Institutions and legislation
A cybersecurity strategy and action plan are in place, but their implementation is delayed. The responsible computer incident response team (MKD-CIRT) is operational. The necessary legal framework is not in place; the draft law on cybersecurity has still to be adopted.
Requirements for operators and energy regulatory authority
There is no adopted regulation on risk assessment and requirements for critical infrastructure operators in energy. The draft act of the energy regulator ERC, which addresses cybersecurity-related obligations for public and private energy operators, has yet to be adopted. The competences of ERC in cybersecurity should be strengthened in law.
State of implementation
North Macedonia’s cybersecurity in the energy sector is based on the national Strategy for Cybersecurity 2018 - 2022, implemented by the national authority for information security, the Agency for Electronic Communications. Energy-specific policies are defined in the draft rules of the energy regulatory authority ERC and of the energy operators. A compliant legal framework is missing.
The strategy, developed by the Ministry of Information Society and Administration, aims to provide a secure, confidential and resilient digital environment. It is complemented by an action plan for implementation, which calls for transposition of Directive 2016/1148/EC (NIS Directive) and for the introduction of legal provisions on critical infrastructure in sectoral laws. In 2020, the energy regulatory authority ERC plans to adopt a specific cybersecurity strategy for the electricity sector for 2023.
A law transposing the NIS Directive, drafted in November 2019, awaits adoption. The preparation of general legislation on critical infrastructure has not started yet. A study foreseen in the action plan to identify critical information infrastructure and important information systems was postponed.
The national computer incident response team MKD-CIRT is hosted by the Agency for Electronic Communications. It provides cybersecurity services, education and risk analysis for the public administration, operators of critical infrastructure and large enterprises in all sectors of the economy, including energy. The establishment of a specific energy CIRT is foreseen in the draft law.
There is no legal basis or methodology for cybersecurity risk assessment or reporting obligations in energy. The national CIRT performs continuous assessment of threats in general and communicates with stakeholders. The action plan calls for regular audits of risks in the information systems of critical infrastructures and of the preparedness of operators after 2020, but neither the methodology nor the operational agent is established yet. Minimum technical and organizational measures for information systems security in each sector, including energy, should be developed by 2021. The CIRT has established channels for voluntary cybersecurity notifications and incident reporting. A governmental decision of 2020 imposes mandatory participation in the CIRT’s activities on all public bodies and utilities.
There is no law enforcing cybersecurity requirements or reporting obligations for energy operators. A draft ERC strategy includes a list of general recommendations and requirements for all public and private energy operators. The list refers, inter alia, to application of the ISO 27000 series of standards, cybersecurity governance, establishment of an information security officer, classification of risks and assets and application of energy-specific cybersecurity measures, as well as reporting obligations.
The Energy Law of 2018 defines the role of ERC in energy security, which serves as an implicit basis for its engagement in cybersecurity. Full-scale enforcement and clearly defined cybersecurity powers for the energy regulator still need to be included in the Law.