Critical energy infrastructure, such as energy networks and power plants, is vital for a well-functioning society and economy. However, these infrastructures are increasingly exposed to risks which have the potential to disrupt the energy supply of several EU countries at the same time. Climate change, for example, is causing more extreme and unpredictable weather conditions, while malicious cyberattacks are increasingly wide-reaching.
The EU has therefore taken a series of measures to ensure resilience in the energy sector, including:
- a Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (2023/C20/01) which encourages EU countries to support critical energy infrastructure operators in carrying out stress tests to assess the resilience of energy infrastructure against malicious threats.
- the Directive on the Resilience of Critical Entities (EU/2022/2557) which introduced rules to strengthen the resilience of critical entities in several sectors, including energy.
These measures build on existing security of energy supply legislation, which already requires the consideration of malicious attacks in the electricity and gas sectors.
In addition, an EU-NATO task force on resilient infrastructure published a final assessment report in June 2023 that includes several recommendations to strengthen the resilience of critical infrastructure.
Digitalisation and cybersecurity
Traditional energy technologies are becoming progressively more connected to modern, digital technologies and networks. The increasing digitalisation in the energy system makes it smarter and enables consumers to better benefit from innovative energy services, but it also creates significant risks, as an increased exposure to cyberattacks and cybersecurity incidents can jeopardise the security of energy supply and the privacy of consumer data.
The far-reaching EU Security Union Strategy (COM/2020/605), presented in July 2020, aims to ensure European security in both the physical and the digital world in all parts of society. Acknowledging the need for sector-specific initiatives, particularly in the energy sector, the strategy outlines an upcoming initiative to make critical energy infrastructure more resilient against physical, cyber and hybrid threats. This will ensure a level playing field for energy operators across borders.
Although there is a comprehensive overall legal framework for cybersecurity, certain aspects of the energy sector require particular attention:
- Real-time requirements: Some energy systems need to react so fast that standard security measures, such as the authentication of a command, or the verification of a digital signature, simply can’t be introduced due to the delay they would cause.
- Cascading effects: Electricity grids and gas pipelines are strongly interconnected across the EU and well beyond. An outage in one country could trigger blackouts or shortages of supply in others.
- Combined legacy systems with new technologies: Many elements of the energy system were designed and built well before cybersecurity considerations came into play. This legacy now needs to interact with the most recent state-of-the-art equipment for automation and control, such as smart meters or connected appliances, and devices from the 'Internet of Things' without being exposed to cyber-threats.
Tackling cybersecurity challenges
The Clean energy for all Europeans package, adopted in 2019, is helping to transform Europe’s energy systems, while also maintaining a high level of security, not least in terms of reinforcing cybersecurity in the digital transformation in the energy sector.
The Regulation on Risk Preparedness (EU/2019/941) in the electricity sector requires malicious attacks to be considered as part of the basic risks for regional electricity crisis scenarios.
To increase awareness and preparedness on cybersecurity in the energy sector, the Commission adopted sector-specific guidance in April 2019. It is presented in a Recommendation and a staff working document aimed at helping to implement horizontal cybersecurity rules.
The gas security of supply rules also include provisions to consider cybersecurity, as part of EU countries’ national risk assessments.
Network code on cybersecurity
As required in the Electricity Regulation (EU/2019/943), the first-ever network code on cybersecurity for the electricity sector (C/2024/1366) was published in May 2024.
It lays down sector-specific rules for cybersecurity aspects of cross-border electricity flows, including on common minimum requirements, planning, monitoring, reporting and crisis management.

While the horizontal cybersecurity framework provides a solid basis, specific characteristics of the energy sector, such as the need for fast reaction, the risk of cascading effects and the need to combine new digital technology with older technologies, necessitate specific legislation.
The network code establishes a recurrent process of cybersecurity risk assessments in the electricity sector. The assessments aim to systematically identify the entities that perform digitalised processes with a critical or high impact on cross-border electricity flows, their cybersecurity risks and the necessary mitigating measures that need to be implemented.
It establishes a governance model to develop, follow and regularly review the methodologies used by stakeholders to promote a harmonised approach in the rapidly evolving knowledge field.
The network code follows an extensive development period with contributions from ENTSO-E, EU DSO Entity and ACER and in-depth consultations with the relevant stakeholders including the NIS Cooperation Group, which exchanges best practices between EU countries on identification, mitigation and management of cyber risks.
Article 4 of the Network Code required all EU countries, by 13 December 2024, to designate a national governmental or regulatory authority to carry out the tasks assigned to it in this regulation.
EU country | Name of Competent Authority |
---|---|
Belgium | General Directorate of Energy of the Federal Public Service Economy, SMEs, Self-Employed and Energy |
Bulgaria | Ministry of Energy |
Denmark | Danish Energy Agency |
Germany | Bundesministerium für Wirtschaft und Klimaschutz |
Estonia | Estonian Information System Authority (RIA and NCSC-EE) |
Italy | National Cybersecurity Agency |
Lithuania | National Energy Regulatory Council |
Hungary | Hungarian Energy and Public Utility Regulatory Authority (Magyar Energetikai és Közmű-szabályozási Hivatal) |
Portugal | Centro Nacional de Cibersegurança (CNCS) |
Slovakia | Regulatory Office for Network Industries (URSO) |
Finland | Finnish Regulatory Authority |
Sweden | Swedish Energy Agency |

- Directive on measures for a high common level of cybersecurity across the Union (NIS2) (EU/2022/2555)
- Directive on the resilience of critical entities (CER) (EU/2022/2557)
- Regulation on digital operational resilience for the financial sector (DORA) (EU/2022/2554)
- Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (2023/C 20/01)
- Radio Equipment Directive Delegated Act on cybersecurity (C/2021/7672)
- Regulation on ENISA and on information and communications technology cybersecurity certification (EU Cybersecurity Act) (EU/2019/881)
- Recommendation on cybersecurity in the energy sector and Staff Working Document C(2019) 2400 final
- Commission proposal for a Recommendation on a Blueprint for Critical Infrastructure (COM/2023/526)
- EU Security Union Strategy (COM/2020/605)
- Communication: Digitalising the energy system - EU action plan and Staff Working Document
- Implementing decision establishing priority lists for the development of network codes and guidelines for electricity for the period from 2020 to 2023 and for gas in 2020 (EU/2020/1479)
- Study: Evaluation of risks of cyber-incidents and on costs of preventing cyber-incidents in the energy sector (October 2018)
- Cybersecurity, Digital Single Market
- NIS Cooperation Group, Digital Single Market
- Smart grids task force