The European Commission (“Commission”) has published a Recommendation on cybersecurity in the energy sector (“Recommendation”).  The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here).  It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.

This Recommendation sets out the main issues related to cybersecurity in the energy sector and identifies actions to enhance cybersecurity preparedness.  The Commission calls on Member States to encourage industry stakeholders to build up knowledge and skills related to cybersecurity and, where appropriate, to include these considerations into their national cybersecurity framework (e.g., through strategies, laws, regulations and other administrative provisions).

  • Address real-time requirements of energy infrastructure components.  The Commission recognizes the challenge of implementing cybersecurity measures in elements of the energy system that need to work under “real-time” conditions (i.e., reacting to commands within milliseconds).  Among other things, the Recommendation encourages energy network operators to take the following particular measures:
    • apply the most recent security standards for new installations, and consider complementary physical security measures where the installed base of old installations cannot be sufficiently protected by cybersecurity measures;
    • implement international standards on cybersecurity and adequate specific technical standards for secure real-time communication as soon as respective products become commercially available; and
    • consider privately owned networks for teleprotection schemes to ensure the quality of service level required in light of real-time constraints (the Recommendation also sets out specific issues to consider when using public communication networks).
  • Implement relevant cybersecurity preparedness measures related to cascading effects in the energy sector.  The Commission recognizes that because electricity grids and gas pipelines are strongly interconnected across Europe, a cyber-attack that creates an outage or disruption in one part of the energy system can trigger “far-reaching cascading effects into other parts of that system.”  Accordingly, the Recommendation encourages Member States to evaluate interdependencies and criticality of power generation and flexible-demand systems, transmission and distribution substations and lines, and the associated impacted stakeholders.  Member States should also ensure that energy network operators have a framework in place to communicate with all key stakeholders in order to share early warning signs and cooperate on crisis management.  For their part, the Recommendation states that energy network operators should, in particular:
    • ensure that new devices, including Internet of Things (“IoT”) devices, have and will maintain a level of cybersecurity appropriate to a site’s criticality;
    • adequately consider cyber-physical effects when establishing and periodically reviewing business continuity plans; and
    • establish design criteria and an architecture for a resilient grid.
  • Protect against threats to legacy and state-of-the-art technology.  The Recommendation recognizes that two different types of technologies co-exist in today’s energy system (i.e., “an older technology with a lifespan of 30 to 60 years, designed before cybersecurity considerations, and modern equipment, reflecting state-of-the-art digitalisation and smart devices”).  Particular recommendations include:
    • Member States should encourage energy network operators and technology suppliers to follow the relevant internationally accepted standards on cybersecurity wherever possible;
    • technology suppliers should provide tested solutions for security issues in legacy or new technologies “free of charge and as soon as a relevant security issue becomes known”; and
    • energy network operators should analyse the risks of connecting legacy and IoT equipment; take suitable measures against malicious attacks from bots; establish an automated monitoring and analysis capability for security-related events in legacy and IoT environments; regularly conduct specific cybersecurity risk analysis on all legacy installations; update software and hardware of legacy and IoT systems to the most recent versions; and formulate tenders with cybersecurity in mind.

Member States will be called upon to communicate to the Commission – within 12 months after the adoption of this Recommendation, and every two years thereafter – detailed information regarding the state of implementation of this Recommendation through the NIS Cooperation Group (established under the NIS Directive).  The Commission intends to regularly review this Recommendation in consultation with Member States and relevant stakeholders.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.