NCCS Regulation EU 2024/1366 | Article 37(8)

Classify the cyberattack.
Report it correctly.
Avoid liability.

The ENTSO-E Cyber-Attack Classification Scale (CACS) requires energy suppliers, grid operators and critical infrastructure to systematically classify and report cyberattacks. The methodology has been in force since 13 June 2025.

Gravity levels High and Critical must be reported under Art. 38(4) NCCS; executive management is personally liable for the reporting duty.
Valeri Milke, CEO & Founder, VamiSec GmbH. ISO 27001 Lead Auditor | NCCS expert
5 severity grades (Gravity Levels)
In force: NCCS valid since 13 June 2025
Art. 38(4): Reporting duty for High & Critical
TSO & DSO: Affected energy actors
Regulatory framework

Four regulations. One obligation.

The CACS methodology is embedded in a complex EU regulatory environment. Anyone operating as an energy actor must understand all layers.

Art. 37(8)

NCCS Reg. EU 2024/1366

Requires TSOs and DSOs to apply the CACS methodology. The methodology has been in force since 13 June 2025.

Art. 23

NIS2 Directive 2022/2555

Reporting obligations for significant incidents within 24 hours (Early Warning) and 72 hours (Notification).

Art. 3(14)

DORA Reg. EU 2022/2554

Definition of "cyberattack" — CACS uses this definition as the basis for distinguishing malicious / not malicious.

Art. 19

Electricity Reg. EU 2019/943

The Union-wide Risk Assessment identifies High-Impact and Critical-Impact processes as the basis for asset classification.

Who is affected?

Transmission System Operators (TSO)
Distribution System Operators (DSO)
Power exchanges & trading systems
Critical IT/OT infrastructure in the energy sector
SCADA and ICS system operators
Cloud and IT service providers for energy suppliers
Methodology | Art. 4–7 CACS

From event to reporting duty

Every security event passes through this 4-step assessment process. Whenever a parameter changes, the classification must be repeated (Art. 7.3).

01 | Art. 4 | Root Cause: Determine the cause

Is the origin of the event intentional (malicious), unintentional or unclear (uncertain)? Only malicious or uncertain qualify as a cyberattack.

  • Malicious → Cyberattack
  • Uncertain → Cyberattack
  • Not Malicious → No report

02 | Art. 5 | Potential Impact: Affected perimeter

Which assets are affected? Do they belong to the High-Impact or Critical-Impact perimeter under NCCS Art. 26(4)(c)?

  • Low PI: No High/Critical asset
  • High PI: High-Impact asset affected
  • Critical PI: Critical-Impact asset affected

03 | Art. 6 | Severity: Attack severity (MITRE)

How far has the attacker progressed? Based on position within the MITRE ATT&CK Kill Chain (Enterprise & ICS).

  • Low: Recon, Resource Dev, Initial Access
  • High: Execution to Discovery
  • Critical: Lateral Movement to Impact

04 | Art. 7 | Gravity: Overall assessment

A combination of Potential Impact and Severity yields the final gravity level. High and Critical are reportable under Art. 38(4) NCCS.

  • To Follow / Medium / Important
  • High → Reportable
  • Critical → Reportable

  • Art. 4: Not Malicious → Not reportable
  • Art. 5: Low Potential Impact → Not reportable
  • Art. 7: To Follow / Medium / Important → Not reportable
  • Art. 7: High or Critical Gravity → Reportable (Art. 38 NCCS)
Annex I – CACS Methodology

Gravity matrix & MITRE Kill Chain

Potential Impact × Severity = Gravity Level. Cells marked with ★ are reportable under Art. 38(4) NCCS.

Gravity matrix (Art. 7)

                     Low PI       High PI            Critical PI
Low Severity         To Follow    Medium             Important
High Severity        Medium       High ★ Required    High ★ Required
Critical Severity    Important    High ★ Required    Critical ★ Required

Gravity levels, ascending: To Follow, Medium, Important, High ★, Critical ★

MITRE ATT&CK Kill Chain (Art. 6)

Low Severity: Attacker is attempting to gain access to one or more assets.
  • Reconnaissance, Resource Development, Initial Access

High Severity: Attacker has at least limited access to one or more assets.
  • Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery

Critical Severity: More than one asset is affected through lateral movement, or the attacker can interrupt processes.
  • Lateral Movement, Collection, Command & Control, Exfiltration, Inhibit Response Function, Impair Process Control, Impact
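The four steps above (Art. 4 to 7) and the gravity matrix can be written down as a small, testable classifier, which is what a SOC would want in order to apply the method consistently and to re-run it whenever a parameter changes (Art. 7.3). The following Python is an added example written for this page; it is not ENTSO-E's or VamiSec's tooling, and the class and function names are the example's own. The tactic-to-severity mapping and the gravity matrix are taken from the page as shown; treating assets outside both perimeters as the label "Low" is the example's assumption.

```python
"""
Added example: the CACS classification steps (Art. 4-7) as a small classifier.
Illustration code for this page, not ENTSO-E's or VamiSec's tooling. Names
are the example's own; the tactic mapping and gravity matrix follow the page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class RootCause(Enum):
    """Art. 4: origin of the event. Only MALICIOUS and UNCERTAIN are cyberattacks."""
    MALICIOUS = "malicious"
    UNCERTAIN = "uncertain"
    NOT_MALICIOUS = "not malicious"


# Art. 6: MITRE ATT&CK (Enterprise + ICS) tactic -> severity, as listed on the page.
SEVERITY_BY_TACTIC = {
    "Reconnaissance": "Low", "Resource Development": "Low", "Initial Access": "Low",
    "Execution": "High", "Persistence": "High", "Privilege Escalation": "High",
    "Defense Evasion": "High", "Credential Access": "High", "Discovery": "High",
    "Lateral Movement": "Critical", "Collection": "Critical",
    "Command & Control": "Critical", "Exfiltration": "Critical",
    "Inhibit Response Function": "Critical", "Impair Process Control": "Critical",
    "Impact": "Critical",
}
_SEVERITY_RANK = {"Low": 0, "High": 1, "Critical": 2}
# Assumption: an asset outside both NCCS perimeters is recorded with label "Low".
_IMPACT_RANK = {"Low": 0, "High": 1, "Critical": 2}

# Art. 7: (potential impact, severity) -> gravity level, row by row from the matrix.
GRAVITY_MATRIX = {
    ("Low", "Low"): "To Follow", ("High", "Low"): "Medium", ("Critical", "Low"): "Important",
    ("Low", "High"): "Medium", ("High", "High"): "High", ("Critical", "High"): "High",
    ("Low", "Critical"): "Important", ("High", "Critical"): "High",
    ("Critical", "Critical"): "Critical",
}
REPORTABLE_GRAVITY = {"High", "Critical"}  # Art. 38(4) NCCS


@dataclass(frozen=True)
class Classification:
    cyberattack: bool
    potential_impact: Optional[str] = None
    severity: Optional[str] = None
    gravity: Optional[str] = None
    reportable: bool = False


def potential_impact(asset_perimeters: Iterable[str]) -> str:
    """Art. 5: highest perimeter among the affected assets; no High/Critical asset -> Low."""
    perims = list(asset_perimeters)
    unknown = [p for p in perims if p not in _IMPACT_RANK]
    if unknown:
        raise ValueError(f"unknown perimeter label(s): {unknown}")
    return max(perims, key=_IMPACT_RANK.__getitem__, default="Low")


def severity(observed_tactics: Iterable[str]) -> str:
    """Art. 6: severity follows the furthest kill-chain position observed so far."""
    tactics = list(observed_tactics)
    if not tactics:
        raise ValueError("at least one observed tactic is required")
    unknown = [t for t in tactics if t not in SEVERITY_BY_TACTIC]
    if unknown:
        raise ValueError(f"tactic(s) not in the CACS mapping: {unknown}")
    return max((SEVERITY_BY_TACTIC[t] for t in tactics), key=_SEVERITY_RANK.__getitem__)


def classify(root_cause: RootCause, asset_perimeters: Iterable[str],
             observed_tactics: Iterable[str]) -> Classification:
    """Run all four steps. A not-malicious event stops at Art. 4 and is never reported."""
    if root_cause is RootCause.NOT_MALICIOUS:
        return Classification(cyberattack=False)
    pi = potential_impact(asset_perimeters)
    sev = severity(observed_tactics)
    grav = GRAVITY_MATRIX[(pi, sev)]
    return Classification(True, pi, sev, grav, grav in REPORTABLE_GRAVITY)


def reassess(root_cause: RootCause, asset_perimeters: Iterable[str],
             tactic_timeline: List[str]) -> List[str]:
    """Art. 7.3: re-run the classification after each newly observed tactic and
    return the gravity level after every step, so a crossing into High/Critical
    (and thus the start of the Art. 38(4) reporting duty) is visible."""
    perims = list(asset_perimeters)
    seen: List[str] = []
    gravities: List[str] = []
    for tactic in tactic_timeline:
        seen.append(tactic)
        gravities.append(classify(root_cause, perims, seen).gravity)
    return gravities


if __name__ == "__main__":
    # Constructed scenario: a malicious event on a High-Impact asset that
    # progresses from Initial Access to Execution to Discovery.
    timeline = ["Initial Access", "Execution", "Discovery"]
    for tactic, grav in zip(timeline, reassess(RootCause.MALICIOUS, ["High"], timeline)):
        print(f"{tactic:16s} -> gravity {grav}, reportable={grav in REPORTABLE_GRAVITY}")
```

In the constructed scenario the event starts as Medium (High PI, Low severity) and becomes reportable the moment Execution is observed, which is exactly the point at which Art. 7.3 requires the classification to be repeated and the Art. 38(4) clock to be considered. Unknown tactic or perimeter labels raise an error rather than silently classifying as Low, so a typo in an analyst's input cannot suppress a report.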
VamiSec CACS consulting

We make you CACS-ready.

From gap analysis to a fully operational reporting process — VamiSec accompanies you all the way to NCCS Art. 37(8) compliance.

Asset classification

Identification and assignment of your assets to High-Impact and Critical-Impact perimeters under NCCS Art. 26(4)(c).

Root Cause framework

Development of internal processes for fast, legally compliant root-cause assessment of security events.

MITRE ATT&CK mapping

Integration of the MITRE ATT&CK Enterprise and ICS frameworks for automated severity assessment.

CACS gap analysis

Inventory: where does your organisation stand today? What is missing for full NCCS Art. 37(8) compliance?

Reporting processes (Art. 38)

Setup of legally compliant reporting procedures for High and Critical Gravity incidents to national authorities and CSIRTs.

CACS training & tabletop

Hands-on training and incident simulation for your SOC, IT and management — including CACS classification exercises.

Reach out directly

CACS compliance starts with a conversation.

The CACS methodology has been mandatory since 13 June 2025. Many energy operators have not yet fully completed the implementation — especially the asset classification and MITRE integration.

Our team knows the NCCS requirements from practice and has already guided several TSOs and DSOs through the implementation. ISO 27001 certified.

  • ISO 27001 Lead Auditor & Lead Implementer
  • NCCS & NIS2 compliance experts
  • MITRE ATT&CK practitioners (Enterprise & ICS)
  • Experience in the energy sector (TSO/DSO projects)
Valeri Milke, CEO & Founder

Are your processes CACS-ready?

The CACS methodology is in force. Request a free gap analysis now and ensure compliance.

Book free initial consultation