This document is an excerpt from the EUR-Lex website
Document 02024R1366-20250914
Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (Text with EEA relevance)
Consolidated text: Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (Text with EEA relevance)
Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (Text with EEA relevance)
02024R1366 — EN — 14.09.2025 — 001.003
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
|
COMMISSION DELEGATED REGULATION (EU) 2024/1366 of 11 March 2024 supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (OJ L 1366 24.5.2024, p. 1) |
Amended by:
|
|
|
Official Journal |
||
|
No |
page |
date |
||
|
COMMISSION DELEGATED REGULATION (EU) 2025/1759 of 19 June 2025 |
L 1759 |
1 |
25.8.2025 |
|
Corrected by:
|
Corrigendum, OJ L 90383, 19.5.2026, p. 1 ((EU) 2024/13662024/1366) |
COMMISSION DELEGATED REGULATION (EU) 2024/1366
of 11 March 2024
supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows
(Text with EEA relevance)
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
This Regulation establishes a network code which lays down sector-specific rules for cybersecurity aspects of cross-border electricity flows, including rules on common minimum requirements, planning, monitoring, reporting and crisis management.
Article 2
Scope
This Regulation applies to cybersecurity aspects of cross-border electricity flows in the activities of the following entities, if they are identified as high-impact or critical-impact entities in accordance with Article 24:
electricity undertakings as defined in Article 2(57) of Directive (EU) 2019/944;
nominated electricity market operators (‘NEMOs’) as defined in Article 2(8) of Regulation (EU) 2019/943;
organised market places or ‘organised markets’ as defined in Article 2(4) of Commission Implementing Regulation (EU) No 1348/2014 ( 1 ) that arrange transactions on products relevant to cross-border electricity flows;
critical ICT service providers as referred to in Article 3, point (9) of this Regulation;
the ENTSO for Electricity established pursuant to Article 28 of Regulation (EU) 2019/943;
the EU DSO entity established pursuant to Article 52 of Regulation (EU) 2019/943;
balancing responsible parties as defined in Article 2, point (14) of Regulation (EU) 2019/943;
operators of recharging points as defined in Annex I to Directive (EU) 2022/2555;
regional coordination centres (‘RCCs’) as established pursuant to Article 35 of Regulation (EU) 2019/943;
managed security service providers (‘MSSP’) as defined in Article 6(40) of Directive (EU) 2022/2555;
any other entity or third party to whom responsibilities have been delegated or assigned pursuant to this Regulation.
The following authorities are, as part of their current mandates, responsible to perform tasks assigned in this Regulation:
the European Union Agency for the Cooperation of Energy Regulators (‘ACER’) established by Regulation (EU) 2019/942 of the European Parliament and of the Council ( 2 );
national competent authorities responsible for carrying out the tasks assigned to them under this Regulation and designated by Member States pursuant to Article 4, or ‘competent authority’;
national regulatory authorities (‘NRAs’) designated by each Member State pursuant to Article 57(1) of Directive (EU) 2019/944;
competent authorities for risk preparedness (‘RP-NCAs’) established pursuant to Article 3 of Regulation (EU) 2019/941;
computer security incident response teams (‘CSIRTs’) as designated or established pursuant to Article 10 of Directive (EU) 2022/2555;
competent authorities responsible for cybersecurity (‘CS-NCAs’) as designated or established pursuant to Article 8 of Directive (EU) 2022/2555;
the European Union Agency for Cybersecurity established pursuant to Regulation (EU) 2019/881;
any other authorities or third party to whom responsibilities have been delegated or assigned pursuant to Article 4(3).
Article 3
Definitions
The following definitions apply:
‘asset’ means any information, software or hardware in the network and information systems either tangible or intangible, that has value to an individual, an organisation or a government;
‘competent authority for risk preparedness’ means the competent authority designated pursuant to Article 3 of Regulation (EU) 2019/941;
‘computer security incident response team’ means a team responsible for risk and incident handling in accordance with Article 10 of Directive (EU) 2022/2555;
‘critical-impact asset’ means an asset that is necessary to carry out a critical-impact process;
‘critical-impact entity’ means an entity that carries out a critical-impact process and that is identified by the competent authorities in accordance with Article 24;
‘critical-impact perimeter’ means a perimeter defined by an entity referred to in Article 2(1) that contains all critical-impact assets and on which access to these assets can be controlled and that defines the scope where the advanced cybersecurity controls apply;
‘critical-impact process’ means a business process carried out by an entity for which the electricity cybersecurity impact indices are above the critical-impact threshold;
‘critical-impact threshold’ means the values of the electricity cybersecurity impact indices referred to in Article 19(3)b, above which a cyber-attack on a business process will cause critical disruption of cross-border electricity flows;
‘critical ICT service provider’ means an entity which provides an ICT service, or ICT process that is necessary for a critical-impact or high-impact process affecting cybersecurity aspects of cross-border electricity flows and that, if compromised, may cause a cyber-attack with impact above the critical-impact or high-impact threshold;
‘cross-border electricity flow’ means a cross-border flow as defined in Article 2(3) of Regulation (EU) 2019/943;
‘cyber-attack’ means an incident as defined in Article 3, point (14), of Regulation (EU) 2022/2554;
‘cybersecurity’ means cybersecurity as defined in Article 2, point (1) of Regulation (EU) 2019/881;
‘cybersecurity control’ means the actions or procedures carried out with the purpose of avoiding, detecting, counteracting, or minimising cybersecurity risks;
‘cybersecurity incident’ means an incident as defined in Article 6, point (6) of Directive (EU) 2022/2555;
‘cybersecurity management system’ means the policies, procedures, guidelines, and associated resources and activities, collectively managed by an entity, in the pursuit of protecting its information assets from cyber threats systematically establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s network and information system security;
‘cybersecurity operation centre’ means a dedicated centre where a technical team consisting of one or more experts, supported by cybersecurity IT systems, performs security-related tasks (Cybersecurity operation center (‘CSOC’) services) such as handling of cyber-attacks and security configuration errors, security monitoring, log analysis, and cyber-attack detection;
‘cyber threat’ means a cyber threat as defined in Article 2, point (8) of Regulation (EU) 2019/881;
‘cybersecurity vulnerability management’ means the practice of identifying and addressing vulnerabilities;
‘entity’ means entity as defined in Article 6, point (38) of Directive (EU) 2022/2555;
