INTRODUCTION

The electricity system is undergoing a double transition: rapid decarbonisation and increasing digitalisation. These two transitions are intimately linked. The supply and demand of electricity must be balanced at all times, but the growing share of renewable energy technologies, with complex and intermittent generation patterns, means that this task can only be performed through digital processes. Digitalisation is thus a precondition for the operation of the future decarbonised electricity grid. However, the digitalisation of the electricity grid also renders it more vulnerable to cyberattacks. A cyberattack on the electricity system could cause significant economic damage. In the worst-case scenario, it could lead to prolonged power outages, causing widespread disruption, and putting human lives at risk. While the EU's electricity system has not yet been hit by a large-scale cyberattack, the risk is far from hypothetical. In 2015 and 2016 cyberattacks on substations in the Ukrainian electricity grid caused blackouts that left over 225,000 people without power. There is evidence of intrusions in the computer systems of energy companies in the European Union and the United States. In addition, during the Covid-19 pandemic several other critical infrastructure systems fell victim to cyberattacks.

Cyberattacks are a relatively new threat to the electricity system. As a result, the policy and regulatory landscape of cybersecurity for the electricity system is new and developing quickly.