Implementation indicators 

  • Institutions and legislation

    Institutions and legislation

    A Law on Cybersecurity is in place but incomplete. A new Strategy is being drafted. Rules on critical information infrastructure apply only to public utilities in the power sector. Private infrastructures and services and the gas sector need to be included. A CIRT for electricity is planned, one for gas is also needed.

  • Requirements for operators and NRA

    Requirements for operators and NRA

    Self-assessment of risks by the energy operators and reporting was requested by ERE; however, a compliant methodology for for the energy sector is needed. Security requirements and obligations for operators are in place. Improvements are needed in the domain of public-private cooperation, regional measures and energy-specific criteria. The powers of the energy regulator in cybersecurity need to be reinforced.

State of implementation

The crosscutting Digital Agenda of Albania 2015 - 2020 and a corresponding Action Plan aim to achieve compliance with EU policies on preventing cybercrime and supporting security of information networks and systems, including the energy sector. A new national Cybersecurity Strategy 2020 - 2025, involving all relevant institutions and sectors is in drafting stage. The Law on Cybersecurity adopted in 2017 partially transposes Directive 2016/1148/EC (NIS Directive) but cross-border aspects and the regional dimension are missing. No energy-specific cybersecurity
provisions are included in the Law.

The National Authority for Electronic Certification and Cyber Security (NAECCS) is tasked to implement the Cybersecurity Law and acts as a focal point, cybersecurity regulator, incident-reporting centre and a national Computer Security Incident Response Team (CSIRT). The Cybersecurity Law requests sectoral CSIRTs, including an energy CSIRT, to be established by the operators of critical infrastructures and coordinated by the responsible
ministry. The energy regulatory authority ERE adopted in 2020 rules on cybersecurity of critical infrastructures in the power sector.

The Law on Cybersecurity creates a category of “critical” infrastructure or service, followed by another category of less stringent, “important” one. In July 2020, the Government approved a list of critical information infrastructure and services in the public domain, including the main information and operation (SCADA) systems and services of the state-owned power companies OST, OSSH and KESH.

NAECCS is responsible for risk assessment but a common, national methodology has not been established yet. In its roadmap published in 2018, NAECCS announced to make an analysis and, supported by ERE, define a compliant methodology for risk assessment in energy. Self-assessment of risk is also required in the rules adopted by ERE. Each operator must define, apply and submit its own risk methodology, action plan and financial impact. The operators’ cybersecurity requirements and reporting obligations cover the following aspect: information protection, risk and incident management, organizational structure, asset and human resources, assessment of new projects and technologies, continuous monitoring, reporting and cybersecurity audit. Notification obligations for cybersecurity incidents are included in the Law on Cybersecurity and enforced by penalties. Cybersecurity competences and powers of the energy regulatory entity ERE are not explicitly enforced by the law. Current activities of ERE are based on its basic competences and security requirements defined in the Power Sector Law of 2015.