The go beyond the news with a dynamic new guide published by the Agency for the Cooperation of Energy Regulators (ACER) on benchmarking of cybersecurity investments, towards harmonization in the context of the European Union’s electricity sector.
This action, which has been prepared for under the binding EU-wide network code on sector-specific rules for the cybersecurity of cross-border electricity flows, marks a major step in enhancing the cyber resilience of Europe’s critical energy infrastructure as the number of cyber threats faced by the energy sector continues to rise.
The guide offers a consistent approach that national energy regulators can use to evaluate the costs and benefits of cybersecurity investments.
This is the first ever EU-wide review of this kind, providing an important instrument to detect where money could be spent more efficiently to increase the union’s overall cyber defence.
ACER’s proposals suggest a common procedural approach at national level for the performance of the analyses, the identification of main stakeholders for the provision of the data and the definition of reference lists for the comparison of the reference values as regards to the relevant assets within the Union-wide processes of high and critical impact.
The guide also recommends that general accounting principles be used to assess cost and macroeconomic factors be considered in the analysis.
As the inherent complexity of EU electricity systems grows, the threat of cyber attacks against them also rises, with an increasing number of digital systems (e.g., smart meters, sensors, automatic monitoring and control systems) being interconnected.
The emergence of assets that are dispersed and can be decentralized, supply chain risk, and an increase in the sophistication of attacks (including from state-sponsored actors) and the use of artificial intelligence in malicious software also pose challenges.
There are reports that ransomware, phishing and malware attacks are on the rise with major events already affecting European energy companies.
ACER -The Agency, which is a key actor in developing the single European energy market and continuously provides advice on European energy legislation, also engages in partnerships with international experts as well as EU institutions on building robust cyber methodologies.
This new manual supports the Network Code on Cybersecurity (NCCS), which took effect from June 2024 and lays down shared rules to raise cyber resilience throughout Europe’s energy networks.
The national regulatory authorities will already have one year to conduct their first analysis of cybersecurity benchmarking based on this comprehensive guidance and with today’s the publication of this guidance we strengthen the common commitment for secure and resilient European electricity grid.”
