The European Union’s electricity sector faces an increasingly complex and sophisticated landscape of cyber threats. As digitalization intensifies and cross-border electricity flows become more interconnected, a compromise of one operator’s IT or OT systems can propagate across borders, which makes well-targeted cybersecurity investment essential.
In response, the Agency for the Cooperation of Energy Regulators (ACER) has issued a guide on Benchmarking Cybersecurity Investments in the EU Electricity Sector. The guide, developed under the mandate of the EU network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows, aims to give national energy regulators a consistent framework for evaluating both the effectiveness (does the spending reduce the relevant risk?) and the efficiency (does it do so at reasonable cost?) of cybersecurity spending.
Why benchmarking matters
The ACER guide marks a significant step towards a harmonized and resilient European electricity grid. By providing a common methodology for benchmarking, it seeks to:
- Enhance comparability: Establish a consistent approach for national regulators to compare the costs and functions of cybersecurity products and services across different entities and Member States. ACER presents this as the first EU-wide analysis of its kind.
- Improve spending efficiency: Identify opportunities for electricity sector entities to optimize their cybersecurity investments, ensuring that resources are allocated effectively to mitigate the most pressing risks.
- Inform regulatory decisions: Provide national regulatory authorities with the necessary data and insights to make informed decisions regarding cybersecurity investment allowances within regulatory frameworks.
- Strengthen overall resilience: Ultimately contribute to a higher, common level of cyber resilience across Europe’s interconnected power systems by promoting best practices and addressing vulnerabilities systematically.
Key recommendations and analysis
ACER’s guide offers practical recommendations for conducting national benchmarking analyses.
- Consistent approach: Emphasizes the need for a unified methodology across national analyses to ensure data comparability and meaningful insights. This will facilitate a holistic understanding of the EU’s cybersecurity posture in the electricity sector.
- Stakeholder engagement: Highlights the importance of identifying and engaging relevant stakeholders who can provide the necessary data for benchmarking. This underscores the collaborative nature of cybersecurity, requiring input from grid operators, IT/OT providers, and security experts.
- Reference lists for benchmarking: Recommends developing clear reference lists of the items to be benchmarked, such as the assets relevant to Union-wide high-impact and critical-impact processes as defined in the network code. A shared list of in-scope assets standardizes what each national exercise measures, so that cost figures from different entities describe comparable things.
- Application of accounting principles: Stresses the application of general accounting principles to assess the costs of benchmarked items, ensuring accuracy and transparency in financial reporting related to cybersecurity.
- Inclusion of macroeconomic factors: Advises incorporating macroeconomic factors, such as inflation, into the analysis to ensure that cost comparisons remain relevant over time.
- Simplified effectiveness evaluation: Recognizes that a benchmarking analysis does not require the same depth as a full cybersecurity risk assessment. It therefore suggests a simplified evaluation of investment effectiveness that still aligns with the network code’s objectives, rather than re-running detailed security assessments for benchmarking purposes.
- Exploring diverse comparison approaches: Encourages the exploration of different approaches for comparing the costs and functions of cybersecurity products and services, fostering flexibility and adaptability in the benchmarking process.
Regulatory landscape
The ACER guide is developed under the framework of the Network Code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (NCCS, Commission Delegated Regulation (EU) 2024/1366), which entered into force in June 2024. The NCCS is a cornerstone of the EU’s broader cybersecurity strategy for the energy sector, complementing horizontal legislation such as the NIS2 Directive (Directive on measures for a high common level of cybersecurity across the Union) and the Directive on the Resilience of Critical Entities (CER Directive).
Compliance implications
- Mandatory benchmarking: The NCCS requires national energy regulators to conduct this benchmarking analysis. Following the publication of ACER’s guide, national regulatory authorities have one year to carry out their respective cybersecurity benchmarking analyses.
- Risk assessment and reporting: The NCCS sets common rules for performing cybersecurity risk assessments, for reporting cyber-attacks, threats and vulnerabilities, and for establishing cybersecurity risk management. The benchmarking exercise feeds into these ongoing compliance efforts by providing data on the cost and effectiveness of the measures entities have implemented.
- Interoperability and cooperation: The overarching aim of the NCCS, and by extension the ACER guide, is to foster a high, common level of cybersecurity for cross-border electricity flows. This necessitates enhanced cooperation and information sharing between Member States and relevant entities. The benchmarking results will contribute to identifying areas where greater harmonization or investment might be needed to support this cross-border resilience.
- Evolution of standards: The EU’s cybersecurity regulatory landscape is dynamic, with developments such as the Cyber Resilience Act (CRA) setting new cybersecurity requirements for products with digital elements (hardware and software). The benchmarking process will need to remain adaptable to these evolving requirements, so that the investments it measures align with current obligations.
- Demonstrating due diligence: For electricity sector entities, participation in and adherence to the benchmarking framework will be crucial for demonstrating their commitment to cybersecurity and fulfilling their regulatory obligations under the NCCS and other relevant EU legislation.