Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows
(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2019/943 of the European Parliament and of the Council of 5 June 2019 on the internal market for electricity [1], in particular Article 59(2), point (e) thereof,

Whereas:

(1) Cybersecurity risk management is crucial for maintaining security of electricity supply and for ensuring a high level of cybersecurity in the electricity sector.

(2) Digitalisation and cybersecurity are decisive to provide essential services and therefore of strategic relevance for critical energy infrastructure.

(3) Directive (EU) 2022/2555 of the European Parliament and of the Council [2] lays down measures for a high common level of cybersecurity across the Union. Regulation (EU) 2019/941 of the European Parliament and of the Council [3] complements Directive (EU) 2022/2555 by ensuring that cybersecurity incidents in the electricity sector are properly identified as a risk and that the measures taken to address them are properly addressed in the risk-preparedness plans. Regulation (EU) 2019/943 complements Directive (EU) 2022/2555 and Regulation (EU) 2019/941 by setting out specific rules for the electricity sector at Union level. Furthermore, this Delegated Regulation complements the provisions of Directive (EU) 2022/2555 regarding the electricity sector, whenever cross-border electricity flows are concerned.

(4) In a context of interlinked digitalised electricity systems, prevention and management of electricity crises related to cyber-attacks cannot be considered to be a solely national task. More efficient and less costly measures through regional and Union cooperation should be developed to their full potential. Therefore, a common framework of rules and better coordinated procedures are needed in order to ensure that Member States and other actors are able to cooperate effectively across borders, in a spirit of increased transparency, trust and solidarity between Member States and competent authorities responsible for electricity and cybersecurity.

(5) Cybersecurity risk management within the scope of this Regulation requires a structured process including, among others, the identification of risks for cross-border flows of electricity stemming from cyber-attacks, the related operational processes and perimeters, the corresponding cybersecurity controls and verification mechanisms. While the timeframe for the whole process is spread over years, each step of it should contribute to a high common level of cybersecurity in the sector and the mitigation of cybersecurity risks. All participants in the process should make their best efforts to develop and agree on the methodologies as soon as possible without undue delay, and in any case no later than the deadlines defined in this Regulation.

(6) The cybersecurity risk assessments at Union, Member State, regional and entity level in this Regulation may be limited to those resulting from cyber-attacks as defined in Regulation (EU) 2022/2554 of the European Parliament and of the Council [4], therefore excluding, for instance, physical attacks, natural disasters and outages due to loss of facilities or human resources. Union-wide and regional risks related to physical attacks or natural disasters in the electricity domain are already covered by other existing Union legislation, including Article 5 of Regulation (EU) 2019/941, or Commission Regulation (EU) 2017/1485 [5] establishing a guideline on electricity transmission system operation. Similarly, Directive (EU) 2022/2557 of the European Parliament and of the Council [6] on the resilience of critical entities aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities and covers all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and hybrid threats or other antagonistic threats, including terrorist offences, criminal infiltration and sabotage.

(7) The notion of "high-impact and critical-impact entities" in this Regulation is fundamental to define the scope of entities that will be subject to the obligations described in this Regulation. The risk-based approach outlined in the different provisions aims to identify the processes, supporting assets and the entities operating them that affect the cross-border electricity flows. Depending on the degree of impact of possible cyber-attacks on their operations of cross-border flows of electricity, they may be considered as "high-impact" or "critical-impact". Article 3 of Directive (EU) 2022/2555 lays down the notions of essential and important entities and the criteria to identify entities in those categories. While many of them will be considered and identified simultaneously as "essential" in the sense of Article 3 of Directive (EU) 2022/2555 and as high-impact or critical-impact pursuant to Article 24 of this Regulation, the criteria laid down in this Regulation refer only to their role and impact in the electricity processes affecting cross-border flows, without any consideration of the criteria defined in Article 3 of Directive (EU) 2022/2555.

(8) The entities in the scope of this Regulation, considered high-impact or critical-impact pursuant to Article 24 of this Regulation and subject to the obligations laid down therein, are primarily those that have a direct impact on cross-border flows of electricity in the EU.

(9) This Regulation makes use of existing mechanisms and instruments, already established in other legislation, to ensure efficiency and avoid duplication in the achievement of the objectives.

(10) When applying this Regulation, Member States, relevant authorities and system operators should take into consideration agreed European standards and technical specifications of the European Standardisation Organisations and act in line with Union legislation relating to the placing on the market or putting into service of products covered by that Union legislation.

