Network Code on Cybersecurity

The EU Network Code on Cybersecurity (NCCS), EU 2024/1366, is the European framework for sector-specific cybersecurity requirements in the electricity sector. NCCS complements NIS2 for cross-border electricity operations with specific requirements. Each Member State must designate a national competent authority to identify, supervise, and enforce compliance among high- and critical-impact entities.
EU NCCS was adopted in March 2024 through Commission Delegated Regulation (EU) 2024/1366, which supplements Regulation (EU) 2019/943 by establishing cybersecurity rules for cross-border electricity flows. While NCCS complements NIS2, in several areas its requirements go deeper than NIS2 and have a different focus.
Note the NCCS is a complex topic still in flux throughout the EU. This content is a draft for discussion.
NCCS (EU 2024/1366)
Security in the Energy sector
The NCCS entered into force in May 2024 and is directly applicable across the EU. It sets binding cybersecurity rules for the electricity sector.
Although the NCCS is legally in force, its practical application depends on the national transposition of the NIS2 Directive. While Member States were obligated to transpose NIS2 into national law by 17 October 2024, this has not yet occurred in all jurisdictions. The NCCS builds on NIS2 by specifying sector-specific obligations and relies on key elements of NIS2 (e.g. designation of essential and important entities, the establishment of supervisory authorities, and risk management frameworks) that must exist in national law. As a result, full enforcement of the NCCS remains uneven across the EU until NIS2 is fully implemented.
Specifically, NCCS establishes binding sector-specific cybersecurity rules for the EU electricity sector. It mandates risk-based security measures, coordinated threat responses, and regulatory oversight across borders to enhance the resilience of critical energy infrastructure:
- Entities: Applies to electricity TSOs (Transmission System Operators), DSOs (Distribution System Operators), significant generation assets, and ICT service providers with high or critical impact.
- Cybersecurity: Energy entities must implement comprehensive cybersecurity measures, including risk management, incident response, supply chain controls, compliance verification, and information sharing.
- Controls: Minimum and advanced cybersecurity controls must be implemented depending on entity impact level, including for ICT supply chains.
- Timeline: Gradual rollout through 2025–2026, starting with provisional designations and risk assessments, followed by compliance deadlines (12–24 months).
- Supervision: Compliance monitored by national competent authorities, supported by ENTSO-E, EU DSO Entity, and CSIRTs.
NCCS establishes a national and coordinated oversight structure for the EU electricity sector.
- Member States must designate a competent regulatory or energy authority by 13 December 2024, like BNetzA in Germany Art. 4
- The designated competent authority coordinates with national CSIRTs and cybersecurity agencies (e.g. BSI in Germany) Art. 5
- Compliance with NCCS may serve as evidence of NIS2 compliance, and vice versa Recital 15
Like NIS2, NCCS relies on national competent authorities for enforcement. However, it explicitly mandates closer coordination between sectoral regulators, CSIRTs, and cybersecurity agencies to reflect the systemic and cross-border nature of electricity flows.
Obligations in NCCS
EU NCCS imposes a broad set of obligations on designated high-impact and critical-impact entities to strengthen cybersecurity across the electricity sector.
Obligation | Article | Requirement |
---|---|---|
Cybersecurity management | 27–29 | Establishment of a CSMS (ISMS equivalent), risk-based asset scoping, and implementation of minimum and advanced security controls. |
Supply chain security | 33–35 | Cybersecurity requirements in procurement processes and verification of supplier compliance using security-certified products or internal assurance. |
Incident handling | 32, 38–41 | Early warning obligations, mandatory reporting, and participation in coordinated response procedures. |
Auditing and compliance | 14 | Competent authorities may conduct inspections, audits, documentation reviews, and technical security scans. |
Monitoring and benchmarking | 12–13 | Participation in periodic benchmarking exercises to assess and compare cybersecurity maturity. |
Scope
Energy entities
The Network Code on Cybersecurity (NCCS) applies only to entities that are formally designated as high-impact or critical-impact. Art. 24 This designation is carried out by national competent authorities, based on criteria such as the entity’s relevance for the security of cross-border electricity flows, the potential impact of a disruption, and other factors related to system stability.
