Network Code on Cybersecurity
The Network Code on Cybersecurity (NCCS), EU 2024/1366, is the EU sector-specific framework for cybersecurity requirements in the electricity sector. NCCS complements NIS2 for cross-border electricity operations with specific requirements. Each Member State must designate a national competent authority to identify, supervise, and enforce compliance among high- and critical-impact entities.
EU NCCS was adopted in March 2024 through Commission Delegated Regulation (EU) 2024/1366, supplementing the existing EU Regulation 2019/943 by establishing cybersecurity rules for cross-border electricity flows. While NCCS complements NIS2, there are areas where its requirements go deeper than NIS2 and have a different focus.
Note the NCCS is a complex topic still in flux throughout the EU. This content is a draft for discussion.
NCCS (EU 2024/1366)
Security in cross-border electricity
EU NCCS entered into force in 2024 and is directly applicable across the EU with binding cybersecurity rules for entities in the EU electricity sector.
NCCS application depends on the national transposition of EU NIS2: NCCS builds on NIS2 by specifying sector-specific obligations and relies on key elements of NIS2 (designation of entities, supervisory authorities, risk management frameworks) that must already exist in national law.
Specifically, NCCS establishes binding sector-specific cybersecurity rules for the EU electricity sector. It mandates risk-based security measures, coordinated threat responses, and regulatory oversight across borders to enhance the resilience of critical energy infrastructure:
- Entities: Applies to electricity TSOs (Transmission System Operators), DSOs (Distribution System Operators), significant generation assets, and ICT service providers with high or critical impact.
- Cybersecurity: Energy entities must implement comprehensive cybersecurity measures, including risk management, incident response, supply chain controls, compliance verification, and information sharing.
- Controls: Minimum and advanced cybersecurity controls must be implemented depending on entity impact level, including for ICT supply chains.
- Timeline: Gradual rollout through 2025–2026, starting with provisional designations and risk assessments, followed by compliance deadlines (12–24 months).
- Supervision: Compliance monitored by national competent authorities, supported by ENTSO-E, EU DSO Entity, and CSIRTs.
NCCS establishes a national and coordinated oversight structure for the EU electricity sector.
- Member States must designate a competent regulatory or energy authority by 2024. Art. 4
- That authority coordinates with national CSIRTs and cybersecurity agencies. Art. 5
- Compliance with NCCS may serve as evidence of NIS2 compliance, and vice versa. Recital 15
EU NCCS imposes a broad set of obligations on designated high-impact and critical-impact entities to strengthen cybersecurity across the electricity sector.
| Obligation | Article | Requirement |
|---|---|---|
| Cybersecurity management | 27–29 | Establishment of a CSMS (ISMS equivalent), risk-based asset scoping, and implementation of minimum and advanced security controls. |
| Supply chain security | 33–35 | Cybersecurity requirements in procurement processes and verification of supplier compliance using security-certified products or internal assurance. |
| Incident handling | 32, 38–41 | Early warning obligations, mandatory reporting, and participation in coordinated response procedures. |
| Auditing and compliance | 14 | Competent authorities may conduct inspections, audits, documentation reviews, and technical security scans. |
| Monitoring and benchmarking | 12–13 | Participation in periodic benchmarking exercises to assess and compare cybersecurity maturity. |
Scope
Energy entities
NCCS applies to entities that are designated by authorities as high-impact or critical-impact. Art. 24
National competent authorities are responsible for designating high-impact and critical-impact entities based on ECII criteria. Art. 24(1) Criteria take into account the entity’s relevance for the security of cross-border electricity flows, the potential impact of a disruption, and system stability.
| Group | Entities covered by NCCS |
|---|---|
| Electricity system operators and market actors | Electricity undertakings (as per Directive (EU) 2019/944); Transmission System Operators (TSOs); Distribution System Operators (DSOs); Nominated Electricity Market Operators (NEMOs); organised electricity market platforms (e.g. power exchanges); balancing responsible parties; Regional Coordination Centres (RCCs); operators of recharging points |
| Service and governance entities | Critical ICT service providers; Managed Security Service Providers (MSSPs); delegated or assigned third-party operators; ENTSO-E (European Network of Transmission System Operators for Electricity); EU DSO Entity (EU-level association of DSOs) |
| Third-country actors | Any non-EU entity whose services affect EU cross-border electricity flows, subject to designation by competent authorities. Art. 3(3), 24(2) |
While these entity types are listed in the NCCS, they are not automatically covered. Only those entities explicitly designated by national authorities fall under its binding cybersecurity obligations.
