To address the challenging topic of upcoming information and cybersecurity regulations, we have asked ourselves a provocative question: “Does the European Union’s security regulation support or undermine the digital transformation in the energy sector?”
One of the strongest arguments for the European Union adopting horizontal security regulations is the rising global annual cost of cybercrime, estimated at EUR 5.5 trillion in 2021 and predicted to surpass EUR 10 trillion in 2025. With this in mind, we can assume that product and component manufacturers, software developers, and cloud or other service providers agree that both technical measures and the implementation of horizontal regulatory acts are needed to address rising and ever-evolving cybersecurity risks. As smart energy products and solutions are an integral part of the critical infrastructure, we have already incorporated several information and cybersecurity standards (e.g. the ISO 27001 standard family, ISO/IEC 62443) and existing regulatory requirements (e.g. NIS, GDPR) into our operations, to assure the highest levels of confidentiality, integrity, availability, and trust in smart energy products.
Additionally, the European Union’s requirements for a sustainable, clean, and energy-efficient society have identified the need for a digital transformation of the energy sector. Namely, data access and data management would enable the utilization of smart metering data to improve energy efficiency.
On the one hand, we have increased information and cybersecurity risks; on the other, the need for data utilization to achieve the desired energy efficiency. How can these two important initiatives go hand in hand, achieving the best energy efficiency without increasing the impact of cybersecurity incidents?
The answer to both questions resides in the European Union’s security regulations. Namely, the following regulations will ensure the transition towards secure data utilization and the minimization of EU-wide information and cybersecurity risks:
- The Network and Information Security (NIS 2) directive and the Network Code on Cybersecurity (NCCS): the NIS 2 directive applies to both the public and private sectors and aims to improve the security of networks and information systems in order to prevent, detect, and respond to security incidents. The NCCS is an energy-sector-specific regulation proposing sector-specific security controls and procedures to assure the highest level of security for the energy sector and the products it uses, and to assure that suppliers’ components are validated before being used as part of the energy critical infrastructure.
- The Radio Equipment Directive (RED) new Delegated Act: proposes additional security controls for all radio equipment, including electricity smart metering devices.
- The Cyber Resilience Act (CRA): a horizontal regulation on cybersecurity requirements for all products with digital elements, intended to foster more secure hardware and software products. It classifies products into 3 categories, each with a different compliance/conformance process, ranging from self-assessment to European Union Common Criteria (EUCC) certification. Additionally, the CRA proposes a procedure for efficient and transparent vulnerability management in products with digital elements.
To achieve the desired digitalization of the energy sector in a secure manner, a level playing field and common rules must apply to all entities that are already present on, or are entering, the European Union market. With these regulations, that playing field and those rules are being set to fully support a secure digital transformation in the energy sector, but the regulators must assure that:
- Any overlap or duplication of requirements is removed, to avoid unnecessary technical or financial impacts on the energy sector.
- The existing smart metering and advanced metering infrastructure certification schemes are recognized as European Union Common Criteria (EUCC) standards and used as proof of conformity with security requirements.
- Legislation is harmonized at the European Union level, to avoid single-country adoptions or misinterpretations of the security requirements.
To answer the title question: for now, the European Union and its security regulations support the digital transformation in the energy sector, but to avoid any negative impacts on the sector, the relevant stakeholders have to be included, and their opinions taken into account, during the legislative process.