Institutions and legislation
The Strategy defines general cybersecurity policies and measures. Critical information infrastructure of energy operators has been identified, but the information on designated operators is not available and an energy-specific policy framework is missing. A national computer incident response team (CIRT-ME) is established and the energy sector is included in its competences.
Requirements for operators and energy regulatory authority
The risk assessment criteria are insufficient and too general; specific security and reporting requirements for energy operators need to be introduced. The energy regulatory authority does not have the role or power to monitor the implementation of cybersecurity measures.
State of implementation
Cybersecurity planning in Montenegro is well advanced and the environment is gradually being developed. There are still gaps in transposition of the cybersecurity acquis – including the designation of critical energy infrastructure and services, requirements for operators, cybersecurity risk assessment and regional cooperation.
The Strategy 2018-2021 identifies risks and responsible institutions mainly in the context of combating cybercrime. Its main objectives include defining the institutional and organisational structure for cybersecurity, developing national cyber defence potential and incident response capacity, protecting critical information infrastructure, public-private partnership and raising public awareness. It also provides a roadmap of implementation activities. Monitoring and annual reporting are provided by the Information Security Council. There are no energy-specific policies in the Strategy.
The Law on designation and protection of critical infrastructure adopted in 2019 transposes Directive 2008/114/EC in a general manner, defining the powers of the Ministry of Interior and leaving specific criteria for designation and measures for protection to the sectoral ministries. The Law requires the development of general security plans and imposes obligations for administrative reporting of critical assets, with no cybersecurity-specific criteria for essential services, requirements for operators, risk assessment or obligation for incident reporting.
The Methodology and Action Plan for selection of critical information infrastructure adopted in 2014 include the infrastructure used in the production, transmission, system operation and distribution of electricity and natural gas, the storage of gas, and the production, refining, storage and distribution of oil and derivatives. The supply of electricity, gas and oil is identified as an essential service. Amendments to the Law on Information Security of 2016 oblige the Government to specify the critical infrastructures and the means of their protection, and the Ministry of Public Administration to implement the measures. No specific policies applicable to energy are available. The Law on Information Security governed the establishment of the computer incident response team (CIRT-ME) in 2016.
The Decree on Information Security Measures of 2010 defines the basic features of risk management and general data protection. General implementing measures for cybersecurity risk assessment are foreseen in the Strategy, with almost no consideration of energy-specific risks. The Law on Information Security provides only a general structure for information security risk definition and management; a risk assessment methodology applicable to energy is missing. The gap is bridged by the CIRT, which provides cyber defence services to the energy sector. Likewise, the cybersecurity requirements and reporting obligations of energy operators are defined in the Law on Information Security only in a general manner. The Ministry declared the ISO/IEC 27001 and 27002 standards mandatory for the implementation of information security measures.
The energy regulatory authority REGAGEN does not have competences in the context of cybersecurity in the energy sector.