European provisions for cyber security in the smart grid – an overview of the NIS-directive

Legal aspects of cyber security in the smart grid – an overview of the NIS Directive

  • Original papers
  • e & i Elektrotechnik und Informationstechnik

Abstract

Due to increasing cyber-criminal activity, security incidents pose a significant threat to society and the economy. Such incidents may also affect personal data, which could especially concern the exercise of economic activities, produce financial losses and harm the confidence of users. To ensure the communication of the most serious security incidents, there is a need to introduce minimum security requirements at Union level which apply to all communication and information systems. In response to this risk, the Network and Information Security Directive (NIS-Directive) (Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union, Directive (EU) 2016/1148) entered into force in August 2016. How this Directive will influence the energy sector is the question examined here.

Summary

Owing to increasing cybercrime, security incidents pose a considerable threat to society and the economy. Attacks and incidents can endanger the integrity and transmission of personal data and business information and thereby potentially impair economic development, leading to financial losses and the risk of a loss of confidence in information and communication technology (ICT) in general. As a general approach for all sectors that depend heavily on IT infrastructure, the Directive on Network and Information Security (NIS Directive) was adopted after three years of negotiation as the first piece of legislation addressing the challenge of cyber security at EU level. The NIS Directive establishes a common EU approach to the security of the internet and imposes certain obligations on operators of critical infrastructure. The provisions are, however, generic and not designed specifically for the energy sector, which is why the requirements are examined more closely with regard to the energy sector.

Notes

  1. Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union, Directive (EU) 2016/1148.

  2. Official Journal of the EU L 2016/194/1.

  3. The two terms “operators of essential services” and “Digital service providers” will be explained later on in the paper.

  4. Art. 4 (1) NIS-Directive.

  5. Art. 1 (2) lit a-e NIS-Directive.

  6. The online public consultation on ‘Improving network and information security in the EU’ ran from 23 July to 15 October 2012.

  7. COM (2013) [2], 48 final, 7.

  8. See e.g. European Commission (2016) [1]; Schmidthaler/Reichl (2016) [4].

  9. However, there is so far no indication of a special regulation.

  10. Art. 5 (2) lit a-c NIS-Directive.

  11. Out of critical sectors such as the energy sector, transport sector, banking sector, financial market infrastructure, health sector, drinking water supply and distribution and digital infrastructure.

  12. The referred list has to provide information about national measures which were used to identify an Operator of Essential Services, a list of entities which may provide such a service, the number of respective Operators identified per sector and thresholds to determine the relevant supply level in accordance with the number of users relying on that service.

  13. Cf. Annex II Sector 1 of NIS-Directive.

  14. Cf. Annex III of NIS-Directive.

  15. Means any party that provides data aggregation services to electricity suppliers. They aggregate data to be submitted into settlements, so that accurate values of what a supplier’s customers have “taken” is allocated to the correct supplier to enable the accurate billing of that supplier for the energy their customers have used (source: http://www.tma.co.uk/services/data-aggregation/ from 20.09.2016).

  16. This platform is called “Cyber Security Platform Austria” (CSP).

  17. Cf. Art. 8, par. 6 NIS-Directive.

  18. According to Annex II of NIS-Directive.

  19. European Commission – Fact Sheet “Directive on Security of Network and Information Systems” Brussels, 6 July 2016 [3].

  20. The Computer Emergency Response Team for the EU institutions, agencies and bodies.

  21. The one who receives the notification.

  22. Cf. 15 (4) NIS-Directive.

  23. For Operators of Essential Services.

  24. For Digital Service Providers.

References

  1. European Commission (2016): Commission staff working document – Impact assessment, accompanying the document “Proposal for a regulation of the European Parliament and of the Council concerning measures to safeguard security of gas supply and repealing Council Regulation 994/2010”. SWD(2016) 25.

  2. European Commission (2013): Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures to ensure a high common level of network and information security across the Union. COM(2013), 48 final.

  3. European Commission (2016): Fact sheet “Directive on security of network and information systems”.

  4. Schmidthaler, M., Reichl, J. (2016): Assessing the socio-economic effects of power outages ad hoc. Comput. Sci. Res. Dev., 31, 157.

Author information

Corresponding author

Correspondence to Marie-Theres Holzleitner.

Additional information

This paper is an outcome of the SPARKS project (project-sparks.eu), which has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 608224.

Cite this article

Holzleitner, MT., Reichl, J. European provisions for cyber security in the smart grid – an overview of the NIS-directive. Elektrotech. Inftech. 134, 14–18 (2017). https://doi.org/10.1007/s00502-017-0473-7
