Institutions and legislation
The existing cybersecurity framework covers the energy sector, and the mechanism for designating critical infrastructures is established. Energy-specific rules and cross-border cooperation should be further developed. The Strategy for development of information security should be updated.
Requirements for operators and energy regulatory authority (NRA)
The risk assessment, security requirements and reporting obligations of energy operators are well established. Energy-specific rules and mechanisms should be considered to increase efficiency. The energy regulator has no powers in cybersecurity.
State of implementation
Cybersecurity in energy is effectively implemented through the concept of information and communication technology (ICT) systems of special importance. Rules, security measures and reporting obligations for operators are adopted and applied to the energy sector. Energy-specific rules and cooperation mechanisms should still be further developed.
The Strategy for Development of Information Security for the period 2017 - 2020 sets the principles and defines objectives for the security of ICT systems of special importance and of citizens, the fight against cybercrime, the protection of information, and the implementation of Directive 2016/1148/EC (NIS Directive) as the basis for international cooperation. The competent authority for its implementation is the Ministry of Trade, Tourism and Telecommunications. No energy-specific policies are identified in the Strategy.
The Law on Information Security of 2016 sets the legal and institutional framework for cybersecurity and identifies the energy sector as an area with ICT systems of special importance. It obliges operators to adopt rules on ICT system security, with dedicated protection measures against security risks, supervision, and a responsible liaison officer. The Law promotes cooperation between the public and private sectors, the academic community and civil society through the establishment of a body for the coordination of information security.
The Government Regulation of 2019 laying down a List of Activities in the fields in which activities of general interest are carried out and in which ICT systems of special importance are operated includes energy activities. The Ministry of Trade, Tourism and Telecommunications (Ministry) keeps a registry of operators of ICT systems of special importance, which includes registered operators in the energy sector and their liaison officers. The Ministry of Mining and Energy has no cybersecurity competences.
The national computer emergency response team (SRB-CERT), which is also responsible for the energy sector, operates within the Regulatory Agency for Electronic Communications and Postal Services and the Ministry. It performs continuous risk assessment, shares information on security risks and incidents, and carries out prevention and protection tasks.
Risk assessment is defined in the Law on Information Security and in the Regulation on More Detailed Contents of Enhancement on Security of ICT of Special Significance. Both acts apply to the energy sector but lack a cross-border component. Security requirements for operators of ICT systems are provided in the same Law and enhanced by the Regulation on Closer Regulation of Protection Measures for ICT of Special Significance, which covers organizational structure, safety in remote operation, identification of assets, classification of data and its protection level, and the qualification and responsibility of personnel. Reporting obligations are detailed in the Regulation on Incident Notification Procedure in ICT of Special Significance, which defines the criteria, content and reporting details for different types of incidents. There is potential to further enhance the cybersecurity environment of the energy sector by developing specific rules and mechanisms for direct cooperation between energy operators.
The energy regulatory authority (AERS) has no powers or obligations in the domain of cybersecurity.