European Energy Information Sharing and Analysis Centre
EE-ISAC
The mission of the EE-ISAC is to improve the resilience and security of the European energy infrastructure.
ID: 089154834713-90
Lobbying Activity
Response to Terms and conditions for delaying dissemination of notifications
13 Nov 2025
EE-ISAC welcomes the European Commission's consultation on the Delegated Act defining the conditions under which national CSIRTs may temporarily delay the sharing of vulnerability notifications with other Member States. As the EU strengthens its cyber resilience, it is essential that new rules reflect the operational realities of critical infrastructure operators, particularly in the energy sector. Premature disclosure of sensitive information can increase systemic risk, while excessive delays can hinder coordinated defence. EE-ISAC stresses that vendors must inform their customers as soon as mitigation measures or patches are available to help operators protect critical services. Prolonged or opaque delay procedures could erode trust among stakeholders and Member States; transparency and consistency are therefore essential.

Through this consultation, EE-ISAC aims to:
- Ensure that the Delegated Act accounts for the specific safety and technical constraints of Operational Technology (OT) and Industrial Control System (ICS) environments.
- Promote proportionate, risk-based information-sharing mechanisms to strengthen the resilience of European critical infrastructure.
- Support coherence between the Cyber Resilience Act (CRA), the NIS2 Directive, and sectoral cybersecurity rules such as the Network Code on Cybersecurity in the energy sector.

The Act must strike a balance between rapid information dissemination and the risk of weaponising vulnerabilities. EE-ISAC advocates for a case-by-case, evidence-based approach in which any delay is justified, limited in scope and duration, and well-documented. This ensures that the Union's overall resilience is prioritised over procedural rigidity.

In OT and ICS contexts, patch deployment and mitigation require testing, coordination, and downtime. EE-ISAC recommends:
- Disseminating high-level alerts to relevant CSIRTs and operators even when full technical details are temporarily withheld.
- Aligning regulatory timelines with realistic industrial patch cycles and safety requirements.
- Accompanying any decision to delay sharing with transparent audit trails and clear communication to maintain trust.

These measures would protect essential services while ensuring defensive preparedness and stakeholder confidence.

CSIRTs will be central to assessing and authorising postponements. They must apply harmonised, risk-based criteria, maintain strict confidentiality, and control access to sensitive information. EE-ISAC supports ENISA's coordinating role in ensuring consistency, interoperability, and continuous monitoring across the EU's CSIRT network.

Conclusion: The Delegated Act offers an opportunity to enhance the technical maturity, coherence, and trustworthiness of the EU's cybersecurity ecosystem. By aligning transparency with proportionality and balancing speed with risk awareness, the EU can create a framework that strengthens collective defence without compromising safety or confidence. EE-ISAC reaffirms its commitment to promoting timely information sharing, trust-based cooperation, and pragmatic regulation. The Association stands ready to assist the European Commission and Member States through its operational expertise and intelligence-sharing experience in the energy sector. A well-designed Delegated Act will ensure that the EU's cybersecurity framework delivers resilience, interoperability, and regulatory clarity while supporting innovation and safeguarding essential services.
Response to Digital package – digital omnibus
14 Oct 2025
The European Energy Information Sharing and Analysis Centre (EE-ISAC) welcomes the EC's Digital Package and Omnibus initiative as a key step to simplify and harmonise the EU's digital regulatory environment. As digital technologies now underpin all aspects of Europe's critical energy infrastructure, from data management and automation to AI and cross-border coordination, the alignment of digital, data, AI, and cybersecurity frameworks with operational realities is vital for ensuring security and resilience. EE-ISAC's mission to enhance cybersecurity preparedness, promote trusted information sharing, and foster collaboration across the European energy ecosystem aligns directly with the aims of this initiative.

Through its contribution, EE-ISAC seeks to:
- Shape the harmonisation of cybersecurity reporting obligations to better reflect the realities of operational technology.
- Advocate regulatory coherence between horizontal digital legislation and sector-specific cybersecurity frameworks (e.g. NIS2, NCCS).
- Reinforce its role as a trusted partner for regulators and policymakers to ensure that simplification strengthens the EU's energy resilience.

1. Harmonisation of cybersecurity reporting obligations
- Reduce fragmentation: Current reporting requirements under instruments such as NIS2, CER, GDPR, and the Network Code are scattered and inconsistent. Harmonisation should simplify compliance without losing operational effectiveness.
- Operational feasibility: Reporting obligations must reflect the technical realities of OT systems, including detection limits, remediation timelines, and cross-border dependencies.
- Integration with information sharing: Streamlined frameworks should connect to existing sharing mechanisms to avoid duplication and enable rapid, actionable intelligence exchange.

2. Alignment with sector-specific security frameworks
- Policy coherence: Digital legislation must align with sectoral cybersecurity rules to prevent overlap and ensure consistent expectations for essential service operators.
- Leverage existing mechanisms: Build upon established NIS2 and CER processes for reporting, certification, and risk management.
- Engage sectoral expertise: Communities such as EE-ISAC should engage in developing alignment strategies to resilience outcomes.

3. Information sharing and cross-border coordination
- Secure, lawful data exchange: The new framework must clarify how simplified digital rules interact with structured threat-intelligence and incident-response platforms.
- Confidentiality and liability: Clear safeguards are essential to encourage the sharing of sensitive information between trusted partners.
- Interoperability across Member States: Common definitions, taxonomies, and thresholds are needed to enable meaningful cross-border coordination.

4. Integration with AI, data, and digital identity frameworks
- Security-by-design in AI and data systems: Implementation of the AI Act and data governance rules should strengthen infrastructure resilience.
- Digital identity and trust services: The European Digital Identity framework must meet the operational and security needs of critical sectors.
- Proportional compliance: Simplification should ensure obligations match the risk level of operators, avoiding unnecessary administrative burdens.

5. Reducing administrative complexity while enhancing security outcomes
- Risk-based simplification: Focus obligations on security outcomes, i.e. detection, reporting, and mitigation, rather than rigid procedural rules.
- Clarity and predictability: Consolidated guidance will improve compliance and allow operators to prioritise resilience.
- Continuous dialogue: Ongoing engagement with expert communities such as EE-ISAC will help adapt the framework as threats evolve.

Conclusion: This Omnibus can deliver a simpler, stronger digital framework that enables innovation and resilience. EE-ISAC supports this goal and offers its expertise to help the EU strengthen security.
Response to Revision of the EU’s energy security framework
13 Oct 2025
The European Energy Information Sharing and Analysis Centre (EE-ISAC) welcomes the European Commission's initiative to revise the EU Energy Security Framework as a crucial step toward a resilient, future-proof European energy system. EE-ISAC highlights that growing digitalisation, cross-border interconnections, and hybrid threats require integrated approaches combining cybersecurity, coordinated response, and trusted public-private cooperation.

As a collaborative platform uniting utilities, technology providers, public authorities, and academia, EE-ISAC contributes operational insight and strategic value by:
- Delivering cross-border cyber threat intelligence and incident-sharing capabilities.
- Aligning cybersecurity practices in the energy sector with EU legislation such as NIS2 and the Network Code on Cybersecurity.
- Acting as a trusted partner bridging policy and operations, grounded in real-world expertise.

Through its participation, EE-ISAC seeks to embed these principles into the revised framework, ensuring it balances strategic priorities with operational realities.

1. Cybersecurity & operational resilience
- Resilience-by-design: Cybersecurity must be integrated from early planning, procurement, and deployment of critical infrastructure.
- Cyber readiness criteria: Introduce security maturity assessments in EU funding, certification, and strategic project designations.
- Hybrid threat preparedness: Expand risk models to address cyber-physical-geopolitical intersections, especially in cross-border systems.

