Electricity sector, the first network code on EU cybersecurity
The EU wants to lift controls on the cybersecurity of the electricity system
– Traditional energy technologies are becoming increasingly connected, intelligent and digital. This transformation path makes the system much more efficient, environmentally friendly and able to respond better to changes. At the same time, however, the sector’s exposure to new risks increases. Recent cyber attacks in the electricity industry have disabled remote controls of wind farms, disrupted power grids, “knocked down” sites of energy companies and led to recurring data breaches involving names, addresses, and customer information. Attacks have been increasing since the outbreak of the Russian War in Ukraine.
It is time for the European Union to raise the barricades and the first tool to do so is the new network code on cybersecurity of cross-border flows of electricity. The delegated act, adopted yesterday by the European Commission, aims to establish a recurring process of IT risk assessment in the electricity sector. The target? Systematically identify those who run digitized processes with a critical or high impact on cross-border electricity flows, the related IT security risks and therefore the necessary mitigation measures.
The network code on the cybersecurity of electrical flows
Today there are multiple methodologies and standards in the field of IT security, and it is a rapidly evolving field. Therefore, with the aim of harmonizing and ensuring a common baseline while respecting existing practices and investments as much as possible, the network code on cybersecurity establishes a governance model to develop, follow and regularly review the methodologies of the different stakeholders. This model takes into account the current mandates of different bodies both in the computer security system and in the regulation of electricity.
“The delegated act – writes the EU Commission – follows a wide consultation process with stakeholders, including contributions from ENTSO-E , EU DSO Entity and ACER, and 4 weeks for public feedback at the end of last year”. Now the Network Code will pass into the hands of the two co-legislators of the Union. This means that the European Parliament and the Council each have a period of 2 months to oppose this secondary legislation; this period may be extended by 2 months.