The classification of electricity entities as high or critical-impact under NCCS is based on their potential to disrupt cross-border electricity flows in the event of a cyber incident. Determination of criticality is made by national authorities using ECII, Electricity Cybersecurity Impact Index. Art. 24
| Impact level | Definition | Article |
|---|---|---|
| High-impact | Disruption causes major impact on cross-border electricity flows | 3(24), 19(3) |
| Critical-impact | Disruption leads to critical interruption or destabilisation | 3(7), 3(8) |
NCCS and NIS2
Entities in both regulations
Several entities in the electricity sector are subject to both the NCCS and the NIS2 Directive. While NIS2 sets general cybersecurity obligations for essential and important entities, NCCS introduces sector-specific requirements for high- and critical-impact actors. In cases of overlap, Recital 15 clarifies that compliance with one regulation may serve as evidence of compliance with the other.
NCCS-specific obligations include a classification based on the Electricity Cybersecurity Impact Index (ECII) Art. 24, implementation of minimum and advanced cybersecurity controls, including supply chain measures Art. 29, 33, and the development of a sector-specific Cybersecurity Management System and a mapping matrix aligned with international standards. Art. 32, 34
Deepened requirements
NCCS complements and, in some areas, deepens NIS2 requirements, affecting primarily TSOs, DSOs, and ICT service providers that operate critical systems in the electricity sector. These fall under the scope of both NIS2 and the NCCS due to their essential role in cross-border electricity flows and their designation as high- or critical-impact entities under Art. 2(1) NCCS and Annex I of NIS2.
| NCCS entities | NIS2 sector | NCCS obligations | NIS2 scope |
|---|---|---|---|
| Transmission System Operators (TSOs) | Energy | Sector-specific risk management, ECII classification, minimum and advanced cybersecurity controls | “Essential entity” under Annex I (energy sector) |
| Distribution System Operators (DSOs) | Energy | Obligations tied to impact level (Art. 24); implementation of CSMS and supply chain controls | Covered if size and relevance thresholds are met |
| Electricity market operators, balancing service providers | Energy | Subject to NCCS if designated as high- or critical-impact Art. 2(1) | May qualify as “important entities” under Annex II |
| Critical ICT service providers (e.g. SCADA, EMS) | ICT in Energy | Specific security controls including supply chain requirements Art. 33 | Covered under NIS2 depending on criticality and service scope |
Cybersecurity
NCCS obligations
The binding obligations introduced by the NCCS include risk-based security management, detailed reporting requirements, independent audits, and mandatory controls (many of which go beyond NIS2 in scope and specificity).
Designated entities must submit a comprehensive report to their national authority (e.g. BNetzA in Germany) within twelve months of classification. Art. 27
- Selected and implemented mitigation controls Art. 26(5)
- Risk estimates for all Union-wide critical-impact processes, based on the Art. 19(2) matrix
- A list of critical ICT providers for critical-impact processes
Critical-impact entities must demonstrate compliance with cybersecurity controls and management systems within 24 months via either national verification schemes or third-party audits. Art. 31 NCCS obligations may be recognised as equivalent to NIS2 compliance where applicable. Recital 15 Art. 17
| Requirement | Energy entities | ICT providers* |
|---|---|---|
| Security management Art. 28–34 | ✓ | |
| Incident reporting Art. 27, 38–39 | ✓ | |
| Supply chain Art. 18, 33 | ✓ | ✓ * |
| Audit and compliance Art. 25, 29, 31 | ✓ | |
| Monitoring and benchmarking Art. 12, 13, 17 | ✓ * | |
Cybersecurity Management System (CSMS)
All high-impact and critical-impact entities must implement a cybersecurity management system (CSMS) aligned with European and international standards. This system serves as the NCCS equivalent of an ISMS and forms the core of each entity’s risk mitigation obligations. Art. 28
TSOs are required to develop harmonised cybersecurity risk assessment frameworks at EU, regional, and national level by March 2025. Risks need to include supply chains, legacy systems, cascading effects and single supplier dependencies, and apply a common EU risk impact matrix to evaluate impact and likelihood. Art. 18
Although many national authorities have not yet designated entities or initiated formal compliance processes, the obligation under Art. 18 remains binding.