2. Digitalisation, data platforms & interoperability
- Secure digitalisation: Incorporate cybersecurity in digital twins, IoT, and predictive analytics.
- Interoperable data exchange: Develop EU-wide standards for secure, interoperable data sharing among TSOs, DSOs, and service providers.
- Cyber-physical visibility: Integrate anomaly detection and event correlation into energy data platforms for proactive detection and response.

3. Cross-border coordination & information sharing
- Structured threat intelligence sharing: Promote trusted, compliant exchange aligned with NIS2 and the Network Code on Cybersecurity.
- Enhanced early-warning mechanisms: Strengthen real-time, cross-border situational awareness linking operators, authorities, and EU institutions.
- Coordinated response frameworks: Create harmonised protocols for joint incident reporting and coordinated action during large-scale disruptions.

4. Governance & alignment with EU frameworks
- Policy coherence: Align the revised framework with NIS2, the CER Directive, and the Digital Networks Act to avoid fragmentation.
- Operational expertise in governance: Involve expert communities like EE-ISAC in governance, consultation, and implementation processes for infrastructure protection and threat intelligence.

5. Risk-informed investment & strategic planning
- Cyber risk assessment: Make cyber risk analysis mandatory for EU-funded or strategic infrastructure projects.
- Resilience as an investment criterion: Evaluate projects based on cybersecurity maturity, intelligence-sharing capabilities, and cross-border readiness.
- Scenario-based stress testing: Encourage planning based on combined cyber-physical incident simulations to guide investment and improve preparedness.

Conclusion: EE-ISAC views the revision as a pivotal opportunity to embed cybersecurity, resilience, and collaboration into the European Union's energy policy. The Association reaffirms its readiness to support the European Commission and Member States through operational expertise, cross-border information sharing, and the co-design of a robust and forward-looking energy security architecture that safeguards Europe's energy future.
Response to European grid package
31 Jul 2025
The European Energy Information Sharing and Analysis Centre (EE-ISAC) welcomes the European Commission's initiative to modernise and strengthen the EU's electricity infrastructure through the European Grid Package. The call for evidence demonstrates a forward-looking vision that recognises the growing interdependencies between digitalisation, resilience, and cross-border energy integration. As a trusted platform for collaboration between utilities, technology providers, and public authorities, EE-ISAC offers its perspective on how structured information-sharing and operational coordination can contribute to these goals.

The Grid Package outlines significant policy and investment directions, including 584 billion in grid investment by 2030, with 170 billion allocated to digitalisation and observability. It prioritises permitting acceleration, cross-border integration, smart grid innovation, and stakeholder engagement. Critically, the inclusion of resilience against cyber and hybrid threats within both the planning and operational phases strongly aligns with EE-ISAC's mission. Although information-sharing is not a central feature of the package, EE-ISAC believes it is a foundational enabler of operational resilience in a digital and interconnected energy system.

Drawing on its experience facilitating trusted cyber threat intelligence exchange, EE-ISAC highlights the following areas for the Commission's consideration:

Cybersecurity & Resilience:
- Encourage the adoption of resilience-by-design principles in grid planning and digital transformation processes.
- Promote the inclusion of cyber readiness criteria in infrastructure funding, planning, and certification mechanisms, ensuring security is addressed proactively.

Digitalisation & Interoperability:
- Support the development of secure and interoperable data exchange standards across TSOs, DSOs, and other actors in the energy ecosystem.
- Recommend embedding cybersecurity capabilities, such as anomaly detection and cyber-physical event correlation, into emerging tools like digital twins.

Operational coordination and information sharing:
- Emphasise the critical role of trusted coordination among grid stakeholders in preparing for and responding to evolving cyber and hybrid threats.
- Recommend the development of structured information-sharing mechanisms, consistent with the NIS2 Directive and the Network Code on Cybersecurity, to enhance grid resilience while upholding confidentiality and national responsibilities.

