Network Code on Cybersecurity for Electricity
First sector-specific EU cybersecurity regulation for the electricity sector. Establishes mandatory cybersecurity risk assessments, incident reporting, and supply chain security requirements for transmission and distribution system operators and critical electricity infrastructure entities.
First Sector-Specific EU Cyber Code
Primary Scope: TSO/DSO
Review Cycle: 3 years
Coverage: OT+IT
14 March 2024: Delegated Regulation adopted by Commission
24 June 2024: Network Code enters into force
June 2025: First national implementation measures due
June 2027: ACER first periodic review
Mandatory risk assessments for cross-border electricity flows covering both IT and OT systems. Must be updated regularly and shared with national competent authorities.
Reporting of cybersecurity attacks, threats, and vulnerabilities affecting electricity grid operations to national authorities and ENISA.
Differentiated requirements for high-impact and critical-impact entities. Includes access control, network segmentation, and incident response capabilities for OT and IT environments.
Cybersecurity requirements for procurement of ICT products and services used in electricity infrastructure. Covers vendor assessment and ongoing monitoring.
Set by Member States
Enforcement delegated to national regulatory authorities. Must align with NIS2 penalty framework for essential entities in the energy sector.
Schedule a consultation with our regulatory experts to assess your NCCS compliance posture and build a practical roadmap.