Network Code on Cybersecurity
The Network Code on Cybersecurity (NCCS) aims to set a European standard for the cybersecurity of cross-border electricity flows. It includes rules on cyber risk assessment, common minimum requirements, cybersecurity certification of products and services, monitoring, reporting and crisis management.
This Network Code provides a clear definition of the roles and responsibilities of the different stakeholders for each activity.
To learn more about the different components of the Network Code on Cybersecurity, watch our video series:
Deliverables
- Provisional List Of Union-Wide High-Impact And Critical-Impact Processes
- Supporting document for the Provisional List of Union-wide high-impact and critical-impact processes
- Provisional Electricity Cybersecurity Impact Index (ECII)
- Supporting document for the provisional Electricity Cybersecurity Impact Index (ECII)
Archive
Here is a repository of relevant resources related to NCCS.
- Legal Text
- Mapping to ACER Framework Guidline
- Supporting Document
- ToR for collaboration with Stakeholders
- ACER Revised NCCS
- EC final version of NCCS
- NC Cybersecurity Overview of public consultations comments
- PC Feedback Public
- EDF Group position paper
- NCCS Comments ILR
- Swedish response to draft of NCCS
- BMWi Comments NC Cyber
- WindEurope position paper cybersecurity framework fit for wind energy
Frequently Asked Questions (FAQs)
Who are the “all concerned CSIRTs” in art 37.5? All CSIRTs in the Member States? Or all concerned CSIRTs in Europe?
All concerned CSIRTs means all CSIRTs in charge of high- and critical-impact Entities that could be impacted by the specific threat or could provide useful information to high- and critical-impact entities to actively prepare their defenses. The legislation doesn’t apply outside the EU, except if there is a specific agreement (see Art.14).
When should high- and critical-impact Entities start reporting cyber-attacks and sharing information linked (Art.38.3)?
During the transition period, high- and critical-impact entities can apply the NCCS on a voluntary basis. But following Art.38.4 they will need the Cyber-Attack Classification Scale Methodology (Art.37.8) to define if a cyber-attack is reportable or not. In addition, to determine the “potential impact” of a cyber-attack (Art.37.8.a), the methodology may need the result of the Union-Wide Risk Assessment. If a high- or critical-impact Entity reporting an incident through NIS2 estimates that the cross-border electricity flows could be impacted, it should alert its authority of the potential impact.
When should the competent authorities start sharing information related to cyber threats, to unpatched actively exploited vulnerability and to cyber-attacks?
As soon as competent authorities receive information from high- and critical-impact Entities, they should share it according to the NCCS, with full respect of national confidentiality requirements.
Contact us
For any outstanding questions please contact nccs@entsoe.eu
Follow us on LinkedIn, X and YouTube for the latest updates on the Network Code on Cybersecurity (NCCS) and more.