NCCS lists several entity groups that fall under its scope if designated: Art. 2(1)
Entity group | Entities covered |
---|---|
Electricity system operators and market actors | Electricity undertakings (as per Directive (EU) 2019/944), Transmission System Operators (TSOs), Distribution System Operators (DSOs), Nominated Electricity Market Operators (NEMOs), organised electricity market platforms (e.g. power exchanges), balancing responsible parties, Regional Coordination Centres (RCCs), operators of recharging points |
Service and governance entities | Critical ICT service providers, Managed Security Service Providers (MSSPs), delegated or assigned third-party operators, ENTSO-E (European Network of Transmission System Operators for Electricity), EU DSO Entity (EU-level association of DSOs) |
Third-country actors | Any non-EU entity whose services affect EU cross-border electricity flows, subject to designation by competent authorities Art. 3(3), 24(2) |
While these entity types are listed in the NCCS, they are not automatically covered. Only those entities explicitly designated by national authorities fall under its binding cybersecurity obligations.
Entities under ECII
The classification of electricity sector entities as "high-" or "critical-impact" under the NCCS is based on their potential to disrupt cross-border electricity flows in the event of a cyber incident. Determination of criticality is made by national authorities using thresholds defined through ECII, Electricity Cybersecurity Impact Index. Art. 24
Impact Level | Definition | Article |
---|---|---|
High-impact | Disruption causes major impact on cross-border electricity flows | 3(24), 19(3) |
Critical-impact | Disruption leads to critical interruption or destabilisation | 3(7), 3(8) |
NCCS and NIS2
Entities in both regulations
Several entities in the electricity sector are subject to both the NCCS and the NIS2 Directive. While NIS2 sets general cybersecurity obligations for essential and important entities, NCCS introduces sector-specific requirements for high- and critical-impact actors. In cases of overlap, Recital 15 clarifies that compliance with one regulation may serve as evidence of compliance with the other.
NCCS-specific obligations include a classification based on the Electricity Cybersecurity Impact Index (ECII) Art. 24, implementation of minimum and advanced cybersecurity controls, including supply chain measures Art. 29, 33, and the development of a sector-specific Cybersecurity Management System and a mapping matrix aligned with international standards. Art. 32, 34
DSOs, TSOs and ICT
NCCS complements and, in some areas, deepens NIS2 requirements, affecting primarily TSOs, DSOs, and ICT service providers that operate critical systems in the electricity sector. These fall under the scope of both NIS2 and the NCCS due to their essential role in cross-border electricity flows and their designation as high- or critical-impact entities under Art. 2(1) NCCS and Annex I of NIS2.
NCCS entities | NIS2 sector | NCCS obligations | NIS2 scope |
---|---|---|---|
Transmission System Operators (TSOs) | Energy | Sector-specific risk management, ECII classification, minimum and advanced cybersecurity controls | “Essential entity” under Annex I (energy sector) |
Distribution System Operators (DSOs) | Energy | Obligations tied to impact level (Art. 24), implementation of CSMS and supply chain controls | Covered if size and relevance thresholds are met |
Electricity market operators, balancing service providers | Energy | Subject to NCCS if designated as high- or critical-impact Art. 2(1) | May qualify as “important entities” under Annex II |
Critical ICT service providers (e.g. SCADA, EMS) | ICT in Energy | Specific security controls including supply chain requirements Art. 33 | Covered under NIS2 depending on criticality and service scope |
ECII thresholds
Provisional ECII thresholds have been developed and published by ENTSO-E and the EU DSO Entity, allowing Member States to identify and notify candidate entities. Formal designations will follow once the final ECII is adopted on the basis of a Union-wide risk assessment.