‘early alert’ means the information necessary to indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
‘electricity cybersecurity impact index’ (‘ECII’) means an index or classification scale that ranks possible consequences of cyber-attacks to business processes involved in cross-border electricity flows;
‘European cybersecurity certification scheme’ means a scheme as defined in Article 2, point (9) of Regulation (EU) 2019/881;
‘high-impact entity’ means an entity that carries out a high-impact process and that is identified by the competent authorities in accordance with Article 24;
‘high-impact process’ means any business process carried out by an entity for which the electricity cybersecurity impact indices are above the high-impact threshold;
‘high-impact asset’ means an asset that is necessary to carry out a high-impact process;
‘high-impact threshold’ means the values of the electricity cybersecurity impact indices referred to in Article 19(3)b, above which a successful cyber-attack on a process will cause high disruption of cross-border electricity flows;
‘high-impact perimeter’ means a perimeter defined by any entity listed in Article 2(1) that contains all high-impact assets and on which access to these assets can be controlled and that defines the scope where the minimum cybersecurity controls apply;
‘ICT product’ means an ICT product as defined in Article 2, point (12) of Regulation (EU) 2019/881;
‘ICT service’ means an ICT service as defined in Article 2, point (13) of Regulation (EU) 2019/881;
‘ICT process’ means an ICT process as defined in Article 2, point (14) of Regulation (EU) 2019/881;
‘legacy system’ means a legacy ICT system as defined in Article 3(3) of Regulation (EU) 2022/2554;
‘national single point of contact’ means the single point of contact designated or established by each Member State pursuant to Article 8(3) of Directive (EU) 2022/2555;
‘NIS cyber crisis management authorities’ means the authorities designated or established pursuant to Article 9, point (1) of Directive (EU) 2022/2555;
‘originator’ means an entity that initiates an information exchange, information sharing or information storage event;
‘procurement specifications’ means the specifications that entities define for the procurement of new or updated ICT products, ICT processes or ICT services;
‘representative’ means a natural or legal person established in the Union who is explicitly designated to act on behalf of a high or critical-impact entity not established in the Union but delivering services to entities in the Union and who may be addressed by a competent authority or a CSIRT in the place of the high or critical-impact entity itself with regard to the obligations of that entity under this Regulation;
‘risk’ means risk as defined in Article 6, point (9) of Directive (EU) 2022/2555;
‘risk impact matrix’ means a matrix used during risk assessment to determine the resulting risk impact level for each risk assessed;
‘simultaneous electricity crisis’ means an electricity crisis as defined in Article 2, point (10) of Regulation (EU) 2019/941;
‘single point of contact at entity level’ means single point of contact at entity level as designated under Article 38(1) point (c);
‘stakeholder’ is any party that has an interest in the success and ongoing operation of an organisation or process such as employees, directors, shareholders, regulators, associations, suppliers and customers;
‘standard’ means a standard as defined in Article 2(1) of Regulation (EU) No 1025/2012 of the European Parliament and of the Council ( 3 );
‘system operation region’ means the system operation regions as defined in Annex I to ACER Decision 05-2022 on the Definition of System Operation Regions, established in accordance with Article 36 of Regulation (EU) 2019/943;
‘system operators’ means ‘distribution system operator’ (DSO) and ‘transmission system operator’ (TSO) as defined in Articles 2(29) and 2(35) of Directive (EU) 2019/944;
‘Union-wide critical-impact process’ means any electricity sector process, possibly involving multiple entities, for which the possible impact of a cyber-attack may be deemed critical during the performance of the Union-wide cybersecurity risk assessment;
‘Union-wide high-impact process’ means any electricity sector process, possibly involving multiple entities, for which the possible impact of a cyber-attack may be deemed high during the performance of the Union-wide cybersecurity risk assessment;
‘unpatched actively exploited vulnerability’ means a vulnerability, which has not yet been publicly disclosed and patched and for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner;
‘vulnerability’ means a vulnerability as defined in Article 6, point (15) of Directive (EU) 2022/2555.
Article 4
Competent authority
Article 5
Cooperation between relevant authorities and bodies at national level
The competent authorities shall coordinate and ensure appropriate cooperation between the competent authorities responsible for cybersecurity, the cyber crisis management authorities, the NRAs, competent authorities for risk preparedness and CSIRTs for the purpose of the fulfilment of the relevant obligations laid down in this Regulation. The competent authorities shall also coordinate with any other bodies or authorities as determined by each Member State, to ensure efficient procedures and avoid duplications of tasks and obligations. The competent authorities shall be able to instruct the respective NRAs to request ACER for an opinion pursuant to Article 8(3).
Article 6
Terms and conditions or methodologies or plans
The following terms and conditions or methodologies and any amendments thereof shall be subject to approval by all competent authorities:
the cybersecurity risk assessment methodologies pursuant to Article 18(1);
the comprehensive cross-border electricity cybersecurity risk assessment report pursuant to Article 23;
the minimum and advanced cybersecurity controls pursuant to Article 29, the mapping of electricity cybersecurity controls against standards pursuant to Article 34, including minimum and advanced cybersecurity controls in the supply chain in accordance with Article 33;
a cybersecurity procurement recommendation pursuant to Article 35;
the cyber-attacks classification scale methodology pursuant to Article 37(8).
Article 7
Voting rules in the TSOs
Where TSOs deciding on proposals for terms and conditions or methodologies are not able to reach an agreement, they shall decide by qualified majority voting. A qualified majority for such proposals shall be calculated as follows:
TSOs representing at least 55 % of the Member States; and
TSOs representing Member States comprising at least 65 % of the population of the Union.
►C1 Where TSOs of a system operation region deciding on proposals for plans listed in Article 6(3) are not able to reach an agreement, and where the system operation region concerned is composed of more than five Member States, TSOs shall decide by qualified majority voting. A qualified majority for proposals listed in Article 6(2) shall require the following majority: ◄
TSOs representing at least 72 % of the Member States concerned; and
TSOs representing Member States comprising at least 65 % of the population of the concerned area.