(11) With a view to mitigating cybersecurity risks, it is necessary to establish a detailed rulebook governing the actions of, and the cooperation amongst, relevant stakeholders whose activities concern cybersecurity aspects of cross-border electricity flows, with the aim of ensuring system security. Those organisational and technical rules should ensure that most electricity incidents with cybersecurity root causes are effectively dealt with at operational level. It is necessary to set out what those relevant stakeholders should do to prevent such crises and what measures they can take should system operation rules alone no longer suffice. Therefore, it is necessary to establish a common framework of rules on how to prevent, prepare for and manage simultaneous electricity crises with a cybersecurity root cause. This brings more transparency in the preparation phase and during a simultaneous electricity crisis and ensures that measures are taken in a coordinated and effective manner together with the competent authorities for cybersecurity in the Member States. Member States and relevant entities should be required to cooperate, at regional level and, where applicable, bilaterally, in a spirit of solidarity. This cooperation and these rules are intended to achieve better cybersecurity risk-preparedness at a lower cost, also in line with the objectives of Directive (EU) 2022/2555. It also appears necessary to strengthen the internal electricity market by enhancing trust and confidence across Member States, in particular by mitigating the risk of undue curtailment of cross-border flows of electricity, thus reducing the risk of negative spill-over effects on neighbouring Member States.

(12) Security of electricity supply entails effective cooperation among Member States, Union institutions, bodies, offices and agencies, and relevant stakeholders. Distribution system operators and transmission system operators play a key role in ensuring a secure, reliable and efficient electricity system in accordance with Articles 31 and 40 of Directive (EU) 2019/944 of the European Parliament and of the Council [7]. The different regulatory authorities and other relevant competent national authorities also play an important role in ensuring and monitoring cybersecurity within the electricity supply, as part of the tasks attributed to them by Directives (EU) 2019/944 and (EU) 2022/2555. Member States should designate an existing or new entity as their competent national authority for the implementation of this Regulation, with the aim of ensuring the transparent and inclusive participation of all actors involved, the efficient preparation and proper implementation of it, the cooperation among the different relevant stakeholders and competent authorities in electricity and cybersecurity, as well as facilitating the prevention and ex post evaluation of electricity crises with cybersecurity root causes and information exchanges in relation thereto.

(13) Where a high-impact or critical-impact entity provides services in more than one Member State, or has its seat or other establishment or a representative in a Member State, but its network and information systems are located in one or more other Member States, those Member States should encourage their respective competent authorities to make their best efforts to cooperate with and assist each other as necessary.

(14) Member States should ensure that the competent authorities have the necessary powers, in relation to high-impact and critical-impact entities, to promote compliance with this Regulation. Those powers should allow competent authorities to carry out on-site inspections and off-site supervision. This can include random checks, regular audits, targeted security audits based on risk assessments or risk-related available information, and security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, and includes requesting information necessary to assess the cybersecurity measures adopted by the entity. That information should include documented cybersecurity policies, access data, documents or any information necessary for the performance of their supervisory tasks, and evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.

(15) In order to avoid gaps between or duplications of cybersecurity risk-management obligations imposed on high-impact and critical-impact entities, national authorities under Directive (EU) 2022/2555 and the competent authorities under this Regulation should cooperate in relation to the implementation of cybersecurity risk-management measures and the supervision of compliance with those measures at national level. The compliance of an entity with the cybersecurity risk management requirements laid down in this Regulation could be considered by the competent authorities under Directive (EU) 2022/2555 as ensuring compliance with the corresponding requirements laid down in that Directive, or vice versa.

(16) A common approach to simultaneous electricity crisis prevention and management requires a common understanding among Member States as to what constitutes a simultaneous electricity crisis and when a cyber-attack is an important factor in it. In particular, coordination among Member States and relevant entities should be facilitated for the purpose of addressing a situation in which the potential risk of a significant electricity shortage or an impossibility to supply electricity to customers is present or imminent due to a cyber-attack.

(17) Recital 1 of Regulation (EU) 2019/881 of the European Parliament and of the Council [8] recognises the vital role of network and information systems and electronic communications networks and services in keeping the economy running in key sectors such as energy, while recital 44 explains that the European Union Agency for Cybersecurity ("ENISA") should liaise with the European Union Agency for the Cooperation of Energy Regulators ("ACER").

(18) Regulation (EU) 2019/943 assigns specific responsibilities with regard to cybersecurity to Transmission System Operators ("TSOs") and Distribution System Operators ("DSOs"). Their European associations, namely the European network of TSOs for electricity ("ENTSO for Electricity") and the European entity for DSOs ("EU DSO entity") shall, pursuant to Articles 30 and 55 of that Regulation respectively, promote cybersecurity in cooperation with relevant authorities and regulated entities.