EU Member State | High-impact threshold for NCCS (through ECII) | Critical-impact threshold for NCCS (through ECII) |
---|---|---|
Austria | 500 MW | 3,000 MW |
Belgium | 1,500 MW | 3,000 MW |
Bulgaria | 250 MW | 3,000 MW |
Croatia | 250 MW | 3,000 MW |
Cyprus | 250 MW | 800 MW |
Czech Republic | 500 MW | 3,000 MW |
Denmark | 1,000 MW | 3,000 MW |
Estonia | 500 MW | 900 MW |
Finland | 1,500 MW | 3,000 MW |
France | 1,500 MW | 3,000 MW |
Germany | 1,500 MW | 3,000 MW |
Greece | 500 MW | 3,000 MW |
Hungary | 500 MW | 3,000 MW |
Ireland | 500 MW | 700 MW |
Italy | 1,500 MW | 3,000 MW |
Latvia | 500 MW | 900 MW |
Lithuania | 500 MW | 900 MW |
Luxembourg | 1,500 MW | 3,000 MW |
Malta | 250 MW | 250 MW |
Netherlands | 1,500 MW | 3,000 MW |
Poland | 1,000 MW | 3,000 MW |
Portugal | 250 MW | 3,000 MW |
Romania | 1,000 MW | 3,000 MW |
Slovakia | 500 MW | 3,000 MW |
Slovenia | 1,000 MW | 3,000 MW |
Spain | 1,000 MW | 3,000 MW |
Sweden | 1,500 MW | 3,000 MW |
Cybersecurity
Security in NCCS
The binding obligations introduced by the NCCS include risk-based security management, detailed reporting requirements, independent audits, and mandatory controls (many of which go beyond NIS2 in scope and specificity).
Designated entities must submit a comprehensive report to their national authority (e.g. BNetzA in Germany) within 12 months of classification. Art. 27
- Selected and implemented mitigation controls Art. 26(5)
- Risk estimates for all Union-wide critical-impact processes, based on the Art. 19(2) matrix
- A list of critical ICT providers for critical-impact processes
Critical-impact entities must demonstrate compliance with cybersecurity controls and management systems within 24 months via either national verification schemes or third-party audits. Art. 31 NCCS obligations may be recognised as equivalent to NIS2 compliance where applicable. Recital 15 Art. 17
Requirement | Energy entities | ICT providers* |
---|---|---|
Security management Art. 28–34 | ✓ | |
Incident reporting Art. 27, 38–39 | ✓ | |
Supply chain Art. 18, 33 | ✓ | ✓ * |
Audit and compliance Art. 25, 29, 31 | ✓ | |
Monitoring and benchmarking Art. 12, 13, 17 | ✓ * |
Cybersecurity Management System (CSMS)
All high-impact and critical-impact entities must implement a cybersecurity management system (CSMS) aligned with European and international standards. This system serves as the NCCS equivalent of an ISMS and forms the core of each entity’s risk mitigation obligations. Art. 28
According to Art. 18(1) of the NCCS, TSOs were required to develop harmonised cybersecurity risk assessment frameworks at Union, regional, and Member State level by 13 March 2025. These frameworks must account for risks such as supply chain corruption, legacy systems, cascading effects, and single supplier dependencies, and apply a common EU risk impact matrix to evaluate both impact and likelihood. Art. 18(2) Although many national authorities have not yet designated entities or initiated formal compliance processes, the obligation under Art. 18 remains binding.
This regulatory asymmetry (TSOs are expected to fulfil EU-level planning obligations in the absence of fully operational Member State processes) creates a gap that may require additional coordination between national and EU level. To support compliance with Art. 18, a supporting document was jointly published by ENTSO-E and the EU DSO Entity in 2025, providing background on the rationale, structure, and technical choices underlying the proposed risk assessment frameworks.
The responsibilities for cybersecurity risk assessments under Art. 19–21 and Art. 26 of the NCCS are divided across Union, regional, Member State, and entity level. The table below outlines who is responsible at each level, the legal basis, and how each assessment feeds into the broader regulatory framework.