Article 8
Submission of proposals to the competent authorities
Article 9
Consultation
Article 10
Stakeholder involvement
ACER, in close cooperation with ENTSO for Electricity and the EU DSO entity, shall organise stakeholder involvement, including regular meetings with stakeholders to identify problems and propose improvements related to the implementation of this Regulation.
Article 11
Recovery of costs
Article 12
Monitoring
ACER shall publish a report at least every three years after the entry into force of this Regulation to:
review the status of implementation of the applicable cybersecurity risk management measures with regard to the high-impact and critical-impact entities;
identify whether additional rules on common requirements, planning, monitoring, reporting and crisis management may be necessary to prevent risks for the electricity sector; and
identify areas of improvement for the revision of this Regulation, or determine uncovered areas and new priorities that may emerge due to technological developments.
Article 13
Benchmarking
Within 12 months after the establishment of the benchmarking guide pursuant to paragraph 1, the NRAs shall carry out a benchmarking analysis to assess whether current investments in cybersecurity:
mitigate risks having an impact on cross-border electricity flows;
provide the desired results and engender efficiency gains for the development of the electricity systems;
are efficient and integrated into the overall procurement of assets and services.
For the benchmarking analysis, the NRAs may take into account the non-binding cybersecurity benchmarking guide established by ACER, and shall assess in particular:
the average expenditure related to cybersecurity for mitigating risks having an impact on electricity cross-border flows, especially with respect to the high-impact and critical-impact entities;
in cooperation with the ENTSO for Electricity and the EU DSO entity, the average prices of cybersecurity services, systems and products that contribute to a large extent to the enhancement and maintenance of the cybersecurity risk-management measures in the different system operation regions;
the existence and level of comparability of costs and functions of cybersecurity services, systems and solutions suitable for the implementation of this Regulation, identifying possible measures necessary to foster efficiency in spending, particularly where cybersecurity technological investments may be needed.
Article 14
Agreements with TSOs from outside the Union
Article 15
Legal representatives
Article 16
Cooperation between the ENTSO for Electricity and the EU DSO Entity
The ENTSO for Electricity and the EU DSO entity shall cooperate in performing cybersecurity risk assessments pursuant to Article 19 and Article 21, and in particular the following tasks:
development of the cybersecurity risk assessment methodologies pursuant to Article 18(1);
development of the Comprehensive Cross-border electricity cybersecurity risk assessment report pursuant to Article 23;
development of the common electricity cybersecurity framework pursuant to Chapter III;
development of the cybersecurity procurement recommendation pursuant to Article 35;
development of the cyber-attacks classification scale methodology pursuant to Article 37(8);
development of the provisional electricity cybersecurity impact index (‘ECII’) electricity cybersecurity impact index pursuant to Article 48(1) point (a);
development of the consolidated provisional list of high-impact and critical-impact entities pursuant to Article 48(3);
development of the provisional list of Union-wide high-impact and critical-impact processes pursuant to Article 48(4);
development of the provisional list of European and international standards and controls pursuant to Article 48(6);
performance of the Union-wide cybersecurity risk assessment pursuant to Article 19;
performance of the regional cybersecurity risk assessments pursuant to Article 21;
definition of the regional cybersecurity risk mitigation plans pursuant to Article 22;
development of guidance on European cybersecurity certification schemes for ICT products, ICT services, and ICT processes in accordance with Article 36;
development of guidelines for the implementation of this Regulation in consultation with ACER and ENISA.
Article 17
Cooperation between ACER and the competent authorities
ACER, in cooperation with each competent authority, shall:
monitor the implementation of cybersecurity risk management measures pursuant to Article 12(2) point (a) and reporting obligations pursuant to Article 27 and Article 39; and
monitor the adoption process and the implementation of the terms and conditions, methodologies or plans pursuant to Article 6(2) and (3). The cooperation between ACER, ENISA and each competent authority may take the form of a cybersecurity risk monitoring body.
CHAPTER II
RISK ASSESSMENT AND IDENTIFICATION OF THE RELEVANT CYBERSECURITY RISKS
Article 18
Cybersecurity risk assessment methodologies
The cybersecurity risk assessment methodologies at Union level, at regional level and at Member State level shall include:
a list of cyber threats to be considered, including at least the following supply chain threats:
a severe and unexpected corruption of the supply chain;
the unavailability of ICT products, ICT services, or ICT processes from the supply chain;
cyber-attacks initiated through actors in the supply chain;
leaking of sensitive information through the supply chain, including supply chain tracking;
the introduction of weaknesses or backdoors into ICT products, ICT services, or ICT processes through actors in the supply chain;
the criteria to evaluate the impact of cybersecurity risks as high or critical, using defined thresholds for consequences and likelihood;
an approach to analyse the cybersecurity risks coming from legacy systems, the cascading effects of cyber-attacks and the real-time nature of systems operating the grid;
an approach to analyse the cybersecurity risks coming from the dependency on a single supplier of ICT products, ICT services or ICT processes.
The cybersecurity risk assessment methodologies at Union level, at regional level and at Member State level shall assess cybersecurity risks using the same risk impact matrix. The risk impact matrix shall:
measure the consequences of cyber-attacks based on the following criteria:
loss of load;
reduction of power generation;
loss of capacity in the primary frequency reserve;
loss of capacity for restoration of an electric grid to operation without relying on the external transmission network to recover after a total or partial shutdown (also called ‘black start’);
the expected duration of an electricity outage affecting customers in combination with the scale of the outage in customer numbers; and
any other quantitative or qualitative criteria that could reasonably act as an indicator of the effect of a cyber-attack on cross-border electricity flows;
measure the likelihood of an incident as the frequency of cyber-attacks per year.
Article 19
Union-wide cybersecurity risk assessment
The Union-wide cybersecurity risk assessment report shall include the following elements:
the Union-wide high-impact processes and the Union-wide critical-impact processes;
a risk impact matrix that entities and the competent authorities shall use to assess the cybersecurity risk identified in the cybersecurity risk assessment at Member State level performed pursuant to Article 20 and in the cybersecurity risk assessment at entity level pursuant to Article 26(2) point (b).
With respect to the Union-wide high-impact processes and the Union-wide critical-impact processes, the Union-wide cybersecurity risk assessment report shall include:
an assessment of the possible consequences of a cyber-attack using the metrics defined in the cybersecurity risk assessment methodology developed pursuant to Article 18(2), (3) and (4), and approved pursuant to Article 8;
the ECII and high-impact and critical-impact thresholds that the competent authorities shall use pursuant to Article 24(1) and (2) to identify high-impact and critical-impact entities involved in the Union-wide high-impact processes and in the Union-wide critical-impact processes.
Article 20
Member State cybersecurity risk assessment
Within 21 months after the notification of the high-and critical-impact entities pursuant to Article 24(6) and every three years after that date, and after consulting the CS-NCA responsible for electricity, each competent authority, supported by the CSIRT, shall provide a Member State cybersecurity risk assessment report to the ENTSO for Electricity and the EU DSO entity, containing the following information for each high-impact and critical-impact business process:
the implementation status of the minimum and advanced cybersecurity controls pursuant to Article 29;
a list of all cyber-attacks reported in the previous three years pursuant to Article 38(3);
a summary of the cyber threat information reported in the previous three years pursuant to Article 38(6);
for each Union-wide high-impact or critical-impact process, an estimate of the risks of a compromise of the confidentiality, integrity and availability for information and relevant assets;
where necessary, a list of additional entities identified as high-impact or critical-impact pursuant to Article 24(1), (2), (3), and (5).
Article 21
Regional cybersecurity risk assessments
Article 22
Regional cybersecurity risk mitigation plans
The regional cybersecurity risk mitigation plans shall include:
the minimum and advanced cybersecurity controls that high-impact and critical-impact entities shall apply in the system operation region;
the residual cybersecurity risks in the system operation regions after applying the controls referred to in point (a).
Article 23
Comprehensive cross-border electricity cybersecurity risk assessment report
The comprehensive cross-border electricity cybersecurity risk assessment report shall be based on the Union-wide cybersecurity risk assessment report, on the Member State cybersecurity risk assessment reports and on the regional cybersecurity risk assessment reports and include the following information:
the list of Union-wide high-impact and critical-impact processes identified in the Union-wide cybersecurity risk assessment report in accordance with Article 19(2) point (a) including the estimation of likelihood and impact of cybersecurity risks evaluated during the regional cybersecurity risk assessment reports pursuant to Article 21(2) and Article 19(3) point (a);
current cyber threats, with a specific focus on emerging threats and risks for the electricity system;
cyber-attacks for the previous period at Union level, providing a critical overview of how such cyber-attacks may have had an impact on electricity cross-border flows;
overall status of implementation of the cybersecurity measures;
status of implementation of the information flows pursuant to Articles 37 and 38;
list of information or specific criteria for classification of information pursuant to Article 46;
identified and highlighted risks that may derive from insecure supply chain management;
results and accumulated experiences from regional and cross-regional cybersecurity exercises organised pursuant to Article 44;
an analysis of the development of the overall cross-border cybersecurity risks in the electricity sector since the last regional cybersecurity risk assessments;
any other information that may be useful to identify possible improvements of this Regulation or the need for a revision of this Regulation or any of its tools; and
aggregated and anonymised information of derogations granted pursuant to Article 30(3).
Article 24
Identification of high-impact and critical-impact entities
Each competent authority may identify additional entities in its Member State as high-impact or critical-impact entities if the following criteria are met:
the entity is part of a group of entities for which there is a significant risk that they will be affected simultaneously by a cyber-attack;
the ECII aggregated over the group of entities is above the high-impact or critical-impact threshold.
Article 25
National verification schemes
If a competent authority decides to establish a national verification scheme, that competent authority shall ensure that the verification is performed in accordance with the following requirements:
any party performing the peer review, audit or inspection shall be independent from the critical-impact entity being verified, and shall have no conflicts of interest;
the staff performing the peer review, audit or inspection shall have demonstrable knowledge of:
cybersecurity in the electricity sector;
cybersecurity management systems;
the principles of auditing;
cybersecurity risk assessment;
the common electricity cybersecurity framework;
the national legislative and regulatory framework and European and international standards in scope of the verification;
the critical-impact processes in scope of the verification;
the party performing the peer review, audit or inspection shall be allowed sufficient time to perform these activities;
the party performing the peer review, audit or inspection shall take the appropriate measures to protect the information they collect during the verification, in line with its confidentiality level; and
peer reviews, audits or inspections shall be performed at least once every year and cover the full verification scope at least every three years.
Article 26
Cybersecurity risk management at entity level
Each high-impact and critical-impact entity shall base its cybersecurity risk management on an approach that aims to protect their network and information systems and that comprises the following phases:
context establishment;
cybersecurity risk assessment at entity level;
cybersecurity risk treatment;
cybersecurity risk acceptance.
During the context establishment phase, each high-impact and critical-impact entity shall:
define the scope of the cybersecurity risk assessment including the high-impact and critical-impact processes identified by the ENTSO for Electricity and the EU DSO entity, and other processes that may be targets of cyber-attacks with a high-impact or critical-impact on cross-border electricity flows; and
define the criteria for risk evaluation and for risk acceptance in accordance with the risk impact matrix that entities and the competent authorities shall use to assess the cybersecurity risks in the cybersecurity risk assessment methodologies at Union level, at regional level and at Member State level developed by the ENTSO for Electricity and the EU DSO entity in accordance with Article 19(2).
