The European Commission has just published a report with key findings on how the EU cybersecurity rules under the NIS Directive are implemented in the crucial Energy sector, in particular in electricity, gas and oil areas.

The report takes stock of the implementation of the main NIS Directive requirements across the EU, notably on the ways to identify the so-called Operators of Essential Service (OES), security measures, incident notification requirements.

This is the first sector-specific report produced by the Cooperation Group established under the Directive on Security of Network and Information Systems (EU) 2016/1148 (NIS Directive), the first horizontal piece of legislation on cybersecurity at EU level. The Group gathers national cybersecurity authorities, Commission and ENISA, the EU agency for Cybersecurity.

The report includes information on governance models chosen, lessons learnt and best practices at national level and presents cybersecurity capabilities of EU associations, organisations and bodies with a role in the energy sector. In addition, it provides an overview of the different public-private collaboration schemes in place across the EU.

In line with the Commission Recommendation of 3.4.2019 on cybersecurity in the energy sector, the document supports Member States in addressing energy sector specificities, such as real-time security requirements, cascading effects and the combination of legacy and state-of-the-art technologies, when implementing the NIS Directive. More specifically, the report maps the Commission Recommendation against international standards (e.g. ISO) and good practices.

Next steps

The document will serve as a basis for future work of the Cooperation Group, which should focus primarily on the implementation of the Commission Recommendation. The Recommendation requires Member States to communicate to the Commission, through the NIS Cooperation Group, detailed information regarding the state of implementation within 12 months after its adoption.

Related documents: