Network Code on Cybersecurity

The Network Code on Cybersecurity (NCCS) aims to set a European standard for the cybersecurity of cross-border electricity flows. It includes rules on cyber risk assessment, common minimum requirements, cybersecurity certification of products and services, monitoring, reporting and crisis management.

This Network Code provides a clear definition of the roles and responsibilities of the different stakeholders for each activity.

To learn more about the different components of the Network Code on Cybersecurity, watch our video series:

Current Status Entered into force Read the Regulation

Deliverables

Archive

Here is a repository of relevant resources related to NCCS.

Frequently Asked Questions (FAQs)

Who are the “all concerned CSIRTs” in art 37.5? All CSIRTs in the Member States? Or all concerned CSIRTs in Europe?

All concerned CSIRTs means all CSIRTs in charge of high- and critical-impact Entities that could be impacted by the specific threat or could provide useful information to high- and critical-impact entities to actively prepare their defenses. The legislation doesn’t apply outside the EU, except if there is a specific agreement (see Art.14).

When should high- and critical-impact Entities start reporting cyber-attacks and sharing information linked (Art.38.3)?

During the transition period, high- and critical-impact entities can apply the NCCS on a voluntary basis. But following Art.38.4 they will need the Cyber-Attack Classification Scale Methodology (Art.37.8) to define if a cyber-attack is reportable or not. In addition, to determine the “potential impact” of a cyber-attack (Art.37.8.a), the methodology may need the result of the Union-Wide Risk Assessment. If a high- or critical-impact Entity reporting an incident through NIS2 estimates that the cross-border electricity flows could be impacted, it should alert its authority of the potential impact.

When should the competent authorities start sharing information related to cyber threats, to unpatched actively exploited vulnerability and to cyber-attacks?

As soon as competent authorities receive information from high- and critical-impact Entities, they should share it according to the NCCS, with full respect of national confidentiality requirements.

Contact us

For any outstanding questions please contact nccs@entsoe.eu

Follow us on LinkedIn, X and YouTube for the latest updates on the Network Code on Cybersecurity (NCCS) and more.

NCCS related Deliverables

European Stakeholder Committee

History & Development of the network code

GET THE MOST POWERFUL NEWSLETTER IN BRUSSELS