On 15 October 2021, the Ministry of Climate and Environment released recommendations on measures to improve cybersecurity in the energy sector and industry guidelines on incident reporting. The recommendations were drawn up on the basis of art. 42(1)(5) of the National Cybersecurity System Act of 5 July 2018, following consultations with CSIRT NASK, CSIRT GOV, and CSIRT MON, and operators of essential services in the energy sector.

The recommendations issued by the Ministry of Climate and Environment list best practices for energy sector undertakings to implement, especially undertakings classified as operators of essential services, to enable comprehensive rules to be formulated concerning many areas of organization, to protect their IT resources.

The recommendations cover areas such as:

  • drawing up risk management procedures,
  • using suppliers,
  • raising personnel awareness,
  • conducting security audits,
  • ensuring continuity of operations, in particular of essential services,
  • physical security, and also network security and IT system security, or for example
  • policies concerning dealing with and reporting incidents.

Each of the spheres described in the Ministry’s document includes recommendations that account for the specific nature of the energy sector.

For suppliers of IT services to energy sector undertakings, the most important guidelines are those on use of third-party services by energy sector undertakings. The recommendations focus in particular on issues that need to be regulated in agreements with IT suppliers whose assistance should be used in mitigating cybersecurity risk. In addition, the Ministry states that energy sector undertakings have to establish internal policies to improve supervision of tasks performed by IT suppliers.

Importantly, in the recommendations, the Ministry emphasizes the issue of using cloud computing solutions provided by external suppliers. The recommendations state that when selecting cloud computing services, energy sector undertakings need to take special security measures, such as measures to secure data processed in a cloud computing system or risk assessment when making use of solutions of that kind.