with the necessary support from the relevant competent authority, the ENTSO for Electricity and the EU DSO entity. The critical-impact and high-impact entities may be supported by the CSIRT designated in their respective Member State as part of the task assigned to the CSIRTs by Article 11(5), point (a) of Directive (EU) 2022/2555. Critical-impact and high-impact entities shall implement effective processes to identify, classify and respond to cyber-attacks that will or may affect cross-border electricity flows in order to minimise their impact.

2.   If a cyber-attack has an effect on cross-border electricity flows, the single points of contact at entity level of affected critical-impact and high-impact entities shall cooperate to share information among them, coordinated by the competent authority of the Member State in which the cyber-attack was first reported.

3.   Critical-impact and high-impact entities shall:

4.   The tasks referred to in paragraph 1 may be delegated by the Member States also to the Regional Coordination Centres in accordance with Article 37(2) of Regulation (EU) 2019/943.

1.   When the competent authority establishes that an electricity crisis is related to a cyber-attack which has an impact on more than one Member State, the competent authorities from the affected Member States, the CS-NCAs, the RP-NCA and the NIS cyber crisis management authorities from the affected Member States shall jointly create an ad hoc cross-border crisis coordination group.

2.   The ad hoc cross-border crisis coordination group shall:

3.   Where the cyber-attack qualifies or is expected to qualify as a large-scale cybersecurity incident, the ad hoc cross-border crisis coordination group shall immediately inform the national cyber crisis management authorities in accordance with Article 9(1) of Directive (EU) 2022/2555 in the Member States affected by the incident, as well as the Commission and the EU CyCLONe. In such situation, the ad hoc cross-border crisis coordination group shall support the EU CyCLONe concerning sectoral specificities.

4.   Critical-impact and high-impact entities shall develop and have at their disposal capabilities, internal guidelines, preparedness plans, and staff to take part in the detection and mitigation of cross-border crisis. The critical-impact or high-impact entity impacted by a simultaneous electricity crisis shall investigate the root cause of such crisis in cooperation with its competent authority to determine the extent to which the crisis is related to a cyber-attack.

5.   The tasks in paragraph 4 may be delegated by the Member States also to the Regional Coordination Centres in accordance with Article 37(2) of Regulation (EU) 2019/943.

1.   Within 24 months after the notification to ACER of the Union-wide risk assessment report, ACER shall in close cooperation with ENISA, the ENTSO for Electricity, the EU DSO entity, CS-NCAs, competent authorities, RP-NCAs, the NRAs and the NIS national cyber crisis management authorities, develop a Union-level cybersecurity crisis management and response plan for the electricity sector.

2.   Within 12 months after the development by ACER of the Union-level cybersecurity crisis management and response plan for the electricity sector pursuant to paragraph 1, each competent authority shall develop a national cybersecurity crisis management and response plan for cross-border electricity flows taking into account the Union-level cybersecurity crisis management plan and the national risk preparedness plan established in accordance with Article 10 of Regulation (EU) 2019/941. This plan shall be consistent with the large-scale cybersecurity incident and crisis response plan pursuant to Article 9(4) of Directive (EU) 2022/2555. The competent authority shall coordinate with the critical-impact and high-impact entities and with the RP-NCA in its Member State.

3.   The national large-scale cybersecurity incident and crisis response plan required pursuant to Article 9(4) of Directive (EU) 2022/2555 shall be considered as a national cybersecurity crisis management plan under this Article if it includes crisis management and response provisions for the cross-border electricity flows.

4.   The tasks listed in at paragraphs 1 and 2 may be delegated by the Member States also to the Regional Coordination Centres in accordance with Article 37(2) of Regulation (EU) 2019/943.

5.   Critical-impact and high-impact entities shall ensure that their cybersecurity-related crisis management processes:

6.   Within 12 months after the notification of the high-and critical-impact entities pursuant to Article 24(6), and every three years thereafter, critical impact and high-impact entities shall develop a crisis management plan at entity level for a cybersecurity related crisis which shall be included into their general crisis management plans. This plan shall include at least the following:

7.   The measures for crisis management pursuant to Article 21(2), point (c) of Directive (EU) 2022/2555 shall be considered as a crisis management plan at entity level for the electricity sector under this Article if it includes all requirements listed in paragraph 6.

8.   The crisis management plans shall be tested during the cybersecurity exercises referred to in Articles 43, 44 and 45.

9.   The critical-impact and high-impact entities shall include their crisis management plans at entity level into their business continuity plans for the critical-impact and high-impact processes. The crisis management plans at entity level shall include:

10.   The critical-impact and high-impact entities shall update their crisis management plans at entity level at least every three years and whenever necessary.

