Traditional energy technologies are becoming progressively more connected to modern, digital technologies and networks. This increasing digitalisation of the energy system makes it smarter and enables consumers to better benefit from innovative energy services.
At the same time, digitalisation creates significant risks as an increased exposure to cyberattacks and cybersecurity incidents potentially jeopardises the security of energy supply and the privacy of consumer data.
Key among the Commission actions is the establishment of a comprehensive legislative framework that builds on:
- the EU Cybersecurity strategy (JOIN/2013/01)
- the Directive on Security of Network and Information Systems (the NIS Directive) EU/2016/1148
- the Cybersecurity Package (JOIN/2017/450 final) from September 2017, which also includes the Cybersecurity Act
Cybersecurity in the energy sector
The far-reaching EU Security Union Strategy, presented in July 2020, aims to ensure European security in both the physical and the digital world in all parts of society. Acknowledging the need for sector specific initiatives, particularly in the energy sector, the strategy outlines an upcoming initiative to make critical energy infrastructure more resilient against physical, cyber and hybrid threats. This will ensure a level playing field for energy operators across borders.
Although there is a comprehensive overall legal framework for cybersecurity, the energy sector has certain particularities that require specific attention:
Real-time requirements
Some energy systems need to react so fast that standard security measures, such as authentication of a command, or verification of a digital signature, can simply not be introduced due to the delay these measures impose.
Cascading effects
Electricity grids and gas pipelines are strongly interconnected across Europe and well beyond the EU. An outage in one country might trigger blackouts or shortages of supply in other areas and countries.
Combined legacy systems with new technologies
Many elements of the energy system were designed and built well before cybersecurity considerations came into play. This legacy now needs to interact with the most recent state-of-the-art equipment for automation and control, such as smart meters or connected appliances, and devices from the 'Internet of Things' without being exposed to cyber-threats.
Tackling cybersecurity challenges
To increase awareness and preparedness in the energy sector, the Commission adopted sector-specific guidance in April 2019. This guidance, presented in a Recommendation and a staff working document, helps implement horizontal cybersecurity rules.
Moreover, the Clean energy for all Europeans package, adopted in 2019, will help transform Europe’s energy systems, while also maintaining a high level of security, not least in terms of reinforcing cybersecurity of the digital transformation in the energy sector.
Outside the scope of the package, the Regulation on gas security of supply (EU/2017/1938) also includes provisions to consider cybersecurity, as part of EU countries’ national risk assessments.
The Commission also works with the European Energy–Information Sharing Analysis Centre (EE-ISAC), which helps utilities improve the cybersecurity and resilience of their grid by enabling trust-based sharing of data and information.
Network code on cybersecurity
The first-ever network code on cybersecurity for the electricity sector (C/2024/1366) was published in May 2024.
It lays down sector-specific rules for cybersecurity aspects of cross-border electricity flows, including on common minimum requirements, planning, monitoring, reporting and crisis management.
The Electricity Regulation (EU/2019/943) required a network code for the electricity sector to be adopted by the Commission. While the horizontal cybersecurity framework provides a solid basis, specific characteristics of the energy sector such as the need for fast reaction, risks of cascading effects and the need to combine new digital technology with older technologies necessitate specific legislation.
The network code establishes a recurrent process of cybersecurity risk assessments in the electricity sector. The assessments aim to systematically identify the entities that perform digitalised processes with a critical or high impact on cross-border electricity flows, their cybersecurity risks and the necessary mitigating measures that need to be implemented.
It establishes a governance model to develop, follow and regularly review the methodologies used by stakeholders to promote a harmonised approach in the rapidly evolving knowledge field.
The network code follows an extensive development period with contributions from ENTSO-E, EU DSO Entity and ACER and in-depth consultations with the relevant stakeholders including the NIS Cooperation Group, which exchanges best practices between EU countries on identification, mitigation and management of cyber risks.
Related links
- News announcement: Pan-European exercise to foster preparedness in case of large-scale cyber-attacks in energy sector (20/06/2024)
- Delegated Act on the new Network Code on Cybersecurity (C/2024/1366)
- Implementing decision establishing priority lists for the development of network codes and guidelines for electricity for the period from 2020 to 2023 and for gas in 2020 ((EU) 2020/1479)
- Report: Recommendations on implementation on sector-specific rules for cybersecurity, Smart grids task force expert group 2 (June 2019)
- Commission staff working document (SWD/2019/1240) accompanying the Commission Recommendation on cybersecurity in the energy sector (C/2019/2400)
- Report: Cyber security in the energy sector, Energy Expert Cyber Security Platform (February 2017)
- Study: Evaluation of risks of cyber-incidents and on costs of preventing cyber-incidents in the energy sector (October 2018)
- Regulation on gas security of supply ((EU) 2017/1938)
- Cybersecurity, Digital Single Market
- NIS Cooperation Group, Digital Single Market
- Smart grids task force