Cybersecurity

Implementation indicators

  • Institutions and legislation

    A cybersecurity strategy for 2021 - 2026 is adopted. The cybersecurity acquis is transposed into national law. The energy sector critical information infrastructure is defined and designated at national level. Energy-specific cybersecurity criteria could be further developed. SRB-CERT covers the energy sector.

  • Requirements for operators and energy regulatory authority

    The risk assessment, security requirements and reporting obligations of energy operators are well established. Energy-specific rules and mechanisms should be considered for increased efficiency. The energy regulator does not have powers in cybersecurity.

State of implementation

The Strategy on the Development of Information Society and Information Security 2021 - 2026 sets targets in the application of security measures with respect to critical information and communication infrastructures, establishment and operation of CERTs and information security audits, handling of threats, and international cooperation. Proposed measures include capacity building, application of new technologies, further digitalization of services and enhanced information security in the public and private domain.

The Law on Information Security, last amended in 2019, transposes the NIS Directive. It promotes risk management, comprehensive protection on all levels and time horizons, application of good practices and development of permanent awareness and competence. It also governs the establishment of a security audit and promotes cooperation between the public and private sector, academic community and civil society through a coordination body. The Ministry of Trade, Tourism and Telecommunications is responsible for its implementation.

The Law identifies the information and communication technology (ICT) systems used in electricity production, transmission and distribution, coal production and processing, oil and derivatives production, processing, transport, distribution and trade, and natural or liquid gas production, processing, transport and distribution, as ICT of Special Significance. The Ministry keeps a registry of specific operators. A Government regulation of 2019 sets a list of activities carried out through ICT systems of special significance including energy activities.

The competent authority is the Regulatory Agency for Electronic Communications and Postal Services (RATEL). It hosts the national computer emergency response team SRB-CERT that covers the ICT security of the energy sector. The CERT acts as a focal point and performs risk assessment, shares risk and incident related information and coordinates prevention and protection activities.

The Law obligates the operators to adopt rules on ICT system security and to set up liaison officers. Risk assessment, testing and reporting are further implemented by the Government Decree on More Detailed Contents of Enhancement on Security of ICT of Special Significance. Security requirements are enhanced by the Decree on Closer Regulation of Protection Measures for ICT of Special Significance, referring to organizational structure, safety in remote operation, identification of assets, classification of data and protection levels, and qualification and responsibility of the personnel. Reporting obligations are detailed in the Decree on Incident Notification Procedure for the ICT of Special Significance, which defines the reporting criteria, content and details for different types of incidents.

The energy regulatory authority AERS does not have any powers or obligations in the domain of cybersecurity.