Executive Summary
One of the topics being addressed in Work Package 1 (Project Management) is the management of legal and ethical compliance issues. More specifically, Task 1.3 aims to support the coordination of SELP management (Security, Ethical, Legal and Privacy) in CyberSEAS.
To support SELP management in CyberSEAS, an initial deliverable (D1.4 – Interim SELP report) was delivered in the first year of the project, providing a consolidated view of the SELP activities and issues to be addressed in the project, along with the methodology to implement and monitor these issues.
As outlined in D1.4, these issues focused on:
- Data protection and privacy requirements, as addressed also in more operational detail in other tasks and deliverables;
- Security requirements, which are not only driven by data protection, but can also be linked to existing and emerging cybersecurity legislation, network and information security legislation and critical infrastructure protection (CIP) laws;
- The emerging data governance legislation at the EU level, notable the emerging notion of a single European Energy Data Space, as well as the impacts of the European Energy Package and its provisions related to the sharing of energy data;
- And finally, the ethical requirements, which are detailed in other deliverables.
Task 1.3 ran throughout the CyberSEAS project, and the deliverable was continuously refined and updated to reflect both the progress of piloting activities, and evolutions of the legal framework.
These evolutions have been significant, as had been largely expected. Most notably, since the submission of D1.4, over a period of barely 24 months, the EU has adopted the NIS 2 Directive, the CER Directive, the AI Act, the first network code on cybersecurity for the electricity sector, and the EUCC cybersecurity certification scheme, to name but the most significant ones. The legal framework has thus been a continuously and fast moving target. While these new frameworks only rarely and indirectly affected piloting activities directly, it was nonetheless important to analyse them, and identify current impacts on CyberSEAS products and services, either now or in the future.
The present final SELP report has a ‘best practice’ goal, and aims to share the difficulties and solutions linked to SELP that have been encountered during the lifetime of CyberSEAS. As such, it provides a summary of the requirements that includes these new frameworks, reports on their implementation in the project, and describes the principal lessons learned.
The report includes in its Annex a high-level SELP manual for EPES projects, that can be used to deploy CyberSEAS solutions in a secure and legally compliant manner even after the project’s duration, and that can also be used as a tool to guide EPES deployments even outside the context of CyberSEAS projects and services. In this manner, CyberSEAS aims to provide a significant contribution to increased cyber resilience in European EPES, also from a SELP perspective.
