The energy sector is enduring a tumultuous decade. The COVID pandemic saw oil prices plummet, and in 2021, a ransomware attack forced one of the US’s most significant oil pipelines to shut down for five days, causing a state of emergency in 17 states. Putin’s war in Ukraine has disrupted natural gas supplies across Europe. Now, electricity providers face their own challenges.
On March 11th, the European Commission adopted new cybersecurity rules — the EU network code on cybersecurity for the electricity sector (C/2024/1383) — to establish a recurrent process of cybersecurity risk assessments in the electricity sector. This development is a positive step for cybersecurity professionals but adds to the burdens of electricity providers.
Since 2019, the EU has been enhancing the cybersecurity of critical infrastructure. The Commission adopted sector-specific guidance and the Clean Energy for All Europeans package, reinforcing the cybersecurity of the digital transformation in the energy sector. In 2020, the EU Commission outlined its EU Security Union Strategy, highlighting the need for sector-specific initiatives to make critical energy infrastructure more resilient against various threats.
The new network code is part of this ongoing effort, standardizing cybersecurity risk assessments in the electricity sector. It establishes a governance model that aligns with the EU’s existing Network and Information Security Directive (NIS2) to systematically identify entities performing critical digitalized processes in cross-border electricity flows, assess their cybersecurity risks, and implement necessary mitigating measures.
Electricity providers must now conduct a risk assessment every three years to identify cyber risks and implement protections before those risks turn into significant incidents. Suppliers to electricity providers are also subject to these rules, which is likely to improve the security of electricity supply chains. Power equipment manufacturers must design their equipment with cybersecurity in mind, and verifying that they have done so will further stretch the already limited resources of electricity providers.
A notable aspect of the legislation is its information-sharing provisions. The network code mandates that the cyber regulator in each EU country share information with the other member states within 24 hours of a company disclosing a breach. This includes sharing information about vulnerabilities affecting the electricity sector. Cybersecurity professionals welcome this measure because it addresses the problem of siloed information, which is of little use to anyone outside the silo.
However, these provisions may be unwelcome for some electricity providers, since organizations are often reluctant to share breach information that could advantage competitors. The EU’s network code removes that option: a provider may not withhold information whose absence would leave competitors more likely to suffer similar attacks.
Despite the challenges for electricity providers in finding resources for compliance, the EU network code on cybersecurity for the electricity sector will significantly improve critical infrastructure cybersecurity at a time when it is crucially needed.