Aligning DYNAMO Framework with the EU Cyber Resilience Act in the Energy Sector
DOI:
https://doi.org/10.34190/iccws.21.1.4481
Keywords:
Cyber Resilience Act (CRA), Energy sector cybersecurity, Operational technology (OT), Critical infrastructure protection, Dynamo platform, post-market monitoring
Abstract
The importance of robust cybersecurity frameworks has been raised by the digitalisation of critical infrastructure, particularly in the energy sector. The European Union (EU) launched the Cyber Resilience Act (CRA) in 2022, establishing uniform cybersecurity standards for products with digital elements at all lifecycle stages to address this issue. CRA describes requirements for software and hardware products with digital elements placed on the EU market. This study examines the CRA's effects on the energy sector and evaluates how the DYNAMO platform can support compliance and enhance sectoral resilience. The platform's key element is a dynamic resilience assessment methodology, which combines business continuity management (BCM) and cyber threat intelligence (CTI). Significant cybersecurity vulnerabilities in the energy sector are identified in the study, which include a growing attack surface, complex supply chains, and convergence of operational technology (OT) and information technology (IT) systems. CRA's inability to address OT-specific challenges, particularly in legacy systems like SCADA, is highlighted in the study through a literature review and case study analysis. The gap analysis shows that although CRA follows standards like NIST and ISO 27001, it doesn't have provisions for real-time monitoring, adaptive risk management, and OT-specific protections. To resolve those gaps, the research suggests that DYNAMO include 24-hour incident reporting to the European Union Agency for Cybersecurity (ENISA), structured vulnerability disclosure protocols, and post-market surveillance mechanisms. Additionally, DYNAMO must develop customised plans for OT environments, which involve retrofitting outdated systems and improving threat detection abilities. The findings show that cybersecurity in the energy industry requires a more dynamic and functionally integrated approach. 
Aligning DYNAMO and CRA will support regulatory compliance and strengthen the industry's resilience to evolving cyber threats. The next stage of research should be to validate these recommendations via empirical testing and explore cross-sector applications of the DYNAMO framework.
License
Copyright (c) 2026 Ilkka Tikanmäki, Jarmo Maikkola, Joonas Nykopp, Sara Väisänen, Shakti Panta Khatri

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.