Critical infrastructure and cybersecurity
Energy technologies and networks are increasingly digital.
The advantage is evident and the EU is also pushing member states to digitization because it becomes indispensable for a more prudent management of energy resources, with evident benefits both for global savings and for the environment.
However, the digitalised energy sector is also becoming vulnerable and the target of cyber attacks that manage to bring energy grids to their knees.
This risk is enormously amplified in an integrated energy system as the EU rightly wants. Therefore European countermeasures are needed to prevent and manage crisis situations.
Cybersecurity in the energy sector
The EU Security Union Strategy, presented in July 2020, aims to ensure European security in both the physical and digital worlds in all parts of society. Recognizing the need for sector-specific initiatives, particularly in the energy sector, the strategy outlines an upcoming initiative to make critical energy infrastructures more resilient to physical, cyber and hybrid threats. This will ensure a level playing field for energy operators across borders.
In December 2021, the EU Commission presented the third progress report (Main document, Annex I, Annex II) on the implementation of the EU Security Union Strategy. It outlines the EU response in the context of increasingly sophisticated cross-border and cross-sectoral threats. In parallel to the report, the Commission also presented a package of measures to enhance police cooperation, as one of the key actions towards a strong European security ecosystem.
While there is a comprehensive global legal framework for cybersecurity, the energy sector has some particularities that require special attention:
Tackling cybersecurity challenges
To increase awareness and preparedness in the energy sector, the Commission adopted sector-specific guidance in April 2019. This guidance, presented in a Recommendation and a staff working document, helps implement horizontal cybersecurity rules.
Moreover, the Clean energy for all Europeans package, adopted in 2019, will help transform Europe’s energy systems, while also maintaining a high level of security, not least in terms of reinforcing cybersecurity of the digital transformation in the energy sector.
Outside the scope of the package, the Regulation on gas security of supply ((EU) 2017/1938) also includes provisions to consider cybersecurity, as part of EU countries’ national risk assessments.
Network code on cybersecurity
The Regulation EU/2019/941 on Risk Preparedness in the electric sector mandates EU countries to include measures on cybersecurity in their national risk assessment plans.
The Regulation (EU)2019/943 on Internal market for electricity requires the Commission to develop a network code on cybersecurity of cross-border electricity flows.
In 2019, the Smart grids task force expert group 2 published recommendations on the implementation of the regulation. In addition, ACER is also requested to participate in the development and adoption process of the code set for 2022.
To carry out preparatory work on the network code, the Commission set up a drafting team of relevant stakeholders in February 2020.
The work concluded with a technical report that put forward recommendations to the Commission and identifies areas that need to be addressed, such as:
This report, together with the Smart grids task force report, will help develop the network code and is published to ensure full transparency.
For questions or feedback, you can contact the drafting team on email@example.com and firstname.lastname@example.org.
Since cooperation and trust among stakeholders and EU countries is key when it comes to cybersecurity, due to the potential cascading and cross-border effects, the Commission is working to raise awareness and to promote broad discussions in the energy sector.
To that end, the Commission has set up specific work efforts on cybersecurity in the energy sector under the NIS Cooperation Group, which was established in the NIS Directive and which aims to exchange best practices between EU countries on identification, mitigation and management of cyber risks.
EU and Cybersecurity
Cybersecurity and challenges related to it are evolving at a rapid pace, which is why the European Commission has taken a series of measures to tackle it. Key among these is the establishment of a comprehensive legislative framework that builds on: