Act on enhanced preparedness in the energy sector
This section specifically deals with the Utilities sector.
Act on enhanced preparedness in the energy sector (Bill)
NB! This note is updated continuously and may therefore change form and content when the final law is adopted.
The law covers companies in the electricity, gas, oil, district heating, district cooling and hydrogen sectors, among others. The law will thus cover actors that are not currently subject to emergency regulation in the energy sector.
The Act establishes a framework for resilience and preparedness in relation to natural, man-made and technological threats that may threaten or damage the energy supply.
On this basis, the law lays down rules regarding:
- organizational preparedness,
- physical security and
- cybersecurity.
The law defines resilience as the ability of an entity to prevent, protect against, respond to, withstand, mitigate, absorb, adapt to, and ensure recovery from an incident.
To understand the depth and breadth of the law, it is worth looking at the definition of the term incident. An incident is defined under the law as an event, including a cyber incident, that has the potential to significantly disrupt, or disrupts, the delivery of an essential service, including when it affects national systems that ensure the rule of law. In other words, an incident covers both disruptions to the individual company's energy supply and what could be called ragnarok, i.e. the state where society can no longer maintain the most basic functions due to the incident.
The Act contains a number of measures in Section 6 concerning organisational preparedness, Section 7 concerning physical security and Section 8 concerning cybersecurity. The Minister for Climate, Energy and Utilities will implement the measures in executive orders and guidelines.
The requirements will, among other things, be centered around:
- requirements for where network and information systems with significance for energy supply (formerly supply-critical systems) can be operated and accessed remotely;
- preparation of risk and vulnerability assessments for the procurement, design and establishment of energy infrastructure;
- alarms that can be used to respond to, for example, intrusions;
- network security, including segmentation;
- overview and management of architecture and data traffic;
- protection of mobile devices and servers.
The requirements will also be graded according to the supply criticality of the companies.
ISO27001
The work of implementing the law should be done using the ISO27001 standard, since it establishes a management system with risk assessment as its focal point, one that can be adapted over time as the threat landscape develops. In this way, the responsible management gains control of compliance and can steer the effort across the organization through the policies that form the core of the information security management system that ISO27001 gives rise to. ISO27001 readily covers organizational preparedness, physical security and cybersecurity alike.
Management is responsible, but who is management?
Management means the person (or persons) with the authority to allocate funds and approve the processes that underpin the company's preparedness and resilience. It will therefore be a specific assessment in the individual company as to who holds decision-making authority over funds, and who is thus considered to constitute management.
Management training
Management must also be kept informed of the emergency preparedness risks to which the company is exposed. Management must also be able to identify risks in, for example, a project. Therefore, management will generally need to attend a course.
Remember the suppliers!
The energy sector must itself pass on the requirements in the law to its suppliers, including through tenders. It is the companies that must ensure that their suppliers meet the requirements in relation to the goods or services that the company receives.
Categorization
Companies are divided into levels, while facilities are divided into classes. The division will be an administrative decision that can be appealed.
The categorization is used to differentiate which companies must comply with the requirements, so that the more supply-critical companies must comply with more elements of the requirements.
The level classification of companies will be based on the sub-sector in which the company operates and the service that the company provides. If a company provides services in several sub-sectors, for example if it supplies both electricity and heat, the company will only be classified at one level. The company will be classified at the level of the type of supply where the service will be most critical.
The company's overall importance to security of supply will affect the level at which the company will be classified. It will also be important whether the company provides a service that affects or may affect other critical sectors.
The level classification of companies will rest on a specific assessment of the total amount of energy the company controls, the company's importance for the energy supply, and whether the company provides services to other critical sectors or carries out tasks critical to society.
The categorization of facilities and systems is done by dividing them into classes. The classification will be based on the service that the facility or systems relate to, the amount of energy that they help support, and their importance for security of supply.
Companies that operate in multiple sub-sectors are placed at the highest level for which the company meets the requirements. If a company has activities in the heating sector corresponding to level 2 and activities in the electricity sector corresponding to level 3, then the company will initially be classified at level 3.
As a starting point, companies will be directly informed of the level they are classified in and how their facilities are classified. However, it must be emphasized that companies are at all times responsible for complying with the regulation to which they are subject. If a company is in doubt as to whether it is subject to the upcoming emergency regulation, the company must contact the Danish Energy Agency's emergency response office for clarification and, if necessary, determination of the company's level.
Duty to notify
The Act and subsequent executive orders include rules on notification and reporting of:
- incidents,
- significant cyber threats and
- near misses.
The Ministry of Climate, Energy and Utilities shall lay down detailed rules on who must be notified, including consumers if applicable, when and in what detail notification must be given. In addition, detailed rules may be laid down for which incidents must be reported.
Finally, it is proposed that the Ministry of Climate, Energy and Utilities may, under certain conditions, inform the public about the significant incident or require the company to do so.
Security clearances and background checks
Persons who have direct access to influence supply in the energy sector must, as a rule, be security cleared. The Minister for Climate, Energy and Utilities shall lay down further rules on this.
The Minister of Climate, Energy and Utilities may also lay down further rules on the conditions under which companies may have background checks carried out on individuals with a view to assessing a potential security risk to the company.
The Danish Energy Agency would also like suppliers to be able to obtain security approval. This remains to be finally clarified.