Assessment | Responsible | Article | Risk Basis | Role in NCCS Framework |
---|---|---|---|---|
Union-wide | ENTSO-E, EU DSO Entity | 19 | Internal mapping of sectoral processes, impact metrics, ECII derivation | Define Union-wide impact thresholds, ECII logic, and risk impact matrix; input to cybersecurity controls (Art. 29, 33) |
Regional | ENTSO-E, EU DSO Entity | 21 | Aggregated Member State assessments using common risk impact matrix | Inform regional mitigation plans, cross-border risk reports, and procurement guidelines |
Member State-level | National Competent Authority (e.g. BSI) | 20 | Entity-level assessments; cyber threat and incident data (Art. 38) | Contribute to regional aggregation; recommend additional controls; assess national implementation status |
Entity-level | Designated high-/critical-impact entity | 26 | Own risk environment using EU matrix and thresholds | Feed into Member State report; guide CSMS implementation; report selected controls and risks |
Security requirements
The NCCS defines detailed compliance obligations for high- and critical-impact entities. These include the implementation of technical controls, the setup of a cybersecurity management system, and structured risk management processes. Obligations follow a regular cycle and are aligned with thresholds and responsibilities. Art. 24–34
Entities must perform a structured risk management process every three years, consisting of context establishment, risk assessment, treatment, and acceptance. These processes must be based on a risk impact matrix developed at EU level and include supply chain and legacy system considerations. Art. 26
The selected risk mitigation controls must be reported to the competent authority within 12 months of designation and every three years thereafter. Compliance with the CSMS and associated controls must be demonstrated through independent audits or national verification schemes. Art. 27, 31
Obligation | Description | Article |
---|---|---|
Cybersecurity Management System (CSMS) | Establish a CSMS as part of the common cybersecurity framework alongside minimum/advanced controls and control mapping | 28(1) |
Minimum and Advanced Controls | Minimum controls apply to high-impact entities; advanced controls apply to critical-impact entities | 28(2)(3) |
Application of Controls | Controls must be implemented within the entity's designated perimeter according to impact level | 28(2) |
Controls Development | ENTSO-E and EU DSO Entity, in cooperation with TSOs, develop and update controls based on risk assessments | 29(1)(2) |
Integration into Risk Mitigation Plans | Controls must be integrated into risk mitigation plans within 12 months of their approval or update | 29(6) |
Control Verification Options | Compliance may be demonstrated via national verification scheme or third-party audit | 29(3), 25(2) |
Derogations | Derogations may be granted under strict conditions due to disproportionate cost or alternative safeguards | 30(1)(2) |
Periodic Compliance Verification | Critical-impact entities must verify and report compliance every three years, covering all critical assets | 31(1)–(5) |
Supply Chain Controls | Minimum and advanced supply chain controls apply across the full ICT lifecycle (e.g. procurement, design) | 33(1)(2) |
Procurement Verification | Critical-impact entities must verify compliance of critical ICT assets through certification or assurance | 33(4) |
Supply Chain Control Timeline | Supply chain controls apply to procurement six months after their approval/update | 33(5) |
Control-Standards Mapping | Controls are mapped against selected EU/international standards and updated via regional risk assessment | 34(1)–(3) |
Risk Management Cycle | Perform full cycle every three years: context, assessment, treatment, risk acceptance | 26 |
Asset Inventory | Maintain full inventory of ICT systems/assets; subject to inspection, not reporting | 28(2) |
Risk Assessment Report | Submit triennial report with selected controls, risk levels, and list of critical ICT providers | 27 |
Initial Compliance Demonstration | Prove compliance within 24 months of designation via audit or verification scheme | 25(1)–(2) |
Assets and impact
High-impact and critical-impact assets
NCCS defines a critical asset as any asset essential to the operation of the electricity system, including ICT systems, data, and services. Art. 3(2) At the entity level these form the foundation of cybersecurity risk management.
Within this category, NCCS distinguishes between high-impact and critical-impact assets based on the severity of potential disruption to cross-border electricity flows. The classifications are determined using electricity cybersecurity impact indices and thresholds. A high-impact asset is one required for executing a high-impact process, defined as a process exceeding the high-impact threshold. Art. 19(3)(b), 3(25), 3(26) These assets are located within a high-impact perimeter, which defines the area where minimum cybersecurity controls apply. Art. 3(27)
A critical-impact asset is necessary for a critical-impact process, where impact indices exceed the more stringent critical-impact threshold. Art. 2(4), 2(7) These assets are included in a critical-impact perimeter, which is subject to advanced cybersecurity controls. Art. 2(6) Entities identified as high-impact or critical-impact by national competent authorities must conduct full risk management for all assets within these perimeters every three years. This includes context establishment, risk assessment, treatment planning, and residual risk acceptance. Art. 26(2)
Asset classifications are based on the electricity cybersecurity impact indices and thresholds defined in Art. 19 and referenced in Art. 3. These thresholds determine whether a process qualifies as high-impact or critical-impact, guiding the identification of corresponding assets and the application of minimum or advanced cybersecurity controls.
