Introduction
The Law on Security of Network and Information Systems (“Cybersecurity Law”), which transposes the NIS2 Directive into Macedonian legislation, became applicable on 1 January 2026. Since then, the new cybersecurity framework has gradually been implemented through sector-specific rules and obligations for the entities covered by the Cybersecurity Law.
One of the first steps in this direction is the adoption of the Rules on Cybersecurity of Production and Storage Facilities and Energy Transmission and Distribution Systems (“Rules”) by the Energy Regulatory Commission, which entered into force at the end of May 2026.
The Rules apply to regulated energy entities, including electricity transmission and distribution system operators, the nominated electricity market operator, electricity suppliers, certain electricity producers, electricity storage operators, gas transmission and distribution system operators, and operators of hydrogen or biogas production facilities.
Key obligations and deadlines under the Rules
The starting point for determining which obligations apply is whether the entity is classified as an essential or important entity under the Cybersecurity Law. That classification is made by the Energy Regulatory Commission, as the regulator for the energy sector, based on the criteria set out in the Cybersecurity Law.
One of the first and main obligations for regulated entities is the appointment of a cybersecurity officer. The appointment decision must be submitted to the Energy Regulatory Commission within 30 days from the adoption of the Rules.
Within 6 months from the entry into force of the Rules, regulated entities should complete the first implementation phase. This includes appointing the cybersecurity officer, preparing an initial inventory of assets, carrying out an initial risk assessment, adopting basic cybersecurity policies, setting up incident management procedures and introducing multi-factor authentication for remote access.
Relevant entities must prepare and submit an annual cybersecurity plan to the Energy Regulatory Commission by 31 January for the current year. Risk assessment reports, domino-effect assessments and annual reports related to simulations and exercises should be submitted by 31 March for the previous year.
Entities must notify the competent CSIRT and the Energy Regulatory Commission of a significant cybersecurity incident or significant cyber threat immediately, and no later than 3 hours after becoming aware of it. This initial notification is followed by an early warning within 24 hours, a detailed notification within 72 hours and a final report within one month.
Recommended approach for energy entities
Energy entities covered by the Rules should start with a practical assessment of their position under the cybersecurity framework. This means checking whether the Rules apply to them and, if so, whether their activities, size, role in critical infrastructure and risk profile could place them in the category of essential or important entities.
Once this is clarified, the focus should shift to implementation. Entities should compare their existing cybersecurity arrangements with the new requirements. Special attention should be given to internal escalation and reporting channels. The notification deadlines for a significant cybersecurity incident are short (the first notification is due within three hours of becoming aware of it), so the relevant teams should know in advance who is responsible for assessing whether an incident is significant, escalating it internally and notifying the competent CSIRT and the Energy Regulatory Commission.
Conclusion
The new Rules introduce a more structured cybersecurity framework for the energy sector and require organisations to align their internal processes with new regulatory expectations. Early preparation will be key to meeting compliance requirements and managing cybersecurity risks effectively.
FAQ
- Who is subject to the new Rules?
The Rules apply to regulated energy entities, including electricity and gas transmission and distribution system operators, electricity suppliers, certain electricity producers, electricity storage operators, the nominated electricity market operator, and operators of hydrogen or biogas production facilities.
- How is it determined which obligations apply to a particular entity?
The applicable obligations depend on whether the entity is classified as an essential or important entity under the Cybersecurity Law. This classification is carried out by the Energy Regulatory Commission based on the criteria prescribed by the Cybersecurity Law.
- What is the first compliance step for regulated entities?
One of the first obligations is the appointment of a cybersecurity officer. The appointment decision must be submitted to the Energy Regulatory Commission within 30 days from the adoption of the Rules.
- What must be completed within the first six months?
Entities must complete the initial implementation phase, including appointing a cybersecurity officer, preparing an asset inventory, conducting a risk assessment, adopting cybersecurity policies, establishing incident management procedures, and implementing multi-factor authentication for remote access.
- What are the incident reporting deadlines?
Significant cybersecurity incidents and threats must be reported immediately and no later than three hours after becoming aware of them. This is followed by an early warning within 24 hours, a detailed notification within 72 hours, and a final report within one month.
- What annual reporting obligations apply?
Annual cybersecurity plans must be submitted by 31 January for the current year, while risk assessment reports, domino-effect assessments, and reports on simulations and exercises must be submitted by 31 March for the previous year.
- What should energy entities do now?
Entities should assess whether they fall within the scope of the Rules, evaluate their likely classification status, review existing cybersecurity measures, and establish clear internal processes for incident escalation and reporting. Early preparation will help ensure compliance with the new framework and reduce operational risks.
The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.