Governance & Alignment with existing frameworks:
- Encourage coherence with existing EU initiatives, including NIS2, the CER Directive, and the proposed Digital Networks Act, to avoid duplication and regulatory fragmentation.
- Suggest leveraging the expertise of operational communities such as EE-ISAC in shaping relevant aspects of the proposed Pact for Engagement, particularly where cybersecurity and infrastructure protection are concerned.

Risk-Informed investment planning:
- Propose that infrastructure projects seeking EU-level support be required to include basic cyber risk assessment and resilience planning elements.
- Recommend that cybersecurity maturity be considered as a criterion when prioritising strategic cross-border grid investments.

EE-ISAC supports the European Commission's vision for a resilient, digitised, and future-proof electricity grid and stresses the vital role that information sharing and operational collaboration play in realising this vision. We stand ready to contribute operational insights and facilitate structured dialogue among public and private stakeholders. By embedding cybersecurity and resilience into the core of grid development and governance, the EU can build an electricity infrastructure that is both innovative and secure.
Response to Digital Networks Act
11 Jul 2025
The European Energy Information Sharing and Analysis Centre (EE-ISAC) welcomes the European Commission's initiative to develop a unified Digital Networks Act (DNA). EE-ISAC recognises the DNA's potential to modernise Europe's digital infrastructure through harmonisation, resilience measures, and regulatory simplification, while ensuring alignment with sectoral needs such as energy systems security and operational continuity.

As a cross-sectoral platform focused on cybersecurity and resilience within the energy sector, EE-ISAC's response highlights the critical interdependencies between digital networks and energy system reliability. Specifically, EE-ISAC emphasises that next-generation digital infrastructure must support the resilience, performance, and security requirements of critical energy systems, which are increasingly dependent on real-time data, remote control, and cross-border operational coordination.

From EE-ISAC's perspective, cybersecurity and resilience must form a core pillar of the DNA. This includes embedding mandatory security-by-design provisions in network and cloud infrastructure components serving critical sectors, like energy. EE-ISAC recommends integrating operational cyber-resilience benchmarks based on real-world incidents from the energy sector. Moreover, public-private cyber threat intelligence mechanisms such as ISAC models should be explicitly recognised and embedded within the DNA's cybersecurity architecture. These measures would help bridge regulatory intent with operational realities faced by critical infrastructure operators.

The energy sector's specific needs must also be considered in network performance and availability requirements. EE-ISAC stresses the dependency of energy systems on low-latency, high-availability digital networks, for example, for smart grids, balancing operations, and critical control systems. Therefore, minimum service continuity guarantees and performance standards should be articulated within the DNA to safeguard critical service provision. Alignment with existing frameworks such as NIS2 and the CER Directive is essential to avoid overlap or regulatory inconsistency, ensuring that the DNA complements rather than complicates existing obligations.

EE-ISAC also provides insights into infrastructure and investment aspects. Members report administrative and technical barriers to digital network deployment within energy infrastructure contexts. These include complex permitting processes, fragmented national rules, and challenges in accessing spectrum resources for energy-specific use cases such as IoT and telemetry. The DNA should address these barriers by facilitating smoother infrastructure rollout for sectors underpinning public safety and economic stability.

Regarding investment and cost-sharing, EE-ISAC suggests that the DNA considers the realities of how energy-sector actors currently invest in digital infrastructure. While energy operators contribute significantly to digital resilience, support mechanisms and fair cost-sharing models would further incentivise sector-wide upgrades and ensure a level playing field. Insights from EE-ISAC members on existing investment models and challenges could inform balanced solutions in this area.

Finally, EE-ISAC supports regulatory simplification as proposed by the DNA, provided it extends to digital regulation affecting critical infrastructure operators. Reducing duplicative reporting and administrative burdens is welcomed. EE-ISAC proposes creating a resilience checklist or guideline for digital infrastructure projects impacting critical sectors, offering both clarity for operators and alignment with public policy objectives.