Critical processes
Critical-impact processes are defined as business operations whose ECII scores exceed the critical threshold. Art. 2(7), 19(3), 24(1) They will be identified in the Union-wide cybersecurity risk assessment, which marks the first step of the NCCS risk cycle and functions as an EU-level business impact assessment. Art. 19
The supporting document by ENTSO-E and the EU DSO Entity provides methodological guidance for this step, including impact metrics related to frequency, voltage, generation capacity, and restoration capability (Annex I, Section 2.1). However, it does not establish a formal list of critical processes, as this list will be adopted as part of the Union-wide cybersecurity risk assessment report mandated under Art. 19(3).
According to the NCCS, the list of Union-wide critical-impact processes will serve as the basis for designating critical-impact entities Art. 24(1), defining the scope of entity-level risk assessments Art. 26(3)(a), and reporting estimated risk levels every three years Art. 27(2). It also plays a role in crisis management planning Art. 41(9), and a provisional version may be issued to guide voluntary early compliance. Art. 48(4)
Implications for upstream suppliers
While the NCCS formally applies only to designated (high-impact and critical-impact) entities, its implications extend to upstream suppliers, including manufacturers of ICT components, software vendors, and service providers, because operators are required to implement comprehensive security measures across the full lifecycle of ICT products, services, and processes under Art. 33(2).
Responsibility for compliance with Art. 33 requirements lies with the operator, not the supplier. However, operators must contractually and procedurally translate NCCS obligations into their procurement and supplier management processes. Consequently, upstream suppliers may be required to meet de facto compliance expectations, such as providing technical assurances, undergoing security certifications, or disclosing development procedures even though they are not directly regulated under the NCCS.
This is particularly relevant for ICT components used in critical-impact processes, such as frequency control, restoration capabilities, or market coordination. In practice, the NCCS, much like NIS2, contributes to a systemic shift in cybersecurity accountability toward the supply chain, making regulatory compliance a shared concern across interconnected actors.
Incident reporting
EU NCCS aligns with the reporting obligations under Art. 23 EU NIS2 and introduces additional requirements for high-impact and critical-impact entities. Where a significant incident is reported under EU NIS2 (Art. 23) and the notification includes the relevant information required by the NCCS, this satisfies NCCS reporting obligations. Art. 38
Additionally, each high-impact and critical-impact entity must, within twelve months after its identification and then every three years, submit a report to the competent authorities. Art. 24(6) Art. 27
Reporting requirements
Incident notifications submitted under Art. 23 EU NIS2 are considered sufficient for NCCS purposes, provided they include all information required under Art. 27 and 38 of NCCS.
