Europex comments on draft Network Code for cybersecurity aspects of cross-border electricity flows

The digital transformation of the energy sector as well as society at large is bringing about new challenges, requiring adapted and innovative responses. As the number of cyber-attacks continues to rise, Europex strongly supports the Commission’s goal of building resilience to cyber threats and ensuring citizens and businesses benefit from a secure and digital energy system.

However, to avoid a patchwork of cybersecurity rules for essential services and critical infrastructures, regulators must ensure that the criteria of proportionality, harmonisation and efficiency are always at the core of the development of current and future cybersecurity legislation. These criteria need to be taken into consideration when developing dedicated sectoral approaches such as the sector-specific rules for cybersecurity aspects of cross-border electricity flows.

For the proposed draft network code (status: 14 January 2022) to allow for the needed cross-sectoral standardisation while avoiding a patchwork of different rules applicable to the same entity, we recommend limiting its application to where it directly concerns cross-border electricity flows.

In line with Article 1, the network code should clearly be limited to assets affecting cross-border electricity flows, which are defined under Article 4(14) as a “physical flow of electricity on a transmission network of a Member State that results from the impact of the activity of producers, customers, or both, outside that Member State on its transmission network as defined in Article 2(3) of Regulation (EU) 2019/943”. Even though it is our understanding that trading venues (as defined under point (4) of Article 2 of the European Market Infrastructure Regulation [EMIR]) and CCPs (as defined under point (1) of Article 2 of EMIR) are already sufficiently covered by existing regulation and should therefore be allowed a derogation under Article 23(b) by the NRAs, we call for legal certainty.

Furthermore, we call for the alignment of the network code on cybersecurity with the current draft regulation of the Digital Operational Resilience Act [DORA] as well as the revised Network and Information Security [NIS2] Directive. While NIS2 aims at ensuring high levels of cybersecurity across sectors, DORA functions as “lex specialis” for the financial sector. Targeting the financial services industry and banking sector as well as the critical ICT service providers, DORA includes provisions on ICT risk management, cyber incident reporting, digital resilience testing, information sharing arrangements and managing of ICT third-party risk.

In conclusion, CCPs and trading venues are already fulfilling high cybersecurity standards under existing regulation, using international standards and sector-specific guidelines for interpretation. A lack of alignment of the network code on cybersecurity with the two legislative proposals of NIS2 and DORA poses the risk of unnecessary duplications in the financial sector as soon as the two proposals enter into force. Consequently, such a lack of alignment would work against the overall aim of stronger as well as more harmonised cybersecurity measures within the European Union.