SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
ENCS and DIVD sign MoU to strengthen vulnerability disclosure for Europe's critical infrastructure

New ENCS-DIVD pact targets energy cyber weaknesses

Thu, 5th Feb 2026

The European Network for Cyber Security (ENCS) and the Dutch Institute for Vulnerability Disclosure (DIVD) have signed a memorandum of understanding to formalise cooperation on finding and disclosing security flaws in systems used across Europe's critical infrastructure, including the electricity sector.

The agreement links ENCS security testing to DIVD's coordinated vulnerability disclosure process and its process for assigning Common Vulnerabilities and Exposures (CVE) identifiers. It covers high-impact systems and components that may be deployed across borders.

Both organisations are Netherlands-based non-profits that work with stakeholders in the energy sector and across critical infrastructure. The collaboration takes effect immediately.

Testing Focus

The memorandum outlines how vulnerabilities identified through ENCS testing will be addressed. ENCS has launched a security testing programme focused on high-power Internet of Things components, introduced during its General Assembly meeting at its headquarters in The Hague.

Under the framework, vulnerabilities identified by ENCS testers will undergo DIVD's coordinated disclosure process, which includes documenting issues, notifying affected parties, and managing timelines for public disclosure. CVE registration will also be handled through DIVD, providing a standard reference for organisations to track and remediate security issues.

ENCS security experts will also take part in DIVD testing activities and events. The partnership is intended to align technical testing with structured vulnerability handling, amid the European Union's growing focus on vulnerability management for critical systems.

Policy Context

The announcement comes as European policymakers increase scrutiny of cyber risk in connected products and operational technology environments. The Cyber Resilience Act has sharpened attention on how vulnerabilities are managed throughout the lifecycle of digital products, including reporting and remediation. Energy networks have also faced higher expectations for cyber risk governance as grid operations become more software-driven and reliant on third-party components.

Both organisations pointed to the cross-border nature of the risk. Components used in smart grids, substations, metering systems, and industrial communications can be deployed by multiple operators in different countries. A flaw in a widely used component can affect many organisations at once, raising the stakes for coordination and consistent disclosure practices.

DIVD said it provides a safe environment for hackers and security researchers to report vulnerabilities responsibly and coordinates verification and remediation with affected organisations. It said DIVD-CNA disclosed 47 vulnerabilities on energy devices in 2025, reflecting sustained attention on the sector.

Industry Links

ENCS is a membership organisation whose remit spans applied research, technical security requirements, component and end-to-end testing, and training. It works with distribution system operators, transmission system operators, and regulators, drawing on links across academia, government, and business.

The memorandum was signed at ENCS' General Assembly, where ENCS also staged a hacking demonstration. The demonstration underscored the need for coordinated vulnerability discovery and responsible disclosure in critical infrastructure environments.

ENCS members also appointed Wolfgang Löw, CISO of EVN Group, as Chair of the ENCS Assembly Committee.

Anjos Nijk, Managing Director of ENCS, said: "Strengthening Europe's cyber resilience requires close cooperation across the cybersecurity ecosystem. This agreement enhances our ability to identify and resolve vulnerabilities affecting critical infrastructure, while reinforcing responsible disclosure practices that help reduce risk for grid operators and other essential service providers."

Chris van 't Hof, Director of DIVD, said: "Effective vulnerability disclosure depends on trust, coordination and technical expertise. By working with ENCS and its community of security specialists and infrastructure stakeholders, we can help ensure vulnerabilities in high-impact systems are handled efficiently and responsibly."

Maarten Noom, Director Asset Management at Enexis and Chair of the ENCS General Assembly meeting, said: "With its deep industry knowledge and extensive network, ENCS has proven to be a valuable partner, making a crucial difference in addressing real cyber threats to our critical infrastructure."

ENCS tied the new testing programme and the agreement with DIVD to the increasing digitisation of energy systems and growing reliance on connected devices and software components. Löw said: "I am grateful for the trust of the ENCS Assembly, and I look forward to supporting ENCS in strengthening Europe's cyber resilience. The partnership with DIVD is an important milestone: timely insight into vulnerabilities in high-impact systems is essential for critical infrastructure operators to initiate effective protective measures at an early stage. This collaboration underscores ENCS' leadership in driving coordinated vulnerability discovery and resolution across the energy sector."