Implementation indicators

  • Institutions and legislation

    Institutions and legislation

    Cybersecurity risk assessment and obligations for energy operators are not directly included in the law. The Energy Regulatory Commission has taken initiative to provide acts on risk management, obligations and other cybersecurity mechanisms in the electricity domain

  • Requirements for operators and energy regulatory authority

    Requirements for operators and energy regulatory authority

    There is no adopted regulation on risk assessment and requirements for critical infrastructure operators in energy. The draft act of the energy regulator ERC addressing cybersecurity-related obligations for public and private energy operators is yet to be adopted. The competences of ERC in cybersecurity should be legally strengthened.

State of implementation

The Cybersecurity Strategy 2018 - 2022 developed by the Ministry of Information Society and Administration aims to provide resilient information and communication technology (ICT) infrastructures, and boost cybersecurity capacity and culture, cyber defence, international cooperation and exchange of information. Specific targets include the transposition of Directive (EU) 2016/1148 (NIS Directive), legal enforcement for critical infrastructures in sectoral laws and establishment of a National Cybersecurity Council.

The Strategy for Information Society of 2005 and the Law on Electronic Communications, as amended in 2021, provide the basic legal framework for security management of ICT infrastructures, applicable also to energy. There is no compliant cybersecurity law in force. The draft Law on Security of Network and Information Systems that transposes the NIS Directive, developed in 2019 and updated in 2021, is not adopted.

The protection of critical infrastructure lacks clear criteria for identification and designation applicable to the energy sector. The draft Law on Security of Network and Information Systems contains provisions addressing the criteria for critical ICT infrastructures.

Based on the Law on Electronic Communications, the responsible authority is the Agency for Electronic Communications, hosting the MKD-CIRT. The CIRT acts as the point of contact for reporting and coordination in dealing with security incidents in ICT systems, providing a coordinated response, education and risk analysis, including for the operators of critical infrastructure and large enterprises in the energy sector.

The methodology for cybersecurity risk assessment and rules on reporting obligations addressing the energy sector are not applied. MKD-CIRT performs assessments of threats in the ICT domain and communicates with stakeholders. The CIRT has established an incident reporting mechanism, which is mandatory for all public bodies and utilities. Security risk management and operators’ obligations related to the supply chain for critical ICT components are enforced by the law.

Amendments to the Energy Law addressing cybersecurity mechanisms in the energy sector, enforcing identification and designation of critical energy infrastructures and providing cybersecurity competences to the energy regulatory authority, are in preparation. The establishment of a specific energy CIRT is foreseen in a draft Cybersecurity Law.

The Energy Regulatory Commission (ERC) has adopted Recommendations including criteria for identification of critical energy infrastructures in the electricity sector in cooperation with MKDCIRT and the Ministry of Economy. ERC is drafting a cybersecurity strategy of the energy sector including requirements and obligations for public and private operators, application of ISO 27001 standards and methodologies for risk assessment and critical asset management.