ACER launches guidance to track cybersecurity performance in EU electricity networks
What is it about?
ACER issues today its guidance on the information to be voluntarily submitted for the monitoring of operational reliability performance indicators related to cybersecurity in the electricity sector, under the Cybersecurity Network Code.
Who is this guidance for?
This guidance is addressed to stakeholders in the electricity sector, including transmission and distribution system operators (TSOs and DSOs), generators, organised markets, nominated electricity market operators (NEMOs) and balancing responsible parties, as well as providers of critical information and communication technology (ICT) services and managed security services.
Why does it matter?
The operational reliability performance indicators for cybersecurity will measure how effectively electricity sector companies protect their digital systems and mitigate cybersecurity risks to cross-border electricity flows. They will track statistical data on high and critical-impact cyber-attacks, reportable cyber-threats and exploited unpatched vulnerabilities.
By submitting the requested data, stakeholders will allow ACER to monitor trends and assess how cybersecurity performance evolves across the EU electricity sector.
What information is ACER requesting?
ACER is requesting the following statistical information, as defined by the operational reliability performance indicators listed in the guidance:
- annual number of reportable cyber threats;
- annual number of reportable cyber-attacks; and
- annual number of exploited unpatched (zero day) vulnerabilities.
What’s the timeline to submit the information?
Starting in 2027, ACER will open a submission window once every three years. In the first submission window in 2027, ACER will request data for 2026. From 2030 onwards, each submission will cover the three preceding years.
Unless communicated otherwise, the submission window will be open each reporting year from 15 January to 1 March.
How will the information be submitted?
To facilitate data collection, ACER will provide access to a secure online tool. More detailed instructions will be made available prior to the first submission window.
What are the next steps?
Looking ahead, ACER will use this collected data (after careful aggregation to protect sensitive information) as an input to its triannual reporting, supporting EU-level monitoring and informing future efforts to strengthen the EU cyber resilience.