Responsibilities for cybersecurity risk assessments under Art. 19–21 and Art. 26 are divided across EU, national, and entity level. The table below outlines who is responsible at each level, the legal basis, and how each assessment feeds into the broader regulatory framework.
| Assessment | Responsible | Article | Risk Basis | Role in NCCS Framework |
|---|---|---|---|---|
| Union-wide | ENTSO-E, EU DSO Entity | 19 | Internal mapping of sectoral processes, impact metrics, ECII derivation | Define Union-wide impact thresholds, ECII logic, and risk impact matrix; input to cybersecurity controls (Art. 29, 33) |
| Regional | ENTSO-E, EU DSO Entity | 21 | Aggregated Member State assessments using common risk impact matrix | Inform regional mitigation plans, cross-border risk reports, and procurement guidelines |
| Member State-level | National Competent Authority (e.g. BSI) | 20 | Entity-level assessments; cyber threat and incident data (Art. 38) | Contribute to regional aggregation; recommend additional controls; assess national implementation status |
| Entity-level | Designated high-/critical-impact entity | 26 | Own risk environment using EU matrix and thresholds | Feed into Member State report; guide CSMS implementation; report selected controls and risks |
Security requirements
The NCCS defines detailed compliance obligations for high- and critical-impact entities. These include the implementation of technical controls, the setup of a cybersecurity management system, and structured risk management processes. Obligations follow a regular cycle and are aligned with thresholds and responsibilities. Art. 24–34
Entities must perform regular structured risk management, consisting of context establishment, risk assessment, treatment, and acceptance. These processes must be based on a risk impact matrix developed at EU level and include supply chain and legacy system considerations. Art. 26
The selected risk mitigation controls must be reported to the competent authority within twelve months of designation and every three years thereafter. Compliance with the CSMS and associated controls must be demonstrated through independent audits or national verification schemes. Art. 27, 31
| Obligation | Description | Article |
|---|---|---|
| Cybersecurity Management System (CSMS) | Establish a CSMS as part of the common cybersecurity framework alongside minimum/advanced controls and control mapping | 28(1) |
| Minimum and Advanced Controls | Minimum controls apply to high-impact entities; advanced controls apply to critical-impact entities | 28(2)(3) |
| Application of Controls | Controls must be implemented within the entity's designated perimeter according to impact level | 28(2) |
| Controls Development | ENTSO-E and EU DSO Entity, in cooperation with TSOs, develop and update controls based on risk assessments | 29(1)(2) |
| Integration into Risk Mitigation Plans | Controls must be integrated into risk mitigation plans within twelve months of their approval or update | 29(6) |
| Control Verification Options | Compliance may be demonstrated via national verification scheme or third-party audit | 29(3) 25(2) |
| Derogations | Derogations may be granted under strict conditions due to disproportionate cost or alternative safeguards | 30(1)(2) |
| Periodic Compliance Verification | Critical-impact entities must verify and report compliance every three years, covering all critical assets | 31(1)–(5) |
| Supply Chain Controls | Minimum and advanced supply chain controls apply across the full ICT lifecycle (e.g. procurement, design) | 33(1)(2) |
| Procurement Verification | Critical-impact entities must verify compliance of critical ICT assets through certification or assurance | 33(4) |
| Supply Chain Control Timeline | Supply chain controls apply to procurement six months after their approval/update | 33(5) |
| Control-Standards Mapping | Controls are mapped against selected EU/international standards and updated via regional risk assessment | 34(1)–(3) |
| Risk Management Cycle | Perform full cycle every three years: context, assessment, treatment, risk acceptance | 26 |
| Asset Inventory | Maintain full inventory of ICT systems/assets; subject to inspection, not reporting | 28(2) |
| Risk Assessment Report | Submit triennial report with selected controls, risk levels, and list of critical ICT providers | 27 |
| Initial Compliance Demonstration | Prove compliance within 24 months of designation via audit or verification scheme | 25(1)–(2) |
Assets and impact
High-impact and critical-impact assets
NCCS defines a critical asset as any asset essential to the operation of the electricity system, including ICT systems, data, and services. Art. 3(2) At the entity level these form the foundation of cybersecurity risk management. NCCS distinguishes between high-impact and critical-impact assets based on the severity of potential disruption to cross-border electricity flows.
A high-impact asset is required for executing a high-impact process, defined as a process exceeding the high-impact threshold. Art. 19(3)(b), 3(25), 3(26) These assets are located within a high-impact perimeter, which defines the area where minimum cybersecurity controls apply. Art. 3(27)
A critical-impact asset is necessary for a critical-impact process. Art. 2(4), 2(7) These assets are included in a critical-impact perimeter, subject to advanced cybersecurity controls. Art. 2(6) Entities identified as high- or critical-impact by national authorities must conduct risk management for all assets in these perimeters. Art. 26(2)
Asset classifications are based on the electricity cybersecurity impact indices and thresholds defined in Art. 19 and referenced in Art. 3. These thresholds determine whether a process qualifies as high-impact or critical-impact, guiding the identification of corresponding assets and the application of minimum or advanced cybersecurity controls.
Critical processes
Critical-impact processes are defined as business operations whose ECII scores exceed the critical threshold. Art. 2(7), 19(3), 24(1) They will be identified in the EU cybersecurity risk assessment, the first step of the NCCS risk cycle that functions as EU-level business impact assessment. Art. 19
The supporting document by ENTSO-E and the EU DSO Entity provides methodological guidance with impact metrics related to frequency, voltage, generation capacity, and restoration capability. However, it does not establish a formal list of critical processes as this list will be adopted as part of the Union-wide cybersecurity risk assessment report. Art. 19(3)
According to the NCCS, the list of Union-wide critical-impact processes will be the basis for designating critical-impact entities Art. 24(1), defining the scope of entity-level risk assessments Art. 26(3) and reporting of risk levels. Art. 27(2) It also plays a role in crisis management planning Art. 41(9), and a provisional version may be issued to guide voluntary early compliance. Art. 48(4)
Implications for upstream suppliers
While the NCCS formally applies only to designated entities, its implications extend to upstream suppliers, including manufacturers of ICT components, software vendors, and service providers due to the comprehensive security measures required by operators across the full lifecycle of ICT products, services, and processes. Art. 33(2)
Responsibility for compliance with Art. 33 requirements lies with the operator, not the supplier. Operators must translate NCCS obligations into their procurement and supplier management.
Consequently, suppliers in the energy sector may be required to meet compliance expectations, such as providing technical assurances, undergoing security certifications, or disclosing development procedures even though they are not directly regulated under the NCCS.
Incident reporting
Reporting obligations
EU NCCS aligns with the reporting obligations under Art. 23 EU NIS2 and introduces additional requirements for high-impact and critical-impact entities. Where a significant incident is reported under Art. 23 EU NIS2 and the notification includes the relevant information required by the NCCS, this satisfies NCCS reporting obligations. Art. 38
Additionally, each high-impact and critical-impact entity must, within twelve months after its identification and then every three years, submit a report to the competent authorities. Art. 24(6) Art. 27
Incident notifications submitted under Art. 23 EU NIS2 are considered sufficient for NCCS purposes, provided they include all information required under Art. 27 and 38 of NCCS.
Risk report
Beyond the incident reporting, each designated high- or critical-impact entity must submit a cybersecurity risk report to the competent authority. This report must contain:
- a list of the selected mitigation controls and their implementation status Art. 26(5)
- an estimate of residual risks to confidentiality, integrity, and availability using the risk impact matrix defined in Art. 19(2)
- a list of critical ICT service providers involved in the operation of critical-impact processes. Art. 27
The first risk report must be submitted within twelve months of the entity’s designation (by the national competent authority) and must be updated every three years thereafter. Art. 24(6), 27
Supply chain
NCCS requires high-impact and critical-impact entities to address ICT supply chain risks in their cybersecurity risk assessments. Art. 18(2) Based on these assessments, binding minimum and advanced cybersecurity controls must be developed and implemented. Art. 33
Security in the supply chain
Minimum and advanced cybersecurity controls must be implemented across the entire lifecycle of ICT products, services, and processes. The supply chain controls must be developed by the TSOs, with the assistance of ENTSO-E and in cooperation with the EU DSO Entity: Art. 33(1)
- Background checks on supplier personnel (if permitted), secure-by-design development principles, enforcement of zero-trust architectures, access restrictions, contractual safeguards, audit rights, and traceability of security requirements across the supply chain lifecycle. Art. 33(2)(a)
- Entities must also consider lock-in risks, ensure supplier diversification, and incorporate results from EU-wide coordinated risk assessments into procurement decisions. Art. 33(2)(b)–(f)
- All requirements must be applied in accordance with public procurement principles or based on tailored specifications derived from entity-level risk assessments. Art. 33(3)
- All supply chain controls become binding for procurement processes launched six months after the controls’ adoption or update. Art. 33(5)
- Supply chain controls must be revised regularly based on regional risk assessments. Art. 33(6)
Critical-impact entities are additionally required to verify that critical ICT components meet the defined cybersecurity specifications through either EU certification schemes or internal assurance measures, with sufficient depth to mitigate identified risks. Art. 33(4)
Compliance
Authorities
Each Member State is required to designate a National Competent Authority (NCCS-NCA) responsible for overseeing high- and critical-impact entities bound to the NCCS. The designation must occur no later than six months after the regulation enters into force, with the authority’s name and contact details notified to the Commission, ACER, and the Electricity Coordination Group. Art. 5
National competent authorities are responsible for designating high-impact and critical-impact entities based on ECII criteria. Art. 24(1) This designation process begins once the EU-wide ECII thresholds are adopted. Member States may provisionally notify candidate entities based on provisional ECII thresholds published by ENTSO-E and the EU DSO Entity. Art. 48(3)
Supervision
NCCS obliges Member States to ensure that national competent authorities have comprehensive supervisory powers over high-impact and critical-impact entities in the electricity sector: on-site inspections and off-site supervision, random checks, regular or risk-based security audits, and targeted assessments. Entities must provide all necessary documentation and evidence.
