The European Commission adopted the Network Code for Cybersecurity (NCCS) in March. The network code on cybersecurity for the electricity sector regulates the process of security assessments on cross-border connections. The code is part of the upcoming European Cyber Act (NIS2), for which Dutch legislation is being prepared. The European transmission system operators are enthusiastic about the network code, but see the long implementation time as a concern.
History
In March and April 2022, the European wind energy sector suffered a series of digital attacks. Hackers managed to disable IT systems, meaning that wind turbines could no longer be controlled remotely. Ultimately, it turned out that it was not the wind turbines themselves, but three suppliers in Germany that were affected. However, the situation has led to parliamentary questions about the digital security of wind turbines.
In response, Minister Jetten quoted, among other things, from the Dutch government's Cyber Security Assessment Netherlands 2022 report. In this report, the National Coordinator for Counterterrorism and Security (NCTV) and the National Cyber Security Center (NCSC) write that the risk of social disruption is high.
The minister then sent the Electricity Risk Preparedness Plan to the House of Representatives. It states that a cyber attack on a grid operator, large electricity producer or large industrial power consumer poses the most real risk of large-scale power outages in the Netherlands and surrounding countries. Other scenarios that must be seriously taken into account are extreme weather, a physical attack on critical network elements and failure of ICT systems. The plan states, among other things, who has what responsibility when a crisis situation arises and which procedures then come into effect.
Finally, in 2022, the minister referred to the 'Netcode on Cybersecurity' that was being worked on in Brussels, intended as a supplementary package of measures to the upcoming Network and Information Security directive (NIS2), the new European cyber law.
The new cyber law focuses on increasing digital resilience and limiting the consequences of cyber incidents in the EU. The NIS2 is the successor to the NIS, which was implemented in the Netherlands in 2019 as the Wbni (Network and Information Systems Security Act). The National Digital Infrastructure Inspectorate (RDI) is currently the supervisor of compliance with the Wbni for the energy sector, the digital infrastructure and for digital service providers.
The NIS2 is currently being converted into Dutch law by the Ministry of Justice and Security (JenV).
Network Code for Cybersecurity (NCCS)
The European Network Code that Minister Jetten referred to was adopted by the European Commission in March. The Network Code for Cybersecurity (NCCS) aims to establish a recurring process of cybersecurity risk assessments in the electricity sector and includes rules for:
- cyber risk assessment
- common minimum requirements
- cybersecurity certification of products and services
- monitoring
- reporting
- crisis management
The network code provides a clear definition of the roles and responsibilities of the various stakeholders for each activity. The European Commission speaks of an "important step to improve the cyber resilience of critical energy infrastructure and services in the EU."
The European transmission system operators (ENTSO-E) contributed to the development of the network code. They believe that this will “make an essential contribution to a safer European electricity system” but see the implementation time as a concern. The European Commission expects the Member States to implement the measures within 8 years. The European Commission did not comment on questions from ENTSO-E about this period.
Competent authority
The NCCS requires member states to appoint or designate a “competent authority” that will be responsible for overseeing the implementation of the various tasks entailed by the code. Pending that appointment, this responsibility will fall to the national electricity market regulator. In the Netherlands this is the Netherlands Authority for Consumers and Markets (ACM).
ACM has now indicated that it “does not have the resources and knowledge to carry out the tasks assigned to the competent authority in the NCCS”. The regulator previously recommended to the European Commission to change the code text in this area. In the version published last week, this did not happen.
Next steps
The file has now been submitted to the Council and the European Parliament, which will examine the text; the rules will enter into force once this period is over. The further implementation of the network code will be the responsibility of the European Parliament and the Energy Council, on which outgoing Minister Jetten sits on behalf of the Netherlands. Both institutions have two months to object to the NCCS. This is followed by the implementation phase.
For the Dutch version of the new cyber law, the internet consultation is expected to start in May 2024: the phase in which organizations can respond to the legal texts resulting from the transposition of the NIS2 directive.
An important difference from the first NIS directive is that organizations automatically fall under the NIS2 directive if they are active in certain sectors. A distinction is made between organizations that are seen as 'essential' or 'important' for the functioning of society and/or the economy. The NIS2 directive also sets stricter security standards (duty of care) and reporting requirements (duty to report) for incidents.
NIS2 - Quick scan
The government launched a quick scan in February for organizations that want to know how they can prepare for the arrival of the new cyber law. The NIS2 Quickscan is mainly intended for ICT and cybersecurity specialists and managers within organizations. The quick scan also offers perspectives for action: technical or organizational measures are proposed per theme that can contribute to the digital resilience of organizations and to the preparation for the NIS2.