Institutions and legislation
Energy-specific provisions and cross-border cooperation are missing in the current cybersecurity policy and legal framework. Rules and mechanisms for implementation are to be developed and the designation of critical energy infrastructure and services should be completed.
Requirements for operators and the energy regulatory authority (NRA)
A risk assessment methodology for cybersecurity in energy is missing. The energy network operators develop their cybersecurity environment based on applicable standards. Legal obligations for cyber protection, building resilience and incident reporting are not specific to the energy sector. The role and necessary powers of the energy regulatory authority NEURC in cybersecurity need to be established.
State of implementation
The cybersecurity landscape in Ukraine is rather complex, and competences overlap. Following the Information Security Doctrine approved by the President of Ukraine in 2017, the National Security and Defence Council, the Cabinet of Ministers and the Ministry of Information Policy share the responsibilities. The National Institute for Strategic Studies is also accorded specific powers. The cybersecurity legal framework is fragmented and still in development. In 2020, the Ministry of Energy took the initiative to develop a cybersecurity strategy for the energy sector and to advance critical energy infrastructure resilience through international cooperation.
The four-year Cybersecurity Strategy based on the Convention on Cybercrime was approved in 2016. Its goal is to ensure a safe cyberspace through the creation of a legal and institutional cybersecurity system, a high capability of stakeholders to counteract cyber threats and efficient protection of critical information infrastructure. Even though energy companies are recognized as targets of cyberattacks, there are no energy-specific policies and measures, and the cross-border component is missing. The development of a new cybersecurity strategy is under way.
The Law on the Basic Principles of Cybersecurity, adopted in 2017, introduced the designation of critical infrastructure in energy and the concept of risk assessment, but left the specification of criteria to sectoral legislation. The Law identifies responsible stakeholders and facilitates cooperation between authorities. A law on protection of critical infrastructure, aiming to transpose Directive 2016/1148/EC (NIS Directive), was drafted in 2018 but its adoption was delayed. The draft is currently under review by the Committee on Digital Transformations of the Verkhovna Rada.
In 2019, the Government adopted the General Requirements for Cybersecurity of Critical Infrastructure, which transpose some aspects of the NIS Directive and apply to energy in a general manner, with no energy-specific references. Among other things, the act obliges operators to establish an information security risk management policy, designate information security officers and develop security plans. The draft Rules of Procedure for Designation of Critical Infrastructure, currently pending adoption by the Government, include the energy sector and provide energy-specific criteria. Independent audits of information security in critical infrastructure are regulated by the corresponding rules adopted by the Government.
The governmental computer emergency response team (CERT-UA), established by the State Service for Special Communication and Information Protection, has operated its cyber incident response capability since 2009. Its responsibility extends to the energy sector. In 2016, the National Security and Defence Council created a National Coordination Centre for Cybersecurity for detecting, preventing and responding to cyber incidents and predicting potential cyber threats, with competences similar to those of CERT-UA. The rules on security of electricity supply define an obligation to assess supply risks, including cybersecurity risks, but fail to detail a specific risk assessment methodology. Security requirements and obligations to notify threats are imposed in general terms by the Cybersecurity Law, with no reference to specific criteria or mechanisms for the energy sector.
The energy regulatory authority NEURC does not have any powers or obligations in the domain of cybersecurity.