11.   ACER shall update the Union-level cybersecurity crisis management and response plan for the electricity sector developed pursuant to paragraph (1) at least every three years and whenever necessary.

12.   Each competent authority shall update the national cybersecurity crisis management and response plan for cross-border electricity flows developed pursuant to paragraph (2) at least every three years and whenever necessary.

13.   The critical-impact and high-impact entities shall test their business continuity plans at least once every three years or after major changes in a critical-impact process. The outcome of the business continuity plan tests shall be documented. The critical-impact and high-impact entities may include the test of their business continuity plan in the cybersecurity exercises.

14.   The critical-impact and high-impact entities shall update their business continuity plan whenever necessary and at least once every three years taking into account the outcome of the test.

15.   If a test identifies deficiencies in the business continuity plan, the critical-impact and high-impact entity shall correct those deficiencies within 180 calendar days after the testing and shall conduct a new test to provide evidence that the corrective measures are effective.

16.   Where a critical-impact or high-impact entity cannot correct the deficiencies within 180 calendar days, it shall include the reasons in the report to be provided to its competent authority in accordance with Article 27.

1.   The competent authorities shall cooperate with ENISA to develop Electricity Cybersecurity Early Alert Capabilities (ECEAC) as part as the assistance to Member States pursuant to Articles 6(2) and (7) of Regulation (EU) 2019/881.

2.   The ECEAC shall enable ENISA when carrying out the tasks listed in Article 7(7) of Regulation (EU) 2019/881 to:

3.   The CSIRTs shall disseminate the information received from ENISA to the entities concerned without delay, within their tasks defined in Article 11(3), point (b) of Directive (EU) 2022/2555.

4.   ACER shall monitor the effectiveness of the ECEAC. ENISA shall assist ACER by providing all necessary information, pursuant to Articles 6(2) and 7(1) of Regulation (EU) 2019/881. The analysis of this monitoring activity shall be part of the monitoring pursuant to Article 12 of this Regulation.

1.   By 31 December of the year after the notification of critical-impact entities, and every three years thereafter, each critical-impact entity shall perform a cybersecurity exercise including one or more scenarios with cyber-attacks affecting cross-border electricity flows directly or indirectly and related to the risks identified during the cybersecurity risk assessments at Member State and entity levels in accordance with Article 20 and Article 27.

2.   By derogation from paragraph 1, the RP-NCA, after consulting the competent authority and the relevant cyber crisis management authority as designated or established in Directive (EU) 2022/2555 under Article 9 may decide to organise a cybersecurity exercise at Member State level as described in paragraph 1 instead of performing the cybersecurity exercise at entity level. In this regard, the competent authority shall inform:

3.   The RP-NCA with the technical support of its CSIRTs, shall organise the cybersecurity exercise described in paragraph 2 at Member State level independently or in the context of a different cybersecurity exercise in that Member State. In order to be able to group these exercises, RP-NCA may postpone the cybersecurity exercise at Member State level referred to in paragraph 1 by one year.

4.   The cybersecurity exercises at entity level and at Member State level shall be consistent with the national cybersecurity crisis management frameworks in accordance with Article 9(4), point (d) of Directive (EU) 2022/2555.

5.   By 31 December 2026, and every three years thereafter, the ENTSO for Electricity, in cooperation with the EU DSO entity, shall make available an exercise scenario template to perform the cybersecurity exercises at entity and Member State level referred to in paragraphs 1. This template shall take into account the results of the most recently performed cybersecurity risk assessment at entity and Member State levels and shall include key success criteria. The ENTSO for Electricity and the EU DSO entity shall involve ACER and ENISA in the development of such template.

1.   By 31 December 2029, and every three years thereafter, in each system operation region, the ENTSO for Electricity, in cooperation with the EU DSO entity, shall organise a regional cybersecurity exercise. The critical-impact entities in the system operation region shall participate in the regional cybersecurity exercise. The ENTSO for Electricity, in cooperation with the EU DSO entity, may organise, instead of a regional cybersecurity exercise, a cross regional cybersecurity exercise in more than one system operating regions in the same timeframe. The exercise should take into account other existing cybersecurity risk assessments and scenarios developed at Union level.

2.   ENISA shall support the ENTSO for Electricity and the EU DSO entity in the preparation and organisation of the cybersecurity exercise at regional or at cross-regional level.

3.   The ENTSO for Electricity, in coordination with the EU DSO entity, shall inform the critical-impact entities that shall participate in the regional or cross regional cybersecurity exercise six months before the exercise takes place.