In conclusion, EE-ISAC encourages the European Commission to integrate these sector-specific recommendations into the DNA's final structure. By embedding cybersecurity, resilience, and critical infrastructure considerations, the DNA can effectively modernise Europe's digital network
Response to The EU Cybersecurity Act
17 Jun 2025
The European Energy Information Sharing and Analysis Centre (EE-ISAC) welcomes the opportunity to contribute to the European Commission's consultation on the revision of Regulation (EU) 2019/881 (the Cybersecurity Act). EE-ISAC is a trust-based, industry-driven information-sharing network that brings together stakeholders from the energy sector, academia, public authorities, and cybersecurity providers to enhance the cyber resilience of Europe's energy critical infrastructure. Since its foundation in 2015, EE-ISAC has actively promoted cross-sectoral and international collaboration, including with ISACs in Japan and the United States, and maintains strong engagement with relevant EU-level initiatives.

EE-ISAC supports platforms like the Malware Information Sharing Platform (MISP) and ENISA's Nextcloud instance as important tools for enabling near real-time exchange of threat intelligence. These instruments should be further institutionalised under ENISA's mandate to support secure and efficient information sharing among trusted stakeholders.

EE-ISAC welcomes the Commission's initiative to revise the Cybersecurity Act, particularly the efforts to clarify ENISA's mandate and reinforce the European Cybersecurity Certification Framework. However, EE-ISAC highlights a critical operational gap regarding ENISA's role as an effective hub for cybersecurity information exchange. While Articles 3(2) and 7 of the current Act mandate ENISA to facilitate cooperation and information sharing, this role has not been fully implemented in practice. This was evident during recent cross-border energy sector incidents (e.g., those affecting Spain and Portugal), where ISACs and other stakeholders were not supported by coordinated EU-level situational awareness or timely dissemination of threat intelligence. EE-ISAC believes the revised Cybersecurity Act must address this gap decisively.

To this end, EE-ISAC recommends that the revised Act should:
- Explicitly strengthen ENISA's operational role as a central EU clearinghouse for cybersecurity threat intelligence, especially in cross-border and multi-sector scenarios;
- Establish clear legal and procedural mechanisms that allow ENISA to coordinate and share threat information actively with national authorities and trusted communities, including ISACs, in line with the NIS2 Directive (Directive (EU) 2022/2555), notably Articles 7 and 8;
- Ensure that ENISA is not only granted the necessary mandate but also the resources, authority, and technical capabilities to serve as a trusted operational node for structured, secure, and timely information exchange.

Enhancing ENISA's proactive coordination capabilities would improve the EU's collective cybersecurity preparedness, build trust across sectors and Member States, and ensure more effective responses to cyber threats affecting critical infrastructure such as energy. EE-ISAC stands ready to support this process and contribute its expertise to a stronger European cybersecurity framework.
Response to Network Code on Cybersecurity
17 Nov 2023
The European Energy - Information Sharing and Analysis Centre (EE-ISAC) welcomes the opportunity to submit its feedback to the European Commission legislative proposal Network Code on Cybersecurity (NCCS), Regulation (EU) 2019/943, aimed at developing sector-specific rules (network code) that address the cybersecurity aspects of cross-border electricity flows. This will help make the EU's electricity system more resilient and secure.
Response to Cyber Solidarity Act
20 Jul 2023
The European Energy - Information Sharing and Analysis Centre (EE-ISAC) welcomes the opportunity to submit its feedback to the European Commission legislative proposal Cyber Solidarity Act (CSA) aimed at enhancing cybersecurity and improving cyber resiliency in the Union. Kindly find enclosed the feedback submission.
Response to Enhancement of European policy on critical infrastructure protection
8 Apr 2021
European Energy - Information Sharing and Analysis Centre (EE-ISAC) welcomes the opportunity to provide feedback on the legislative proposal for the Directive on the resilience of critical entities (CER). The EE-ISAC position can be found enclosed.
Response to Revision of the NIS Directive
18 Mar 2021
European Energy - Information Sharing and Analysis Centre (EE-ISAC) welcomes the opportunity to provide feedback on the proposal for a revised NIS Directive. The EE-ISAC position can be found enclosed.