The European electricity system is facing a twin challenge of decarbonisation and digitalisation. While these trends bring many benefits, they also make the electricity system more vulnerable to cyberattacks. A successful cyberattack on the electricity system could have a profound and long-lasting impact on our economies and societies. However, protecting the electricity system from cyberattacks challenges traditional regulatory approaches.

This PhD thesis examines how the European Union, its institutions, and its Member States can effectively exercise control over cybersecurity in the electricity system. It identifies the challenges of cybersecurity regulation, critically assesses the current EU approach to electricity system cybersecurity and looks at alternative approaches of tackling the problem.

First, I explore the nature of cybersecurity in the electricity system and show how its characteristics create a control issue (Chapter 2). I then argue that in the absence of a direct line of control, systems thinking and design methods can be a useful tool for steering the system towards certain policy outcomes. I develop a model based on these methods, which provides an abstract representation of the various regulatory functions (Chapter 3).

In the next chapters, I apply this model and map it to the current regulatory framework at the EU level. First, I explore the general principles and goals of the policy and regulation on cybersecurity in the electricity system (Chapter 4). Second, I look at the translation of these principles into concrete instruments (Chapter 5). Third, I discuss the certification of cybersecurity requirements (Chapter 6). I then examine information sharing in the system (Chapter 7). Next, I explore the ways in which cyberattacks against the electricity system can be remediated. I look at ex ante measures (prevention), the immediate response to an attack (recovery) and the longer-term system restoration (recuperation) (Chapter 8). Finally, I evaluate the performance of the model and compare it to other approaches (Chapter 9).

I conclude that while the European policy and regulation of cybersecurity in the electricity system is relatively well-developed, it faces some important challenges. I also find that the model can be a useful tool for policy analysis and development (Chapter 10).

The material in this thesis has been kept up to date until 1 July 2021.