The European Commission (“Commission”) has published a Recommendation on cybersecurity in the energy sector (“Recommendation”). The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here). It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.

This Recommendation sets out the main issues related to cybersecurity in the energy sector and identifies actions to enhance cybersecurity preparedness. The Commission calls on Member States to encourage industry stakeholders to build up knowledge and skills related to cybersecurity and, where appropriate, to include these considerations into their national cybersecurity framework (e.g., through strategies, laws, regulations and other administrative provisions).

• Address real-time requirements of energy infrastructure components. The Commission recognizes the challenge of implementing cybersecurity measures in elements of the energy system that need to work under “real-time” conditions (i.e., reacting to commands within milliseconds). Among other things, the Recommendation encourages energy network operators to take the following particular measures:

• apply the most recent security standards for new installations, and consider complementary physical security measures where the installed base of old installations cannot be sufficiently protected by cybersecurity measures;
• implement international standards on cybersecurity and adequate specific technical standards for secure real-time communication as soon as respective products become commercially available; and
• consider privately owned networks for teleprotection schemes to ensure the quality of service level required in light of real-time constraints (the Recommendation also sets out specific issues to consider when using public communication networks).

• Implement relevant cybersecurity preparedness measures related to cascading effects in the energy sector. The Commission recognizes that because electricity grids and gas pipelines are strongly interconnected across Europe, a cyber-attack that creates an outage or disruption in one part of the energy system can trigger “far-reaching cascading effects into other parts of that system.” Accordingly, the Recommendation encourages Member States to evaluate interdependencies and criticality of power generation and flexible-demand systems, transmission and distribution substations and lines, and the associated impacted stakeholders. Member States should also ensure that energy network operators have a framework in place to communicate with all key stakeholders in order to share early warning signs and cooperate on crisis management.

For their part, the Recommendation states that energy networks should, in particular:

• ensure that new devices, including Internet of Things (“IoT”) devices, have and will maintain a level of cybersecurity appropriate to a site’s criticality;
• adequately consider cyber-physical effects when establishing and periodically reviewing business continuity plans; and
• establish design criteria and an architecture for a resilient grid.

• Protect against threats to legacy and state-of-the-art technology. The Recommendation recognizes that two different types of technologies co-exist in today’s energy system (i.e., “an older technology with a lifespan of 30 to 60 years, designed before cybersecurity considerations, and modern equipment, reflecting state-of-the-art digitalisation and smart devices”). Particular recommendations include:

• Member States should encourage energy network operators and technology suppliers to follow the relevant internationally accepted standards on cybersecurity wherever possible;
• technology suppliers should provide tested solutions for security issues in legacy or new technologies “free of charge and as soon as a relevant security issue becomes known”; and
• energy network operators should analyse the risks of connecting legacy and IoT equipment; take suitable measures against malicious attacks from bots; establish an automated monitoring and analysis capability for security-related events in legacy and IoT environments; regularly conduct specific cybersecurity risk analysis on all legacy installations; update software and hardware of legacy and IoT systems to the most recent versions; and formulate tenders with cybersecurity in mind.

Member States will be called upon to communicate to the Commission – within 12 months after the adoption of this Recommendation, and every two years thereafter – detailed information regarding the state of implementation of this Recommendation through the NIS Cooperation Group (established under the NIS Directive). The Commission intends to regularly review this Recommendation in consultation with Member States and relevant stakeholders.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.