During the cybersecurity risk assessment phase, each high-impact and critical-impact entity shall:
identify cybersecurity risks by taking into account:
all assets supporting the Union-wide high-impact and critical-impact processes with an assessment of the possible impact on cross-border electricity flows if the asset is compromised;
possible cyber threats taking into account the cyber threats identified in the latest Comprehensive cross-border electricity cybersecurity risk assessment report referred to in Article 23 and supply chain threats;
vulnerabilities, including vulnerabilities in legacy systems;
possible cyber-attack scenarios, including cyber-attacks affecting the operational security of the electricity system and disrupting cross-border electricity flows;
relevant risk evaluations and assessments carried out at Union level, including coordinated risk assessments of critical supply chains in accordance with Article 22 of Directive (EU) 2022/2555; and
existing implemented controls;
analyse the likelihood and consequences of the cybersecurity risks identified in point (a) and determine the cybersecurity risk level using the risk impact matrix used to assess cybersecurity risks in cybersecurity risk assessment methodologies at Union level, at regional level and at Member State level developed by TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity in accordance with Article 19(2);
classify assets according to the possible consequences when cybersecurity is compromised and determine the high-impact and critical-impact perimeter using the following steps:
perform, for all processes covered by the cybersecurity risk assessment, a business impact assessment using the ECII;
classify a process as high-impact or critical-impact if its ECII is above the high-impact or critical-impact threshold respectively;
determine all high-impact and critical-impact assets as the assets needed for the high-impact and critical-impact processes respectively;
define the high-impact and critical-impact perimeters containing all high-impact and critical-impact assets respectively, so that access to the perimeters may be controlled;
evaluate cybersecurity risks by prioritising them through risk evaluation criteria and risk acceptance criteria referred to in paragraph 3 point (b).
Article 27
Reporting on the risk assessment at entity level
Each high-impact and critical-impact entity shall, within 12 months after the notification of the high-and critical-impact entities pursuant to Article 24(6), and every three years thereafter, provide to the competent authority a report containing the following information:
a list of controls selected for the entity-level risk mitigation plan pursuant to Article 26(5) with the current implementation status of each control;
for each Union-wide high-impact or critical-impact process, an estimate of the risk of a compromise of the confidentiality, integrity, and availability of information and relevant assets. The estimate of this risk shall be given in accordance with the risk impact matrix in Article 19(2);
a list of critical ICT service providers for their critical-impact processes.
CHAPTER III
COMMON ELECTRICITY CYBERSECURITY FRAMEWORK
Article 28
Composition, functioning and review of the common electricity cybersecurity framework
The common electricity cybersecurity framework shall be composed of the following controls and cybersecurity management system:
the minimum cybersecurity controls, developed in accordance with Article 29;
the advanced cybersecurity controls, developed in accordance with Article 29;
the mapping matrix, developed in accordance with Article 34, that maps the controls referred to in points (a) and (b) against selected European and international standards and national legislative or regulatory frameworks;
the cybersecurity management system established pursuant to Article 32.
Article 29
Minimum and advanced cybersecurity controls
Article 30
Derogations from the minimum and advanced cybersecurity controls
The entities listed in Article 2(1) may request the respective competent authority to grant a derogation from their obligation to apply the minimum and advanced cybersecurity controls referred to in Article 29(6). The competent authority may grant such a derogation on one of the following grounds:
in exceptional circumstances, where the entity can demonstrate that the costs of implementing the appropriate cybersecurity controls significantly exceed the benefits. ACER and the ENTSO for Electricity in cooperation with the DSO entity may jointly develop a guidance for estimating the costs of cybersecurity controls to help the entities;
where the entity provides an entity-level risk treatment plan that mitigates the cybersecurity risks using alternative controls to a level that is acceptable in accordance with to the risk acceptance criteria referred to Article 26(3), point (b).
Article 31
Verification of the common electricity cybersecurity framework
Article 32
Cybersecurity management system
Within 24 months after being notified by the competent authority that they have been identified as a high-impact or critical-impact entity in accordance with Article 24(6), each high-impact and critical-impact entity shall establish a cybersecurity management system, and review it every three years thereafter, to:
determine the scope of the cybersecurity management system considering interfaces and dependencies with other entities;
ensure that all its senior management is informed of relevant legal obligations and actively contributes to the implementation of the cybersecurity management system through timely decisions and prompt reactions;
ensure that the resources needed for the cybersecurity management system are available;
establish a cybersecurity policy that shall be documented and communicated within the entity and to parties affected by the security risks;
assign and communicate responsibilities for roles relevant to cybersecurity;
perform cybersecurity risk management at entity level as defined in Article 26;
determine and provide the resources required for the implementation, maintenance and continual improvement of the cybersecurity management system, taking into account the necessary competence and awareness of cybersecurity resources;
determine the internal and external communication that is relevant to cybersecurity;
create, update and control documented information related to the cybersecurity management system;
evaluate the performance and effectiveness of the cybersecurity management system;
conduct internal audits at planned intervals to ensure that the cybersecurity management system is effectively implemented and maintained;
review the implementation of the cybersecurity management system at planned intervals; and control and correct non-compliance of the resources and activities with the policies, procedures, guidelines in the cybersecurity management system.
