ERE Reviews Cybersecurity Regulation

The Energy Regulatory Authority (ERE), with the aim of creating a secure internal market, has reviewed the 2020 regulation on cybersecurity of critical infrastructures in the electricity sector and determined the operators that will need to be equipped with a security certificate.

According to the ERE, the purpose of this regulation is to determine the rules and measures that must be taken by entities licensed by the ERE in the natural gas sector and the energy sector, which have the responsibility to guarantee cybersecurity in the critical infrastructures they own and operate.

The regulation stipulates that operators of critical infrastructures in the electricity and natural gas sectors must obtain certification to the ISO 27001 security standard within 18 months from the entry into force of this regulation.

Critical Information Infrastructure Operators, including Kurum International sh.a, Dragobia Energy, Prell Energy sh.p.k, Power Elektrik Slabinje, Seka Hydropower, Devoll Hydropower sh.a and Trans Adriatic Pipeline (TAP), are required to obtain certification according to the ISO 27001 security standard within 18 months from the entry into force of these changes to the regulation.

The obligation includes the Electricity Distribution System Operator, Vlora Power Plant, and Vlushe HPP, which are also required to obtain certification according to the ISO 27001 security standard within 18 months from the entry into force of these changes to the regulation.

The new regulation stipulates that critical information infrastructure operators (CIIOs) in the electricity and natural gas sectors shall report any security incident immediately, and no later than 4 hours from the moment of its detection, where the incident constitutes a breach or interference that has compromised the cybersecurity of the critical infrastructures the licensee owns or operates, or of any other service the operator uses from third parties.

ERE, upon submission of information by the licensee in the event of reported incidents, will review the reported case with the licensee to assess whether the incident occurred due to the actions or inactions of the operator.

It will also discuss the need for the revision of regulatory acts or the need for support from other law enforcement institutions for the proposed actions in order to avoid, prevent, or reduce the number of incidents.

Within 30 days of the occurrence of an incident in critical infrastructures, the operator must submit a general report to the ERE.

Within 90 days of the occurrence of an incident in critical infrastructures, the operator must submit to the ERE a detailed incident investigation report.

The ERE may also request critical information infrastructure operators (OIKI) to submit audited reports regarding the investigation of a cybersecurity incident.

Traditional energy technologies are becoming progressively more connected to modern, digital technologies and networks. This increasing digitalization of the energy system makes it smarter and enables consumers to better benefit from innovative energy services.

At the same time, digitalization creates significant risks, since increased exposure to cyberattacks and cybersecurity incidents potentially jeopardises the security of energy supply and the privacy of consumer data.