Cybersecurity

Implementation indicators 

  • Institutions and legislation

    The strategic cybersecurity goals are defined and the main defence mechanisms are implemented. However, the current framework should be amended to address cybersecurity in the energy sector. Critical infrastructure and services in energy have not been designated. The computer emergency response team KOS-CERT is the cybersecurity service provider for energy.

  • Requirements for operators and NRA

    Risk assessment and security requirements are broadly defined, including operators’ security plans and reporting obligations. However, energy-specific legislation and policies needed by operators to implement the cybersecurity provisions of the acquis are missing. Powers and tasks of the energy regulators should be developed and enforced.

State of implementation

The national computer emergency response team (KOS-CERT), along with five complementary CERTs, constitutes the cyber defence capacity of Kosovo*, and cybersecurity policies are gradually being developed. The energy sector is not addressed to the level required by the acquis; measures for regional cooperation and energy-specific policies are missing.

The Electronic Communication Sector Policy - Digital Agenda for Kosovo* 2013 - 2020 called for risk awareness in information and network security, creation of a computer emergency response team (CERT) and meeting the cybersecurity requirements of the national critical information infrastructures. It calls for ensuring the security and integrity of electronic communication networks and services and for increasing public and business confidence in cyberspace. The Cybersecurity Strategy of Kosovo* 2016 - 2019 called for the identification of critical infrastructure and services and includes references to energy. The follow-up Concept Paper on Network and Information Systems Security Measures, adopted by the Government in 2019, defines the responsibilities of different administrative bodies and promotes cross-sectoral cooperation in cybersecurity. The legislation is largely harmonized with the EU Convention on Cybercrime and implemented through the Ministry of Interior. There is no compliant legislation on cybersecurity for the energy sector yet.

The Law on Critical Infrastructure of 2018 transposes key provisions of Directive 2008/114/EC and recognizes energy production, transmission, distribution and storage of electricity, oil and gas as domains of critical infrastructures. It also provides basic criteria for identification and a procedure for designation. Implementation is delayed, however: operators of critical infrastructure or services in energy are not designated yet. A draft law transposing EU Directive 2016/1148/EC (NIS Directive) is in preparation. The draft law addresses public energy utilities governed by the Ministry of Economy and Environment. KOS-CERT is established and hosted by the Regulatory Authority for Electronic and Postal Communications (ARKEP), under the Law on Electronic Communications. It acts as an incident response coordinating unit, also providing communication, notification and information exchange between the affected parties and security service providers. The draft law will provide a legal basis for the creation of a CERT for Energy in Kosovo*.

The Law on Critical Infrastructure defines a broad set of terms of risk assessment, based on geographical extent and severity. No quantitative criteria or energy-specific references are set. The Law also includes obligations for the development of operators’ security plans, including identification of critical assets, resources, risk analysis and interdependencies. The general requirements, without energy-specific considerations, include the establishment of incident prevention and risk mitigation systems. Operators of critical infrastructures and services are obliged by the Law to report their security concerns to the responsible CERT and the Ministry of Internal Affairs.

There are no energy-specific reporting obligations or security requirements in the currently available regulatory framework. The Energy Regulatory Office (ERO) is not empowered or responsible for any cybersecurity consideration.