Article 33
Minimum and advanced cybersecurity controls in the supply chain
The minimum cybersecurity controls in the supply chain shall consist of controls for high-impact and critical-impact entities that:
include recommendations for the procurement of ICT products, ICT services, and ICT processes referring to cybersecurity specifications, covering at least:
the background verification checks of the staff of the supplier involved in the supply chain and dealing with sensitive information or with access to the high-impact or critical-impact assets of the entity. Background verification check may include a verification of the identity and background of staff or contractors of an entity in accordance with national law and procedures and relevant and applicable Union law, including Regulation (EU) 2016/679 and Directive (EU) 2016/680 of the European Parliament and of the Council ( 5 ). Background checks shall be proportionate and strictly limited to what is necessary. They shall be carried out for the sole purpose of evaluating a potential security risk to the entity concerned. They need to be proportional to business requirements, the classification of the information to be accessed and the perceived risks, and may be performed by the entity itself, by an external company performing a screening, or through a government clearing;
the processes for secure and controlled design, development and production of ICT products, ICT services and ICT processes, promoting the design and development of ICT products, ICT services, and ICT processes, which include appropriate technical measures to ensure cybersecurity;
design of network and information systems in which devices are not trusted even when they are within a secure perimeter, require verification of all requests they receive and apply the least privilege principle;
the access of the supplier to the assets of the entity;
the contractual obligations on the supplier to protect and restrict access to the entity’s sensitive information;
the underpinning cybersecurity procurement specifications to subcontractors of the supplier;
the traceability of the application of the cybersecurity specifications from the development through production until delivery of ICT products, ICT services or ICT processes;
the support for security updates throughout the entire lifetime of ICT products, ICT services or ICT processes;
the right to audit cybersecurity in the design, development and production processes of the supplier; and
the assessment of the risk profile of the supplier;
require such entities to take into account the procurement recommendations referred to in subparagraph (a) when concluding contracts with suppliers, collaboration partners and other parties in the supply chain, covering ordinary deliveries of ICT products, ICT services and ICT processes as well as unsolicited events and circumstances like termination and transition of contracts in cases of negligence of the contractual partner;
require such entities to take into account the results of relevant coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1) of Directive (EU) 2022/2555;
include criteria to select and contract suppliers that can meet the cybersecurity specifications as stated in paragraph (a) and that possess a level of cybersecurity appropriate to the cybersecurity risks of the ICT product, ICT service, or ICT processes that the supplier delivers;
include criteria to diversify sources of supply for ICT products, ICT services and ICT processes and reduce the risk of a vendor lock-in;
include criteria to monitor, review or audit the cybersecurity specifications for supplier internal operational processes throughout the entire lifecycle of each ICT product, ICT service and ICT process on a regular basis.
Article 34
Mapping matrix for electricity cybersecurity controls against standards
CHAPTER IV
CYBERSECURITY PROCUREMENT RECOMMENDATIONS
Article 35
Cybersecurity procurement recommendations
The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity, shall develop, in a work programme to be established and updated each time a regional cybersecurity risk assessment report is adopted, sets of non-binding cybersecurity procurement recommendations that high-impact and critical-impact entities may use as a basis for the procurement of ICT products, ICT services and ICT processes in the high-impact and critical-impact perimeters. This work programme shall include the following:
a description and classification of the types of ICT products, ICT services and ICT processes used by high-impact and critical-impact entities in the high-impact and critical-impact perimeter;
a list of the types of ICT products, ICT services, and ICT processes for which a set of non-binding cybersecurity recommendations shall be developed based on the relevant regional cybersecurity risk assessment reports and on the priorities of high-impact and critical-impact entities.
The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity, shall ensure that the sets of cybersecurity procurement recommendations:
comply with the principles of procurement pursuant to Directive 2014/24/EU; and
are compatible with and take into account the most recent available European cybersecurity certification schemes relevant to the ICT product, ICT service, or ICT process.
Article 36
Guidance on use of European cybersecurity certification schemes for procurement of ICT products, ICT services and ICT processes
The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity shall closely cooperate with ENISA in providing the sector-specific guidance included in non-binding cybersecurity procurement recommendations pursuant to paragraph 1.
CHAPTER V
INFORMATION FLOWS, CYBER-ATTACKS AND CRISIS MANAGEMENT
Article 37
Rules on information sharing
If a competent authority receives information related to a reportable cyber-attack, that competent authority:
shall assess the level of confidentiality of that information and inform the entity about the outcome of its assessment without undue delay and not later than within 24 hours of receipt of the information;
shall attempt to find any other similar cyber-attack in the Union reported to other competent authorities, in order to correlate the information received in the context of the reportable cyber-attack with information provided in the context of other cyber-attacks and enrich existing information, strengthen and coordinate cybersecurity responses;
shall be responsible for the removal of business secrets and the anonymisation of the information in accordance with the relevant national and Union rules;
shall share the information with the national single points of contact, CSIRTs and all competent authorities designated pursuant to Article 4 in other Member States without undue delay and no later than 24 hours after the reception of a reportable cyber-attack and provide updated information on a regular basis to those authorities or bodies;
shall disseminate the information of the cyber-attack, after anonymisation and removal of business secrets pursuant to paragraph 1(c), to critical-impact and high-impact entities in its Member State without undue delay and no later than 24 hours after receiving information according to paragraph 1(a), and provide updated information on a regular basis allowing the entities to organise their defence effectively;
may request the reporting high-impact or critical-impact entity to further disseminate the reportable cyber-attack information in a secure manner to other entities that may be affected, with the aim to generate situational awareness by the electricity sector and to prevent the materialisation of a risk that may escalate in a cross-border cybersecurity electricity incident;
shall share with ENISA a summary report, after anonymisation and removal of business secrets, with the information of the cyber-attack.
If a CSIRT becomes aware of an unpatched actively exploited vulnerability, it shall:
share it with ENISA via an appropriate secure information exchange channel without delay, unless otherwise specified in other Union law;
support the concerned entity to receive from the manufacturer or provider an effective, coordinated and rapid management of the unpatched actively exploited vulnerability or of effective and efficient mitigation measures;
share available information with the vendor and request the manufacturer or provider, where possible, to identify a list of CSIRTs in Member States concerned by the unpatched actively exploited vulnerability and that shall be informed;
share available information with the CSIRTs identified under the previous point, based on need-to-know principle;
share, where they exist, mitigation strategies and measures to the reported unpatched actively exploited vulnerability.
If a competent authority becomes aware of an unpatched actively exploited vulnerability, that competent authority shall:
share, where they exist, mitigation strategies and measures to the reported unpatched actively exploited vulnerability, in coordination with the CSIRTs in its Member State;
shall share the information with a CSIRT in the Member State where the unpatched actively exploited vulnerability has been reported.
The TSOs, with the assistance of the ENTSO for Electricity, and in cooperation with the EU DSO entity shall develop a cyber-attack classification scale methodology by 13 June 2025. The TSOs, with the assistance of the ENTSO for Electricity and the EU DSO entity may request the competent authorities to consult ENISA and their competent authorities responsible for cybersecurity for assistance in the development of such classification scale. The methodology shall provide the classification for the gravity of a cyber-attack according to five levels, the two highest levels being ‘high’ and ‘critical’. The classification shall be based on the assessment of the following parameters:
the potential impact considering the assets and perimeters exposed determined in accordance with Article 26(4), point (c); and
the severity of the cyber-attack.
The feasibility study shall address the possibility for such a common tool to:
support critical-impact and high-impact entities with relevant security related information for operations of cross-border electricity flows, such as near real-time reporting of cyber-attacks, early alerts related to cybersecurity matters and undisclosed vulnerabilities on equipment in use in the electricity system;
be maintained in a suitable and highly trustable environment;
allow for data collection from critical-impact and high-impact entities and facilitate removal of confidential information and anonymisation of the data and their prompt dissemination to critical-impact and high-impact entities.
The ENTSO for Electricity, in cooperation with the EU DSO entity, shall:
consult ENISA and the NIS Cooperation Group, the national single points of contact and the representatives of main stakeholders when assessing the feasibility;
present the results of the feasibility study to ACER and the NIS Cooperation Group.
Article 38
Role of high-impact and critical-impact entities as regards information sharing
Each high-impact and critical-impact entity shall:
establish, for all assets within its cybersecurity perimeter determined pursuant to Article 26(4) point (c), at least the CSOC capabilities to:
ensure that the relevant network and information systems and applications provide security logs for security monitoring to enable the detection of anomalies and collect information on cyber-attacks;
conduct security monitoring, including detecting intrusions and assessing vulnerabilities of network and information systems;
analyse and, if necessary, take all actions required under its responsibility and capacity to protect the entity;
participate in the information collection and sharing described in this Article;
have the right to procure all or parts of these capabilities pursuant to point (a) through MSSPs. Critical-impact and high-impact entities shall remain responsible for MSSPs and supervise their efforts;
designate a single point of contact at entity level for the purpose of information sharing.
Each critical-impact and high-impact entity shall provide without undue delay to its CSIRTs any information related to a reportable cyber threat that may have a cross-border effect. Information related to a cyber threat shall be considered reportable when at least one of the following conditions is met:
it provides relevant information for other critical-impact and high-impact entity for preventing, detecting, responding or mitigating the impact of the risk;
the identified techniques, tactics and procedures used in the context of an attack lead to information such as compromised URL or IP addresses, hashes or any other attribute useful to contextualise and correlate the attack;
a cyber threat may be further assessed and contextualised with additional information provided by service providers or third parties not subject to this Regulation.
Each critical-impact entity and high-impact entity shall, when sharing information pursuant to this Article, specify the following:
that the information is submitted pursuant to this Regulation;
whether the information concerns:
a reportable cyber-attack referred to in paragraph 3;
unpatched actively exploited vulnerabilities not publicly known referred to in paragraph 4;
a reportable cyber threat referred to in paragraph 5;
in the case of a reportable cyber-attack, the level of the cyber-attack according to the cyber-attack classification scale methodology referred to in Article 37(8) and information leading to this classification including at least the criticality of the cyber-attack.
Article 39
Detection of cyber-attacks and handling of related information
Critical-impact and high-impact entities shall:
ensure that their own single point of contact at entity level has access on a need-to-know basis to the information they received from the national single point of contact through their competent authority;
unless already done pursuant to Article 3(4) of Directive (EU) 2022/2555, notify the competent authority of the Member State in which they are established and the national single point of contact with a list of their cybersecurity single points of contact at entity level:
from which that competent authority and national single point of contact may expect to receive information about reportable cyber-attacks;
to which competent authorities and national single points of contact may have to provide information;
establish cyber-attack management procedures for cyber-attacks, including roles and responsibilities, tasks and reactions based on the observable evolution of the cyber-attack within the critical-impact and high-impact perimeters;
test the overall cyber-attack management procedures at least every year by testing at least one scenario affecting directly or indirectly cross-border electricity flows. That annual test may be conducted by critical-impact and high-impact entities during the regular exercises referred to in Article 43. Any live cyber-attack response activity with a consequence classified at least Scale 2, according to the cyber-attack classification scale methodology referred to in Article 37(8) and with a cybersecurity root cause, may serve as an annual test of the cyber-attack response plan.
Article 40
Crisis management
The ad hoc cross-border crisis coordination group shall:
coordinate the efficient retrieval and further dissemination of all relevant cybersecurity information to the entities involved in the crisis management process;
organise the communication between all the entities impacted by the crisis and the competent authorities, in order to reduce overlaps and increase the efficiency in the analyses and technical responses to remedy the simultaneous electricity crises with a cybersecurity root cause;
provide, in cooperation with the competent CSIRTs, the expertise required, including operational advice on the implementation of possible mitigation measures to the entities impacted by the incident;
notify and provide regular updates on the state of the incident to the Commission and the Electricity Coordination Group, following the protection principles laid down in Article 46;
seek advice from relevant authorities, agencies or entities that might be of help to mitigate the electricity crisis.
Article 41
Cybersecurity crisis management and response plans
Critical-impact and high-impact entities shall ensure that their cybersecurity-related crisis management processes:
have compatible cross-border cybersecurity incident handling procedures as defined in Article 6(8) of Directive (EU) 2022/2555 formally incorporated in their crisis management plans;
are part of the general crisis management activities.
Within 12 months after the notification of the high-and critical-impact entities pursuant to Article 24(6), and every three years thereafter, critical impact and high-impact entities shall develop a crisis management plan at entity level for a cybersecurity related crisis which shall be included into their general crisis management plans. This plan shall include at least the following:
rules of declaration of the crisis as set out in Article 14(2) and (3) of the Regulation (EU) 2019/941;
clear roles and responsibilities for crisis management, including the role of other relevant critical-impact and high-impact entities;
up-to-date contact information as well as rules for communication and information sharing during a crisis situation including the connection to the CSIRTs.
The critical-impact and high-impact entities shall include their crisis management plans at entity level into their business continuity plans for the critical-impact and high-impact processes. The crisis management plans at entity level shall include:
processes depending on availability, integrity and reliability of IT services;
all business continuity locations including the locations for hardware and software;
all internal roles and responsibilities connected to business continuity processes.