Beyond the incident reporting, each designated high- or critical-impact entity must submit a cybersecurity risk report to the competent authority. This report must contain:
- a list of the selected mitigation controls and their implementation status Art. 26(5)
- an estimate of residual risks to confidentiality, integrity, and availability using the risk impact matrix defined in Art. 19(2)
- a list of critical ICT service providers involved in the operation of critical-impact processes. Art. 27
The first risk report must be submitted within 12 months of the entity’s designation (by the national competent authority) and must be updated every three years thereafter. Art. 24(6), 27
Supply chain
NCCS requires high-impact and critical-impact entities to address ICT supply chain risks—such as component unavailability, supplier-initiated cyberattacks, or data leakage—within their cybersecurity risk assessments. Art. 18(2) Based on these assessments, binding minimum and advanced cybersecurity controls must be developed and implemented. Art. 33
Security in the supply chain
Minimum and advanced cybersecurity controls must be implemented across the entire lifecycle of ICT products, services, and processes. The supply chain controls are intended to mitigate risks identified in the Union-wide cybersecurity risk assessments and must be developed by the TSOs, with the assistance of ENTSO-E and in cooperation with the EU DSO Entity. Art. 33(1)
Minimum controls apply to both high-impact and critical-impact entities and must guide procurement:
- Background checks on supplier personnel (where legally permitted), secure-by-design development principles, enforcement of zero-trust architectures, access restrictions, contractual safeguards, audit rights, and traceability of security requirements across the supply chain lifecycle. Art. 33(2)(a)
- Entities must also consider lock-in risks, ensure supplier diversification, and incorporate results from EU-wide coordinated risk assessments into procurement decisions. Art. 33(2)(b)–(f)
- All requirements must be applied in accordance with public procurement principles or based on tailored specifications derived from entity-level risk assessments. Art. 33(3)
- All supply chain controls become binding for procurement processes launched six months after the controls’ adoption or update. Art. 33(5)
- Supply chain controls must be revised regularly based on regional risk assessments. Art. 33(6)
Critical-impact entities are additionally required to verify that critical ICT components meet the defined cybersecurity specifications through either EU certification schemes or internal assurance measures, with sufficient depth to mitigate identified risks. Art. 33(4)
Compliance
Authorities
Each Member State is required to designate a National Competent Authority (NCCS‑NCA) responsible for overseeing high‑ and critical‑impact entities bound to the NCCS. The designation must occur no later than six months after the Regulation enters into force, with the authority’s name and contact details notified to the Commission, ACER, and the Electricity Coordination Group. Art. 5
National competent authorities are responsible for designating high-impact and critical-impact entities based on ECII criteria. Art. 24(1) This designation process begins once the EU-wide ECII thresholds are adopted. Member States may provisionally notify candidate entities based on provisional ECII thresholds published by ENTSO-E and the EU DSO Entity. Art. 48(3)
Supervision
NCCS obliges Member States to ensure that national competent authorities have comprehensive supervisory powers over high-impact and critical-impact entities in the electricity sector: on-site inspections and off-site supervision, random checks, regular or risk-based security audits, and targeted assessments. Entities must provide all necessary documentation, including cybersecurity policies, audit reports, and implementation evidence.
National authorities may establish a national verification scheme to verify compliance by critical-impact entities. This scheme may involve inspections, independent audits, or peer reviews, and must be supervised by the competent authority. All audits must follow strict procedural and expertise-related requirements to ensure independence, sectoral knowledge, and confidentiality. Art. 25
National authorities for NCCS may also establish a national verification scheme to assess compliance with minimum and advanced cybersecurity controls. Art. 33
Audits
Compliance with cybersecurity controls must be verified through regular audits, reviews or inspections.
Each high- or critical-impact entity must ensure that the entire verification scope is covered at least once every three years, with partial audits taking place annually. Art. 25(2) Entities can choose to demonstrate compliance either by participating in a national verification scheme or by undergoing an independent third-party audit. Art. 25(1), 25(2), 29(3), 31(2) Where a national verification scheme is used, the authority must report annually to ACER on the frequency of inspections conducted. Art. 25(3)
In addition, critical-impact entities are required to demonstrate compliance with the relevant cybersecurity controls within 24 months of their adoption or update. Art. 31(1)
EU Monitoring
EU ACER, the Agency for the Cooperation of Energy Regulators, is responsible for monitoring the implementation of the NCCS in cooperation with ENISA, ENTSO-E, and the EU DSO Entity, and must publish a report at least every three years reviewing implementation status, identifying gaps, and recommending improvements. Art. 12(2) Entities must submit relevant data to ACER, which may issue guidance on the process and indicators used for monitoring. Art. 12(3), (5), (6)
NCCS obligates ACER, in cooperation with ENISA, to publish a non-binding cybersecurity benchmarking guide for NRAs by June 2025. Within 12 months, NRAs must assess whether cybersecurity investments are effective, efficient, and integrated into procurement processes. Art. 13(1), (2) Results are confidential but shared with competent authorities, ACER, ENISA, and the European Commission. Art. 13(5)
Further Information
Literature
- European System of Financial Supervision, European Central Bank, 2024.
- ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification, European Securities and Markets Authority, 17 January 2024.
- Cybersecurity benchmarking guide, EU ACER, 13 June 2025.