Key data
| Regulation | Correction of errors in Delegated Regulation (EU) 2024/1366 — network code on cybersecurity for cross-border electricity flows |
|---|---|
| Base regulation | Delegated Regulation (EU) 2024/1366, of 11 March 2024 (OJ L, 2024/1366, 24.5.2024) |
| Complemented regulation | Regulation (EU) 2019/943 of the European Parliament and of the Council — internal market for electricity |
| Correction publication | 19 May 2026 |
| Original entry into force | 24 May 2024 |
| Affected parties | Electricity network operators, transmission system managers and participants in cross-border EU electricity markets |
| Category | Energy / Sectoral cybersecurity |
| CELEX reference | 32024R1366R(04) |
Electricity network operators and transmission managers operating in European cross-border markets must review the corrected text of Delegated Regulation (EU) 2024/1366. The correction of errors published on 19 May 2026 affects the network code that establishes specific cybersecurity requirements for cross-border electricity flows in the EU, complementing Regulation (EU) 2019/943 on the internal market for electricity.
The correction is technical in nature, but ignoring it carries a real risk: internal compliance procedures designed from the original, erroneous text may not align with the valid official version.
What does this regulation establish?
Delegated Regulation (EU) 2024/1366 creates a sectoral cybersecurity network code specific to the field of cross-border electricity flows in the European Union. This code is mandatory for sector operators and establishes three blocks of obligations:
- Cybersecurity risk management: operators must identify, assess and manage cyber risks affecting their systems and infrastructure linked to cross-border flows.
- Incident notification: relevant cybersecurity incidents must be reported in accordance with the procedures established in the regulation.
- Measures to protect critical energy infrastructure: specific controls and safeguards are required to protect infrastructure considered critical in the context of the European electricity market.
The correction of errors published in 2026 (CELEX reference: 32024R1366R(04)) is technical in nature: it does not introduce new obligations or modify the substance of the regulation, but rather corrects errors in the text published on 24 May 2024 to ensure its correct application. The original regulation complements Regulation (EU) 2019/943, which regulates the internal electricity market at European level.
Economic and operational impact
Although the correction is technical, its operational impact is direct for any organization that has designed its compliance systems based on the original text. The practical effects are concentrated in three areas:
| Area of impact | Operational consequence |
|---|---|
| Compliance documentation | Internal procedures based on the erroneous text may require review and update |
| Risk management | Risk assessment frameworks must be verified against the corrected text to ensure their validity |
| Incident notification | Notification protocols must be aligned with the updated official version of the regulation |
| Protection of critical infrastructure | Protection measures implemented must be reviewed to confirm they conform to the corrected text |
The cost of not reviewing the corrected text is not immediate, but it is cumulative: operating with procedures based on an erroneous version of the regulation can generate compliance deviations that may be detected in subsequent audits or inspections.
Who does it affect?
This regulation directly affects entities participating in the European cross-border electricity market:
- Electricity network operators with activity in cross-border flows within the EU
- Transmission system managers (TSOs — Transmission System Operators) operating in the interconnected European market
- Participants in cross-border EU electricity markets that manage or access infrastructure linked to these flows
- Cybersecurity and regulatory compliance officers in energy sector companies with cross-border operations
- Legal advisors and consultants providing services to European electricity sector entities
Practical example
An electricity transmission system manager operating interconnections between Spain and France designed its internal cybersecurity framework in June 2024 based on the original text of Delegated Regulation (EU) 2024/1366, published on 24 May 2024.
With the publication of the correction of errors in May 2026, this operator must:
- Locate the specific points in the text that have been corrected in version CELEX:32024R1366R(04).
- Compare those points with the internal procedures for risk management and incident notification that it has documented.
- Update any procedure that was drafted following the erroneous wording of the original text.
- Keep documentary evidence of the review carried out, in anticipation of possible regulatory compliance audits.
This verification process is especially critical in the sections relating to incident notification and measures to protect critical infrastructure, which are the blocks with the highest regulatory exposure.
What should companies do now?
- Download the corrected text: access the official version CELEX:32024R1366R(04) on EUR-Lex and save the document as an updated compliance reference.
- Identify the corrected points: locate which articles or sections have been modified by the technical correction and assess whether they affect your internal procedures.
- Review compliance documentation: compare your risk management frameworks, incident notification protocols and critical infrastructure protection measures with the corrected text.
- Update affected procedures: if you detect deviations from the corrected text, update internal documents and keep a traceable record of the change.
- Inform responsible teams: communicate to cybersecurity, regulatory compliance and operations teams the existence of the correction and its implications for their areas.
- Document the review: formally record that verification of compliance with the corrected text has been carried out, as evidence for possible audits.