Institutions and legislation
The Cybersecurity Strategy needs follow-up, including policies for the energy sector. Transposition of the NIS Directive should be completed. The protection of critical infrastructure lacks energy-specific criteria. KOS-CERT implicitly covers the energy sector.
Requirements for operators and energy regulatory authority
The general aspects of risk assessment, data security management and threat reporting obligations are in place. Energy-specific cybersecurity competences still need to be introduced.
State of implementation
The National Cybersecurity Strategy of Kosovo* 2016 - 2019 roughly outlines the responsible parties and objectives in cybersecurity management, threat assessment, protection of critical information infrastructure, and building institutional capacity for incident response. The Concept Paper on Network and Information Systems Security Measures, adopted by the Government in 2019, defines the responsibilities of different administrative bodies and promotes cross-sectoral cooperation.
The Law on Critical Infrastructure of 2018 transposes Directive 2008/114/EC in detail and provides broad criteria for identification and designation. It appoints the Ministry of Interior as the main focal point and coordinator in critical infrastructure protection. The energy sector is recognized as relevant, with infrastructures used for production, transmission, distribution and storage of electricity, oil and gas identified as critical. There are no provisions for designation of individual companies and their information and communication systems.
The Energy Strategy 2017 - 2026 does not provide specific criteria for identification of critical infrastructures, risk assessment or security measures for information and communication systems in the energy sector. Cybersecurity-related policies are foreseen in the new Energy Strategy currently in drafting stage. The Ministry of Economy has taken steps to transpose Directive (EU) 2016/1148 (NIS Directive) in the draft Law on Network and Information System addressing public utilities governed by the Ministry.
The Regulatory Authority for Electronic and Postal Communications (ARKEP) hosts the national KOS-CERT, acting as the main computer emergency response unit, providing support, notification and exchange of information related to cyber events, also covering the energy sector.
The Law on Critical Infrastructure provides an indicative framework for risk assessment based on range and severity of impact, without addressing specific threats in energy. Obligations for identification of critical assets and development of security plans are included, along with requirements for establishment of incident prevention plans and risk mitigation systems and reporting of security concerns. Cybersecurity in the energy sector requires a specific risk management framework.
The Energy Regulatory Office (ERO) is not empowered for any specific cybersecurity activities.