EU Network Code on Cybersecurity for the Electricity Sector
Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 establishing the Network Code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (NCCS) is the EU's first sector-specific cybersecurity network code, adopted under Article 59(2)(e) of Regulation (EU) 2019/943 (the Electricity Regulation). NCCS entered into force on 13 June 2024 and is directly applicable in all Member States; transposition is not required but Member States must designate competent authorities + ensure operational implementation. NCCS establishes: (a) a four-level cybersecurity risk-assessment cascade (Union-wide, regional, Member State, and entity-level) with the Union-wide assessment coordinated by ENTSO-E + the EU DSO Entity supported by ACER and the Member State competent authorities; (b) a classification of in-scope entities into 'high-impact' and 'critical-impact' categories based on contribution to cross-border electricity flows + Annex criteria; (c) common minimum cybersecurity controls + advanced cybersecurity controls for high-impact + critical-impact entities respectively; (d) a verification + mutual-recognition scheme for cross-border conformity assessment; (e) a cyber-attack reporting + early-warning system + crisis management framework supplementing NIS2 (Directive (EU) 2022/2555) + CER Directive (Directive (EU) 2022/2557) + EU Cyber Solidarity Act (Regulation (EU) 2025/38); (f) supply-chain cybersecurity requirements; (g) information protection regime including handling of sensitive electricity-grid information. NCCS is implemented through the ENTSO-E + EU DSO Entity joint methodology (Article 8) submitted to ACER for approval. The first Union-wide cybersecurity risk assessment cycle began in 2024-2025 with the first results expected 2026-2027.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
NCCS: Common Electricity Cybersecurity Framework and Minimum/Advanced Controls
| Code | Title |
|---|---|
| NCCS-Art.29_30_31 | Common electricity cybersecurity framework and minimum cybersecurity controls (NCCS Articles 29-31) - for high-impact entities |
| NCCS-Art.32_33_34 | Advanced cybersecurity controls (NCCS Articles 32-34) - for critical-impact entities |
NCCS: Cross-Border Risk Management and Verification + Mutual Recognition
| Code | Title |
|---|---|
| NCCS-Art.37_38_39 | Cross-border verification and mutual recognition (NCCS Articles 37-39) |
NCCS: Four-Level Cybersecurity Risk Assessment Cascade
| Code | Title |
|---|---|
| NCCS-Art.17 | Union-wide cybersecurity risk assessment (NCCS Articles 17-19) - first level of the cascade |
| NCCS-Art.23_24 | Regional cybersecurity risk assessment (NCCS Articles 23-24) - second level of the cascade |
| NCCS-Art.25_26 | Member State cybersecurity risk assessment (NCCS Articles 25-26) - third level of the cascade |
| NCCS-Art.27_28 | Entity-level cybersecurity risk assessment (NCCS Articles 27-28) - fourth level of the cascade |
NCCS: Governance, Competent Authorities and Coordination with NIS2 / CER / CSA
| Code | Title |
|---|---|
| NCCS-Art.57_58 | Coordination with NIS2 + CER Directive + horizontal cybersecurity regimes (NCCS Articles 57-58) |
| NCCS-Art.59_60 | Penalties, audits and entry into force (NCCS Articles 59-60) |
| NCCS-Art.6_7 | Competent authorities + coordination (NCCS Articles 6-7) |
| NCCS-Art.8 | ENTSO-E and EU DSO Entity joint methodology (NCCS Article 8) |
NCCS: Information Protection, Supply Chain and Audits
| Code | Title |
|---|---|
| NCCS-Art.48_49_50 | Information protection and classification (NCCS Articles 48-50) |
| NCCS-Art.54_55_56 | Supply chain cybersecurity (NCCS Articles 54-56) |
NCCS: Information Sharing, Incident Reporting and Crisis Management
| Code | Title |
|---|---|
| NCCS-Art.44_45_46 | Cybersecurity incident reporting (NCCS Articles 44-46) |
| NCCS-Art.47_48 | Crisis management and Cyber Solidarity Act coordination (NCCS Articles 47-48) |
NCCS: Subject Matter, Scope, Definitions and Entity Classification
| Code | Title |
|---|---|
| NCCS-Art.1_2_3 | Subject matter, scope and definitions (NCCS Articles 1-3) |
| NCCS-Art.4_5 | Entity classification - high-impact and critical-impact entities (NCCS Articles 4-5) |
Your Compliance Coverage
If you comply with EU Network Code on Cybersecurity for the Electricity Sector, you already cover:
Maps to 3 other frameworks
Frequently Asked Questions
What is EU Network Code on Cybersecurity for the Electricity Sector?
EU Network Code on Cybersecurity for the Electricity Sector is a compliance framework from European Union with 7 domains and 17 controls. Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 establishing the Network Code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (NCCS) is the EU's first sector-specific cybersecurity network code, adopted under Article 59(2)(e) of Regulation (EU) 2019/943 (the Electricity Regulation). NCCS entered into force on 13 June 2024 and is directly applicable in all Member States; transposition is not required but Member States must designate competent authorities + ensure operational implementation. NCCS establishes: (a) a four-level cybersecurity risk-assessment cascade (Union-wide, regional, Member State, and entity-level) with the Union-wide assessment coordinated by ENTSO-E + the EU DSO Entity supported by ACER and the Member State competent authorities; (b) a classification of in-scope entities into 'high-impact' and 'critical-impact' categories based on contribution to cross-border electricity flows + Annex criteria; (c) common minimum cybersecurity controls + advanced cybersecurity controls for high-impact + critical-impact entities respectively; (d) a verification + mutual-recognition scheme for cross-border conformity assessment; (e) a cyber-attack reporting + early-warning system + crisis management framework supplementing NIS2 (Directive (EU) 2022/2555) + CER Directive (Directive (EU) 2022/2557) + EU Cyber Solidarity Act (Regulation (EU) 2025/38); (f) supply-chain cybersecurity requirements; (g) information protection regime including handling of sensitive electricity-grid information. NCCS is implemented through the ENTSO-E + EU DSO Entity joint methodology (Article 8) submitted to ACER for approval. The first Union-wide cybersecurity risk assessment cycle began in 2024-2025 with the first results expected 2026-2027. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does EU Network Code on Cybersecurity for the Electricity Sector have?
EU Network Code on Cybersecurity for the Electricity Sector has 17 controls organised across 7 domains. The largest domains are NCCS: Four-Level Cybersecurity Risk Assessment Cascade (4 controls), NCCS: Governance, Competent Authorities and Coordination with NIS2 / CER / CSA (4 controls), NCCS: Common Electricity Cybersecurity Framework and Minimum/Advanced Controls (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does EU Network Code on Cybersecurity for the Electricity Sector map to?
EU Network Code on Cybersecurity for the Electricity Sector maps to 3 other compliance frameworks. The top mapping partners are NIS2 Directive (29% coverage), GDPR (12% coverage), EU Cyber Solidarity Act (Regulation (EU) 2025/38) (12% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with EU Network Code on Cybersecurity for the Electricity Sector compliance?
Start your EU Network Code on Cybersecurity for the Electricity Sector compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about EU Network Code on Cybersecurity for the Electricity Sector requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 17 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.
Get Started Free →Free forever — no credit card required