(19) A common approach to prevention and management of simultaneous electricity crises with cybersecurity root causes also requires that all relevant stakeholders use harmonised methods and definitions to identify risks relating to the cybersecurity of electricity supply. It also requires them to be in a position to compare effectively how well they and their neighbours perform in that area. Therefore, it is necessary to establish the processes, roles and responsibilities to develop and update risk management methodologies, incident classification scales and cybersecurity measures adapted to the cybersecurity risks impacting the cross-border flows of electricity.

(20) Member States, through the competent authority designated for this Regulation, are responsible for identifying the entities which meet the criteria to qualify as high-impact and critical-impact entities. In order to eliminate divergences among Member States in that regard and ensure legal certainty as regards the cybersecurity risk-management measures and reporting obligations for all relevant entities, a set of criteria should be established that determines the entities falling within the scope of this Regulation. That set of criteria should be defined and regularly updated through the development and adoption process of terms, conditions and methodologies laid down in this Regulation.

(21) The provisions of this Regulation should be without prejudice to Union law providing for specific rules on the certification of information and communication technology ("ICT") products, ICT services and ICT processes, in particular without prejudice to Regulation (EU) 2019/881 with regard to the framework for the establishment of European cybersecurity certification schemes. In the context of this Regulation, ICT products should also include technical devices and software that enable direct interaction with the electrotechnical network, in particular industrial control systems that can be used for energy transmission, energy distribution and energy production, as well as for the collection and transmission of related information. The provisions should ensure that the relevant security objectives in Article 51 of Regulation (EU) 2019/881 are met by the ICT products, ICT services and ICT processes to be procured.

(22) Recent cyber-attacks show that entities are increasingly becoming the target of supply chain attacks. Such supply chain attacks not only have an impact on individual entities in scope but can also have a cascading effect, leading to larger attacks on entities to which they are connected in the electricity grid. Provisions and recommendations to help mitigate the cybersecurity risks associated with processes related to the supply chain, notably procurement, with impact on the cross-border flows of electricity have therefore been added.

(23) Since the exploitation of vulnerabilities in network and information systems may cause significant energy disruptions and harm to the economy and consumers, these vulnerabilities should be swiftly identified and remedied in order to reduce risks. In order to facilitate the effective implementation of this Regulation, relevant entities and competent authorities should cooperate in exercise and test activities that are considered to be appropriate for that purpose, including information exchange on cyber threats, cyber-attacks, vulnerabilities, tools and methods, tactics, techniques and procedures, cybersecurity crisis management preparedness and other exercises. Since technology is evolving constantly and digitalisation of the electricity sector is progressing rapidly, the implementation of the provisions adopted should not be detrimental to innovation and should not constitute a barrier to access to the electricity market and the subsequent use of innovative solutions that contribute to the efficiency and sustainability of the electricity system.

(24) The information collected in view of monitoring the implementation of this Regulation should be reasonably limited on a need-to-know principle. Stakeholders should be granted achievable and effective deadlines for submitting such information. Double notification should be avoided.

(25) Cybersecurity protection does not stop at the Union's borders. A secure system requires the involvement of neighbouring third countries. The Union and its Member States should strive to support neighbouring third countries whose electricity infrastructure is connected to the European grid in applying cybersecurity rules similar to those set out in this Regulation.

(26) In order to improve security coordination early on and to test future binding terms, conditions and methodologies, the ENTSO for Electricity, the EU DSO Entity and the competent authorities should start developing non-binding guidance immediately after the entry into force of this Regulation. This guidance will serve as a baseline for the development of the future terms, conditions and methodologies. In parallel, the competent authorities should identify entities as candidates for high- and critical-impact entities to start, on a voluntary basis, to fulfil the obligations.

(27) This Regulation has been developed in close cooperation with ACER, ENISA, the ENTSO for Electricity, the EU DSO entity and other stakeholders, in order to adopt effective, balanced and proportionate rules in a transparent and participative manner.

(28) This Regulation complements and enhances the crisis management measures established in the EU Cybersecurity Crisis Response Framework, as set out in Commission Recommendation (EU) 2017/1584 [9]. A cyber-attack could also cause, contribute to, or coincide with an electricity crisis as defined in Article 2(9) of Regulation (EU) 2019/941, impacting the cross-border flows of electricity. That electricity crisis could lead to a simultaneous electricity crisis as defined in Article 2(10) of Regulation (EU) 2019/941. Such an incident could also have an impact on other sectors dependent on the security of electricity supply. Should such an incident escalate to a large-scale cybersecurity incident within the meaning of Article 16 of Directive (EU) 2022/2555, the provisions in that Article establishing the European cyber crisis liaison organisation network ("EU-CyCLONe") should apply. For crisis management at Union level, relevant parties should rely on the EU Integrated Political Crisis Response arrangements ("IPCR arrangements") under Council Implementing Decision (EU) 2018/1993 [10].