National authorities may establish a national verification scheme to verify compliance by critical-impact entities. This scheme may involve inspections, independent audits, or peer reviews, and must be supervised by the competent authority. All audits must follow strict procedural and expertise-related requirements to ensure independence, sectoral knowledge, and confidentiality. Art. 25
National authorities for NCCS may also establish a national verification scheme to assess compliance with minimum and advanced cybersecurity controls. Art. 33
Audits
Compliance with cybersecurity must be verified through regular audits, reviews or inspections. Each high- or critical-impact entity must ensure that the entire verification scope is covered at least once every three years, with partial audits taking place annually. Art. 25(2)
Entities can choose to demonstrate compliance either by participating in a national verification scheme or by undergoing an independent third-party audit. Art. 25(1), 25(2), 29(3), 31(2) Where a national verification scheme is used, the authority must report annually to ACER on the frequency of inspections conducted. Art. 25(3)
In addition, critical-impact entities are required to demonstrate compliance with the relevant cybersecurity controls within 24 months of their adoption or update. Art. 31(1)
EU Monitoring
EU ACER, the Agency for the Cooperation of Energy Regulators, is responsible for monitoring the implementation of the NCCS in cooperation with ENISA, ENTSO-E, and the EU DSO Entity, and must publish a report at least every three years reviewing implementation status, identifying gaps, and recommending improvements. Art. 12(2)
Entities must submit relevant data to ACER, which may issue guidance on the process and indicators used for monitoring. Art. 12(3), (5), (6)
NCCS obligates ACER, in cooperation with ENISA, to publish a non-binding cybersecurity benchmarking guide by June 2025. Within twelve months, NRAs must assess whether cybersecurity investments are effective, efficient, and integrated into procurement processes. Art. 13(1), (2) Results are confidential but shared with competent authorities, ACER, ENISA, and the European Commission. Art. 13(5)
ECII thresholds
Provisional ECII thresholds have been developed and published by ENTSO-E and the EU DSO Entity, allowing Member States to identify and notify candidate entities. Formal designations will follow once the final ECII is adopted on the basis of a Union-wide risk assessment.
| EU Member State | High-impact threshold for NCCS (through ECII) | Critical-impact threshold for NCCS (through ECII) |
|---|---|---|
| Austria | 500 MW | 3,000 MW |
| Belgium | 1,500 MW | 3,000 MW |
| Bulgaria | 250 MW | 3,000 MW |
| Croatia | 250 MW | 3,000 MW |
| Cyprus | 250 MW | 800 MW |
| Czech Republic | 500 MW | 3,000 MW |
| Denmark | 1,000 MW | 3,000 MW |
| Estonia | 500 MW | 900 MW |
| Finland | 1,500 MW | 3,000 MW |
| France | 1,500 MW | 3,000 MW |
| Germany | 1,500 MW | 3,000 MW |
| Greece | 500 MW | 3,000 MW |
| Hungary | 500 MW | 3,000 MW |
| Ireland | 500 MW | 700 MW |
| Italy | 1,500 MW | 3,000 MW |
| Latvia | 500 MW | 900 MW |
| Lithuania | 500 MW | 900 MW |
| Luxembourg | 1,500 MW | 3,000 MW |
| Malta | 250 MW | 250 MW |
| Netherlands | 1,500 MW | 3,000 MW |
| Poland | 1,000 MW | 3,000 MW |
| Portugal | 250 MW | 3,000 MW |
| Romania | 1,000 MW | 3,000 MW |
| Slovakia | 500 MW | 3,000 MW |
| Slovenia | 1,000 MW | 3,000 MW |
| Spain | 1,000 MW | 3,000 MW |
| Sweden | 1,500 MW | 3,000 MW |
Further Information
Literature
- European System of Financial Supervision, European Central Bank, 2024.
- ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification, European Securities and Markets Authority, 17.01.2024.
- Cybersecurity benchmarking guide, EU ACER, 13 June 2025
- Regulation (EU) 2019/943 on XXXTITLEXXX, 5 June 2019
Sources
- Regulation (EU) 2024/1366 on XXXTITLEXXX, 11 March 2024