Cybersecurity

Implementation indicators 

  • Institutions and legislation

    There is no compliant cybersecurity law covering the energy sector and a policy for designation of critical energy infrastructure is missing. The national computer emergency response team (CERT-GOV-MD) is responsible for energy.

  • Requirements for operators and NRA

    General frameworks for security requirements and risk management in the public sector, applicable to energy stakeholders, are in place but reporting is missing. Implementation of energy-specific rules, measures and cooperation mechanisms should follow. The energy regulator does not have competences for cybersecurity.

State of implementation

Moldova’s general cybersecurity rules and policies are well developed and the country is gradually increasing its implementation capabilities. The state security authorities are leading in cyber protection. Energy-specific measures are in the planning phase and compliant cybersecurity legislation in the energy sector is yet to be developed.

The 2013 strategy “Digital Moldova 2020” aims to enhance the cybersecurity of critical infrastructures. It lists measures to identify and protect critical infrastructure including energy networks, harmonize legislation, promote information exchange and international cooperation, and strengthen the capacity of the computer emergency response team (CERT). The follow-up Cybersecurity Programme 2016-2020 goes further by introducing mandatory minimum cybersecurity standards, certification criteria, cybersecurity audits for public communication networks and other critical systems, and penalties for non-compliance. The Information Security Strategy and action plan 2019-2024 provide a roadmap for the development of an integrated cybersecurity and defence platform, but they do not contain energy-specific provisions.

EU legislation on cybersecurity is not transposed. The Law on Preventing and Combating Terrorism of 2017 specifies criteria for the identification of critical infrastructures that can be applied to oil and gas storage facilities and pipelines and transport and distribution of electricity, gas and oil. A mechanism for designation of the operators does not exist. CERT-GOV-MD is the national CERT protecting information and communication systems of the public administration and networks, including energy, from cyber threats, implementing risk mitigation measures and responding to security incidents.

The Cybersecurity Guidelines for civil servants, published in 2018 by CERT-GOV-MD, provide a general framework for risk management and security measures and are applicable to energy operators. No energy-specific risk assessment methodology or policy exists.

General cybersecurity requirements, applicable also to energy operators, are defined by the Governmental Decision on Mandatory Minimum Cybersecurity Requirements of 2017. The Decision designates the Ministry of Economy and Infrastructure as the responsible authority for implementation of cyber policy in all public sectors, including energy. It addresses security measures and internal cybersecurity systems, data protection, access to information and communication technology, obligations of the service providers and incident recovery aspects. Incident notifications are required but no enforcement measures are in place.

The role of the energy regulator ANRE is limited to approving the expenses required for ensuring anti-terrorism protection. The current legislation fails to grant the regulator competences over cybersecurity.