Cyber incident at the EU Agency for Cooperation of Energy Regulators (ACER)

• With the security incident of last year, the Agency remained functional.
• The extranet, which was taken offline for immediate remediation actions, was brought back in January.
• Affected third parties were notified of the alternative business continuity arrangements, which were adopted in early January.
• ACER has undertaken mitigation actions in line with recommendations of the Cyber Security Service for the EU institutions, bodies and agencies (CERT-EU).
• REMIT systems remain fully segregated.
• Our forensic investigation is now closed. We are auditing our systems to identify gaps and further protect them.
• The Agency is committed to learning from this experience. To this end, we are undertaking further security enhancements throughout 2024 to further improve our cybersecurity posture. The Agency is conducting a thorough review of our cybersecurity measures, policies, and training protocols in line with our security-first approach.
• Furthermore, the Agency will strengthen its internal cybersecurity risk management, governance and control framework in line with the new Cybersecurity Regulation (which came into effect on 7 January 2024 and which is applicable to all EU institutions, bodies and agencies). 
• We have established a dedicated e-mail channel DataSecurity@acer.europa.eu to address any concerns.

More specific guidance for stakeholders who interact regularly with ACER

ACER has received queries from stakeholders on the impact of the cyber incident and requests for guidance. ACER offers the following information:

REMIT/LNG data and use of Virtual Private Network (VPN):

• The Agency has secure systems for sensitive data.
• Based on the evidence to date, the data reported by market participants to the Agency, in line with their obligations under the REMIT Regulation and the LNG market data  safeguarded in ACER's REMIT information systems has NOT been impacted.
• Stakeholders should continue to use a secure channel to report their data to the Agency in line with their obligations under the REMIT Regulation and LNG data reporting obligations.
• Stakeholders (and national regulators) that have a Virtual Private Network (VPN) connection with ACER for the exchange of REMIT data should continue to use their VPN. For stakeholders in the process of setting up their VPN connections to ACER, the set up of the VPN connection should continue.
• Sensitive data should not be sent over e-mail to ACER. This has already been our advice and as such it still stands.

E-mails:

• There is no need to stop e-mail communications with ACER.
• For any sensitive information that can only be communicated to ACER via an e-mail (although not recommended), please send it as a password protected zipped file attachment to the e-mail (with very long passwords; passwords are to be shared via other means than email such as SMS or MS Teams message to the intended recipient).

Press contact: Press@acer.europa.eu

Read more:

• Update: 26 January 2024
• Update: 15 December 2023
• Update: 4 December 2023
• Update: 27 November 2023