Network Code on Cybersecurity

The Network Code on Cybersecurity (NCCS) aims to set a European standard for the cybersecurity of cross-border electricity flows. It includes rules on cyber risk assessment, common minimum requirements, cybersecurity certification of products and services, monitoring, reporting and crisis management.

This Network Code provides a clear definition of the roles and responsibilities of the different stakeholders for each activity.

To learn more about the different components of the Network Code on Cybersecurity, watch our video series:

Current Status Entered into force Read the Regulation
News & Updates
Play a role in EU electricity cybersecurity: Join cybersecurity stakeholder committee
ACER, in close collaboration with ENTSO-E and DSO Entity are establishing a new European Stakeholder Committee (ESC) on cybersecurity in the electricity sector. What will the cybersecurity committee do? Through this new cybersecurity committee, industry associations will cooperate with each other and with the authorities referred to in the Network Code on Cybersecurity to:
  • identify problems and propose improvements to the implementation of the existing cybersecurity network code;
  • recommend future revisions of the network code;
  • identify whether any additional risk prevention rules may be needed for the electricity sector; and
  • respond to technological developments in the sector.

By tackling these points, the cybersecurity committee will help maintain a high, common level of cyber resilience in Europe’s electricity grid and adapt policy to evolving digital risks. We invite industry associations that could offer a pan-European perspective on cybersecurity aspects of cross-border electricity flows to join.

Deadline to apply is 2 July 2025, with the first meeting planned for autumn 2025. See how to apply.

See the Terms of reference for the cybersecurity committee for electricity.

Deliverables

Archive

Here is a repository of relevant resources related to NCCS.

Frequently Asked Questions (FAQs)

Who are the “all concerned CSIRTs” in art 37.5? All CSIRTs in the Member States? Or all concerned CSIRTs in Europe?

All concerned CSIRTs means all CSIRTs in charge of high- and critical-impact Entities that could be impacted by the specific threat or could provide useful information to high- and critical-impact entities to actively prepare their defenses. The legislation doesn’t apply outside the EU, except if there is a specific agreement (see Art.14).

When should high- and critical-impact Entities start reporting cyber-attacks and sharing information linked (Art.38.3)?

During the transition period, high- and critical-impact entities can apply the NCCS on a voluntary basis. But following Art.38.4 they will need the Cyber-Attack Classification Scale Methodology (Art.37.8) to define if a cyber-attack is reportable or not. In addition, to determine the “potential impact” of a cyber-attack (Art.37.8.a), the methodology may need the result of the Union-Wide Risk Assessment. If a high- or critical-impact Entity reporting an incident through NIS2 estimates that the cross-border electricity flows could be impacted, it should alert its authority of the potential impact.

When should the competent authorities start sharing information related to cyber threats, to unpatched actively exploited vulnerability and to cyber-attacks?

As soon as competent authorities receive information from high- and critical-impact Entities, they should share it according to the NCCS, with full respect of national confidentiality requirements.

Contact us

For any outstanding questions please contact nccs@entsoe.eu

Follow us on LinkedIn, X and YouTube for the latest updates on the Network Code on Cybersecurity (NCCS) and more.

NCCS related Deliverables

European Stakeholder Committee

History & Development of the network code

GET THE MOST POWERFUL NEWSLETTER IN BRUSSELS