(29) This Regulation is without prejudice to the competence of Member States to take the necessary measures to ensure the protection of the essential interests of their security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences, in compliance with Union law. In accordance with Article 346 TFEU, no Member State is to be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security.

(30) Although this Regulation applies, in principle, to entities carrying out activities in the production of electricity from nuclear power plants, some of those activities may be linked to national security.

(31) Union data protection law and Union privacy law should apply to any processing of personal data under this Regulation. In particular, this Regulation is without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council [11], Directive 2002/58/EC of the European Parliament and of the Council [12] and Regulation (EU) 2018/1725 of the European Parliament and of the Council [13]. This Regulation should therefore not affect, inter alia, the tasks and powers of the authorities competent to monitor compliance with the applicable Union data protection law and Union privacy law.

(32) Given the importance of international cooperation on cybersecurity, the competent authorities responsible for carrying out the tasks assigned to them under this Regulation and designated by Member States should be able to participate in international cooperation networks. Therefore, for the purpose of carrying out their tasks, the competent authorities should be able to exchange information, including personal data, with the competent authorities of third countries provided that the conditions under Union data protection law for transfers of personal data to third countries, inter alia those of Article 49 of Regulation (EU) 2016/679, are met.

(33) The processing of personal data, to the extent necessary and proportionate for the purpose of ensuring security of assets by high-impact or critical-impact entities, could be considered to be lawful on the basis that such processing complies with a legal obligation to which the controller is subject, in accordance with the requirements of Article 6(1), point (c), and Article 6(3) of Regulation (EU) 2016/679. Processing of personal data may also be necessary for legitimate interests pursued by high-impact or critical-impact entities, as well as providers of security technologies and services acting on behalf of those entities, pursuant to Article 6(1), point (f), of Regulation (EU) 2016/679, including where such processing is necessary for cybersecurity information-sharing arrangements or the voluntary notification of relevant information in accordance with this Regulation. Measures related to the prevention, detection, identification, containment, analysis and response to cyber-attacks, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated vulnerability disclosure, the voluntary exchange of information about those cyber-attacks, cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools may require the processing of certain categories of personal data, such as IP addresses, uniform resource locators (URLs), domain names, email addresses and, where they reveal personal data, time stamps. Processing of personal data by the competent authorities, the single points of contact and the CSIRTs may constitute a legal obligation or be considered to be necessary for carrying out a task in the public interest or in the exercise of official authority vested in the controller pursuant to Article 6(1), point (c) or (e), and Article 6(3) of Regulation (EU) 2016/679, or for pursuing a legitimate interest of the high-impact or critical-impact entities, as referred to in Article 6(1), point (f), of that Regulation. Furthermore, national law may lay down rules allowing the competent authorities, the single points of contact and the CSIRTs, to the extent that is necessary and proportionate for the purpose of ensuring the security of network and information systems of high-impact or critical-impact entities, to process special categories of personal data in accordance with Article 9 of Regulation (EU) 2016/679, in particular by providing for suitable and specific measures to safeguard the fundamental rights and interests of natural persons, including technical limitations on the re-use of such data and the use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.

(34) Personal data are in many cases compromised as a result of cyber-attacks. In that context, the competent authorities should cooperate and exchange information about all relevant matters with the authorities referred to in Regulation (EU) 2016/679 and Directive 2002/58/EC.

(35) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 17 November 2023,

HAS ADOPTED THIS REGULATION:

Footnotes:

[1] OJ L 158, 14.6.2019, p. 54.
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).
[3] Regulation (EU) 2019/941 of the European Parliament and of the Council of 5 June 2019 on risk-preparedness in the electricity sector and repealing Directive 2005/89/EC (OJ L 158, 14.6.2019, p. 1).
[4] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).
[5] Commission Regulation (EU) 2017/1485 of 2 August 2017 establishing a guideline on electricity transmission system operation (OJ L 220, 25.8.2017, p. 1).
[6] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, p. 164).
[7] Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU (OJ L 158, 14.6.2019, p. 125).
[8] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
[9] Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
[10] Council Implementing Decision (EU) 2018/1993 of 11 December 2018 on the EU Integrated Political Crisis Response Arrangements (OJ L 320, 17.12.2018, p. 28).
[11] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
[12] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
[13] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).