ACER publishes its Framework Guideline to establish a Network Code on Cybersecurity
What is the Framework Guideline about?
Today, the EU Agency for the Cooperation of Energy Regulators (ACER) has published its non-binding Framework Guideline on sector-specific rules for cybersecurity aspects of cross-border electricity flows.
The Framework Guideline provides high-level principles for the development of a binding Cybersecurity Network Code that will further contribute to maintaining the security and resilience of the electricity system across Europe.
The Framework Guideline covers various security-related topics, such as:
-
governance
-
cross-border risk assessment & management (defining the scope of cross-border electricity flows’ cybersecurity risk assessment)
-
a common electricity cybersecurity framework (defining both the basic and advanced lists of principles and requirements)
-
information sharing and essential information flows
-
incident handling and crisis management (including data collection)
-
an electricity cybersecurity exercise framework
-
protection of information exchange in the context of data processing
-
monitoring, benchmarking and reporting
The journey towards a Network Code on Cybersecurity
In April 2021, ACER ran a public consultation for two months on the draft version of the Framework Guideline, inviting stakeholders to share their views on the document.
ACER received 42 responses to the consultation, the majority from energy industry companies or associations based within EU Member States.
The feedback collected showed:
-
respondents welcome the draft Framework Guideline
-
88% believe the Framework Guideline contributes to further protecting cross-border electricity flows
-
65% say that there are still gaps concerning the cybersecurity of cross-border electricity flows, which the draft Framework Guideline proposal should address.
Main changes to the draft Framework Guideline
Following the feedback received, ACER revised the content of its draft Framework Guideline.
It now includes:
-
An improved risk assessment methodology: tailored for the cybersecurity network code.
-
A more balanced role and governance for ENTSO-E and the EU DSO entity in implementing the risk assessment of cross-border electricity flows, while reducing the role of Regional Coordination Centers.
-
An updated verification methodology to prove compliance with a common cybersecurity framework: allowing the use of three different paths to verification (including certification, government inspection and peer review schemes).
-
The possibility for Computer Security Incident Response Teams (CSIRTs) to withhold information from the information sharing network where dissemination is considered a risk.
-
The right for Cyber Security National Competent Authorities and national energy regulatory authorities to issue derogations for maximum two years for any entities that do not directly or indirectly affect cross-border electricity flows.
-
A possibility for those stakeholders not listed as entities in scope of the network code to still be nominated and covered by it, e.g. small and micro entities.
What are the next steps?
ACER has now submitted the non-binding Framework Guideline to the European Commission.
As a next step, a specific drafting committee for the cooperation of ENTSO-E and the EU DSO entity will prepare a proposal for the network code based on the ACER Framework Guidelines. This proposal shall be submitted to ACER within 12 months after ENTSO-E receives the European Commission’s request.
ACER will then review the proposed network code to ensure compliance with its Framework Guideline and make sure it does not hamper market integration, nor the market’s efficient functioning.
ACER shall submit the revised network code to the European Commission within six months.