4.   The organiser of a regular cybersecurity exercise at Union level pursuant to Article 7(5) of Regulation (EU) 2019/881, or of any mandatory cybersecurity exercise related to the electricity sector within the same geographic perimeter, may invite the ENTSO for Electricity and the EU DSO entity to participate. In such cases, the obligation in paragraph 1 does not apply, provided that all critical-impact entities in the system operation region take part in the same exercise.

5.   If the ENTSO for Electricity and the EU DSO entity participate in a cybersecurity exercise referred to in paragraph 4, they may postpone the regional or cross-regional cybersecurity exercise referred to in paragraph 1 by one year.

6.   By 31 December 2027, and every three years after that date, the ENTSO for Electricity, in coordination with the EU DSO entity, shall make available an exercise template to perform the regional and cross regional cybersecurity exercises. This template shall take into account the results of the most recently performed cybersecurity risk assessment at regional level and shall include key success criteria. The ENTSO for Electricity shall consult the Commission and may seek advice from ACER, ENISA and the Joint Research Centre on the organisation and execution of the regional and cross regional cybersecurity exercises.

1.   Upon request from a critical-impact entity, critical service providers shall participate in the cybersecurity exercises referred to in Article 43(1) and (2) and in Article 44(1) when they provide services for the critical-impact entity in the area corresponding with the scope of the relevant cybersecurity exercise.

2.   The organisers of the cybersecurity exercises referred to in Article 43(1) and (2) and in Article 44(1), with the advice of ENISA if requested by them and pursuant to Article 7(5) of Regulation (EU) 2019/881, shall analyse and finalise the relevant cybersecurity exercise through a report summarising the lessons, addressed to all participants. The report shall include:

3.   If requested by the CSIRTs network or the NIS Cooperation Group or the EU CyCLONe, the organisers of the cybersecurity exercises referred to in Article 43(1) and (2) and in Article 44(1) shall share the outcome of the relevant cybersecurity exercise. The organisers shall share with each entity participating in the exercises the information referred to in paragraph 2, points (a) and (b) of this Article. The organisers shall share the list of recommendations referred to in that paragraph, point (c) exclusively with the entities addressed in the recommendations.

4.   The organisers of the cybersecurity exercises referred to in Article 43(1) and (2) and in Article 44(1) shall follow up regularly with the entities participating in the exercises on the implementation of the recommendations pursuant to paragraph 2, point (c) of this Article.

1.   The entities listed in Article 2(1) shall ensure that information provided, received, exchanged or transmitted under this Regulation is accessible only on a need-to-know basis and in accordance with relevant Union and national rules on security of information.

2.   The entities listed in Article 2(1) shall ensure that information provided, received, exchanged or transmitted under this Regulation is handled and tracked during the entire life-cycle of that information and that it may be released at the end of its life-cycle only after being anonymised.

3.   The entities listed in Article 2(1) shall ensure that all necessary protection measures of organisational and technical nature are in place to safeguard and protect the confidentiality, integrity, availability and non-repudiation of information provided, received, exchanged or transmitted under this Regulation, independently from the means used. The protection measures shall:

4.   The entities listed in Article 2(1) shall ensure that any individual who is granted access to information provided, received, exchanged or transmitted under this Regulation is briefed on the security rules applicable at entity level and on the measures and procedures relevant to the protection of information. Those entities shall ensure that the concerned individual acknowledges the responsibility to protect the information as instructed during the briefing.

5.   The entities listed in Article 2(1) shall ensure that access to information provided, received, exchanged or transmitted under this Regulation is limited to individuals:

6.   The entities listed in Article 2(1) shall have the written agreement of the natural or legal person that originally created or provided the information, prior to providing that information to a third party that falls outside the scope of this Regulation.

7.   An entity listed in Article 2(1) may consider that this information shall be shared without complying with paragraphs 1 and 4 of this Article in order to prevent a simultaneous electricity crisis with a cybersecurity root cause or any cross-border crisis within the Union in another sector. In that case, it shall:

8.   By derogation from paragraph 6 of this Article, the competent authorities may provide information provided, received, exchanged or transmitted under this Regulation to a third party not listed in Article 2(1) without a written prior consent of the originator of the information but informing the latter at the earliest time possible. Before disclosing any information provided, received, exchanged or transmitted under this Regulation to a third party not listed in Article 2(1), the concerned competent authority shall reasonably ensure that the concerned third party is aware of the security rules in force and shall receive reasonable assurance that the concerned third party can protect the received information in compliance with paragraphs 1 to 5 of this Article. The competent authority shall anonymise such information without losing the elements necessary to inform the public of an imminent and serious risk to cross-border electricity flows and possible mitigations measures and safeguard the identity of the originator of the information. In this case, the third party not listed in Article 2(1) shall protect the received information in accordance with provisions already in force at entity level, or where this is not possible, with the provisions and instructions provided by the relevant competent authority.

9.   This Article does not apply to entities not listed in Article 2(1) that are provided with information pursuant to paragraph 6 of this Article. In this case paragraph 7 of this Article shall be applied, or the competent authority may provide that entity with written provisions to apply in cases where information is received pursuant to this Regulation.

1.   Any information provided, received, exchanged or transmitted pursuant to this Regulation shall be subject to the conditions of professional secrecy laid down in paragraphs 2 to 5 of this Article of this Regulation and requirements as laid down in Article 65 of Regulation (EU) 2019/943. Any information provided, received, exchanged or transmitted among entities listed in Article 2 of this Regulation, for the purposes of implementing this Regulation, shall be protected, considering the confidentiality level of the information applied by the originator.

2.   The obligation of professional secrecy shall apply to the entities listed in Article 2.

3.   The CS-NCAs, the NRAs, the RP-NCAs and the CSIRTs shall exchange all necessary information to carry out their tasks.

4.   Any information received, exchanged or transmitted among entities listed in Article 2(1), for the purposes of implementing Article 23, shall be anonymised and aggregated.

5.   Information received by any entity or authority subject to this Regulation in the course of their duties may not be disclosed to any other entity or authority, without prejudice to cases covered by national law, other provisions of this Regulation or other relevant Union legislation.

6.   Without prejudice to national or Union legislation, an authority, entity or natural person who receives information pursuant to this Regulation may not use it for any other purpose than carrying out its duties under this Regulation.

7.   ACER, after consulting ENISA, all competent authorities, ENTSO for Electricity and the EU-DSO Entity, shall by 13 June 2025 issue guidelines addressing mechanisms for all entities listed in Article 2(1) to exchange information, and in particular envisaged communication flows, and methods to anonymise and to aggregate information for the purpose of implementation of this Article.

8.   Information that is confidential pursuant to Union and national rules shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Regulation. The information exchanged shall be limited to that which is necessary and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of critical-impact or high-impact entities.

1.   Until the approval of the terms and conditions or methodologies referred to in Article 6(2) or plans referred to in Article 6(3), the ENTSO for Electricity, in cooperation with the EU DSO entity, shall develop non-binding guidance on the following issues:

2.   By 13 October 2024, the ENTSO for Electricity, in cooperation with the EU DSO entity, shall develop a recommendation for a provisional ECII. The ENTSO for Electricity, in cooperation with the EU DSO entity, shall notify the recommended provisional ECII to the competent authorities.

3.   Four months of receipt of the recommended provisional ECII, or the latest by 13 February 2025, the competent authorities shall identify candidates for high-impact and critical-impact entities in their Member State based on the recommended ECII and shall develop a provisional list of high-impact and critical-impact entities. The high-impact and critical-impact entities identified in the provisional list may voluntarily fulfil their obligations as laid down in this Regulation based on a precautionary principle. By 13 March 2025, the competent authorities shall notify the entities identified in the provisional list that they have been identified as a high-impact or critical-impact entity.

4.   By 13 December 2024, the ENTSO for Electricity, in cooperation with the EU DSO entity, shall develop a provisional list of Union-wide high-impact and critical-impact processes. The entities notified pursuant to paragraph (3) that voluntarily decide to fulfil their obligations as laid down in this Regulation based on a precautionary principle shall use the provisional list of high-impact and critical-impact processes to determine the provisional high-impact and critical-impact perimeters and to determine which assets are to be included in the first cybersecurity risk assessment at entity level.

5.   By 13 September 2024, each competent authority according to Article 4 (1) shall provide a list of its national legislation with relevance for cybersecurity aspects of cross-border electricity flows to the ENTSO for Electricity and the EU DSO entity.

6.   By 13 June 2025, the ENTSO for Electricity, in cooperation with the EU DSO entity, shall prepare a provisional list of European and international standards and controls required by national legislation with relevance for cybersecurity aspects of cross-border electricity flows, taking into account the information provided by the competent authorities.

7.   The provisional list of European and international standards and controls shall include:

8.   The ENTSO for Electricity and the EU DSO entity shall take into account the views provided by ENISA and ACER when finalising the provisional list of standards. The ENTSO for Electricity and the EU DSO entity shall publish the transitional list of European and international standards and controls on their websites.

9.   The ENTSO for Electricity and the EU DSO entity shall consult ENISA and ACER on the proposals for non-binding guidance developed pursuant to paragraph 1.

10.   Until the minimum and advanced cybersecurity controls are developed pursuant to Article 29 and adopted pursuant to Article 8, all entities listed in Article 2(1) shall strive to progressively apply the non-binding guidance developed pursuant to paragraph 1.