Article 42
Cybersecurity early alert capabilities for the electricity sector
The ECEAC shall enable ENISA when carrying out the tasks listed in Article 7(7) of Regulation (EU) 2019/881 to:
collect voluntary shared information from:
CSIRTs, competent authorities;
the entities listed in Article 2 of this Regulation;
any other entity that wants to share relevant information on a voluntary basis;
assess and classify collected information;
assess the information ENISA has access to for identifying cyber risk conditions and relevant indicators for aspects of cross-border electricity flows;
identify conditions and indicators that frequently correlate with cyber-attacks within the electricity sector;
define whether further analysis and preventive actions shall be taken through assessment and identification of risk factors;
inform the competent authorities on the identified risks and recommended preventive actions specific to the entities concerned;
inform all relevant entities listed in Article 2 on the results of the information assessed in accordance with points (b), (c) and (d) of this paragraph;
periodically include the relevant information in the situational awareness report, issued in accordance with Article 7(6) of Regulation (EU) 2019/881;
derive, where possible, applicable data that indicates that a potential security breach or cyber-attack (‘indicators of compromise’) from the collected information.
ACER shall monitor the effectiveness of the ECEAC. ENISA shall assist ACER by providing all necessary information, pursuant to Articles 6(2) and 7(1) of Regulation (EU) 2019/881. The analysis of this monitoring activity shall be part of the monitoring pursuant to Article 12 of this Regulation.
CHAPTER VI
ELECTRICITY CYBERSECURITY EXERCISE FRAMEWORK
Article 43
Cybersecurity exercises at entity and Member State levels
By derogation from paragraph 1, the RP-NCA, after consulting the competent authority and the relevant cyber crisis management authority as designated or established in Directive (EU) 2022/2555 under Article 9 may decide to organise a cybersecurity exercise at Member State level as described in paragraph 1 instead of performing the cybersecurity exercise at entity level. In this regard, the competent authority shall inform:
all critical-impact entities of its Member State, the NRA, CSIRTs and the CS-NCA at the latest by 30 June of the year preceding the cybersecurity exercise at entity level;
each entity that shall participate in the cybersecurity exercise at Member State level at the latest 6 months before the exercise is to take place.
Article 44
Regional or cross regional cybersecurity exercises
Article 45
Outcome of cybersecurity exercises at entity, Member State, regional or cross regional levels
The organisers of the cybersecurity exercises referred to in Article 43(1) and (2) and in Article 44(1), with the advice of ENISA if requested by them and pursuant to Article 7(5) of Regulation (EU) 2019/881, shall analyse and finalise the relevant cybersecurity exercise through a report summarising the lessons, addressed to all participants. The report shall include:
the exercise scenarios, meeting reports, main positions, successes and lessons learnt at any level of the electricity value chain;
whether the key success criteria were met;
a list of recommendations for entities participating in the relevant cybersecurity exercise to correct, adapt or change cybersecurity crisis processes, procedures, associated governance models and any existing contractual engagements with critical service providers.
CHAPTER VII
PROTECTION OF INFORMATION
Article 46
Principles for the protection of exchanged information
The entities listed in Article 2(1) shall ensure that all necessary protection measures of organisational and technical nature are in place to safeguard and protect the confidentiality, integrity, availability and non-repudiation of information provided, received, exchanged or transmitted under this Regulation, independently from the means used. The protection measures shall:
be proportionate;
take into consideration cybersecurity risks related to known past and emerging threats to which such information may be subject in the context of this Regulation;
to the extent possible, be based on national, European or international standards and best practices;
be documented.
The entities listed in Article 2(1) shall ensure that access to information provided, received, exchanged or transmitted under this Regulation is limited to individuals:
who are authorised to access that information based on their functions and limited to the execution of the tasks assigned;
for whom the entity was able to assess ethical and integrity principles, as well as for whom there is no evidence of negative outcome from a background verification check to evaluate reliability of the individual in accordance with the best practices and standard security requirements of the entity, and, where necessary, with the national laws and regulations.
An entity listed in Article 2(1) may consider that this information shall be shared without complying with paragraphs 1 and 4 of this Article in order to prevent a simultaneous electricity crisis with a cybersecurity root cause or any cross-border crisis within the Union in another sector. In that case, it shall:
consult and be authorised by the competent authority to share such information;
anonymise such information without losing the elements necessary to inform the public of an imminent and serious risk to cross-border electricity flows and the possible mitigation measures;
safeguard the identity of the originator and of the entities that have been processing such information under this Regulation.
Article 47
Confidentiality of information
CHAPTER VIII
FINAL PROVISIONS
Article 48
Temporary provisions
Until the approval of the terms and conditions or methodologies referred to in Article 6(2) or plans referred to in Article 6(3), the ENTSO for Electricity, in cooperation with the EU DSO entity, shall develop non-binding guidance on the following issues:
a provisional electricity cybersecurity impact index (‘ECII’) pursuant to paragraph 2 of this Article;
a provisional list of Union-wide high-impact and critical-impact processes pursuant to paragraph 4 of this Article; and
a provisional list of European and international standards and controls required by national legislation with relevance for cybersecurity aspects of cross-border electricity flows pursuant to paragraph 6 of this Article.
The provisional list of European and international standards and controls shall include:
European and international standards and national legislation which provide guidance on methodologies for cybersecurity risk management at entity level; and
cybersecurity controls equivalent to the controls that are expected to be part of the minimum and advanced cybersecurity controls.
Article 49
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
( 1 ) Commission Implementing Regulation (EU) No 1348/2014 of 17 December 2014 on data reporting implementing Article 8(2) and Article 8(6) of Regulation (EU) No 1227/2011 of the European Parliament and of the Council on wholesale energy market integrity and transparency (OJ L 363, 18.12.2014, p. 121).
( 2 ) Regulation (EU) 2019/942 of the European Parliament and of the Council of 5 June 2019 establishing a European Union Agency for the Cooperation of Energy Regulators (OJ L 158, 14.6.2019, p. 22).
( 3 ) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
( 4 ) Commission Decision of 15 November 2012 setting up the Electricity Coordination Group (2012/C 353/02) (OJ C 353, 17.11.2012, p. 2).
( 5 ) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
( 6 ) Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).