Power & Utilities Sector – EU Regulatory Law developments – Digital challenges foreseen

The P&U sector is undergoing significant change, some of which is market driven, some driven by regulatory changes. As regards the regulatory driver, digital is an important element:

  • Online platforms will emerge to connect suppliers, distributors and customers – breach of foreseen new laws relating to platforms might impact business development and constrain the potential of business models;
  • Cyber security is already a proven threat – regulatory fines and other pressures mean market participants will need to devote more resources to this risk; and
  • New EU electricity market rules – customers will become digitally empowered to obtain better terms and to change suppliers.

I. Platforms

An EU Regulation to promote fairness and transparency for users of online intermediation services is expected to come into effect in Q3 2019. The Regulation is principally directed at online intermediary service providers, namely online platforms where either (a) the transaction and payment take place on the platform, typically with the platform charging a commission (e.g., Airbnb), or (b) the platform facilitates a commercial transaction and, while the transaction may not occur via the platform, there is a contractual relationship between the supplier (business user) and the platform (e.g., Facebook). The Regulation has significant practical consequences for the users of such platforms. It would apply to any P&U market participant that engages in business via an online platform that fits one of the two definitions above.

In the P&U sector:

  • businesses that have come together to form an off-grid pooling arrangement;
  • an electricity supplier broker;
  • an app providing information on and ability to pay at public charging stations;
  • storage solutions for EV demand integration; and
  • fleet transition services,

are examples of activities that, if conducted on an online platform, will be subject to the Regulation.

The Regulation principally addresses the relationship between the business user and the online platform (relationship ‘A’ in the diagram below), although some aspects touch on the relationship between the online platform and the end customer (relationship ‘B’ in the diagram below). The Regulation would apply 12 months after adoption and publication, so from Q3 2020.

  • What online platforms need to do before the effective date

Among other things, online platforms will need to review their terms and conditions to ensure they are clear and unambiguous, and easily available to business users. Failure to do so means the terms and conditions, or at least specific provisions, would be null and void, creating business disruption issues for the online platform.

The review of the terms and conditions should also occur before the effective date in order to refresh or update the terms. This is important because after the effective date all changes to the terms and conditions must first be notified to the business users. Business users can complain about any such changes, and ultimately the matter could go to mediation.

II. Cyber

Cyber security is a threat to the P&U sector, as it is for other sectors, but probably more so for the P&U sector given the imperative that the ‘lights must be kept on’. The latest EY Global Information Security Survey[1] reveals that only 65% of organizations believe they have cyber insurance that meets their needs. Two recent significant legal actions indicate that as cyber threats and their associated risks increase, even the remaining 35% of organizations may not be adequately covered by insurance. The first relates to a lawsuit claiming $100 million in damages that was filed in the U.S. State of Illinois, alleging wrongful denial of insurance coverage. The complainant, a victim of the NotPetya attack[2], claimed the business was covered by a property insurance policy (not cyber insurance, specifically)[3]. The second relates to a court in California that recently approved a $29 million settlement in a data-breach-related derivative lawsuit filed against the board of directors and senior executives of a company that suffered several data breaches. Shareholders can use derivative lawsuits to act on behalf of the company against its directors and officers to redress harm done to the company. The allegations in the complaint included a breach of fiduciary duties, failure to implement safety mechanisms to prevent attacks, and failure to investigate and remediate breaches after they occurred.

The two cases raise a number of questions about cyber insurance. In brief, securing cyber insurance does not mean investing less in processes and controls that will lead to better cyber hygiene. Digitization and connectivity have increased exposure to cyber risk; as a result, cyber insurance premiums are also increasing. Active cooperation between the insurer and the insured to strengthen cybersecurity practices could lead to lower premiums, broader coverage and fewer exclusions. This would benefit both the insured and the insurer: the former from lower fees and increased coverage, the latter from lower claims.

III. EU rules

The EU adopted in June a number of laws intended to make the EU electricity market fit for the challenges of clean energy transition – better connected, better protected against black-outs, better able to integrate renewable energy, more market-based and more consumer-oriented.[4] These new EU rules will adapt current EU market rules by

  • allowing electricity to move freely throughout the EU energy market through cross-border trade, more competition and better regional cooperation;
  • enabling more flexibility to accommodate an increasing share of renewable energy in the electricity grid;
  • fostering more market-based investments in the sector, while decarbonizing the EU energy system;
  • introducing a new emissions limit for power plants eligible to receive subsidies; and
  • improving planning to anticipate and respond to electricity market crisis situations, including through cross-border cooperation.

For the first time, consumers will have the right to request a smart meter and a dynamic price contract that allows them to be rewarded for shifting consumption to times when energy is widely available and cheap.

These changes will have a significant impact on the dynamics of the customer relationship. The new rules will apply from 1 January 2020, so there are only six months for companies to ensure they are prepared for the required changes, including in particular changes to their contractual provisions.





[1]     The EY Global Information Security Survey (2018–19) is available at https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf.

[2]     In June 2017, a global cyber attack called Petya (also known as Petrwrap, NotPetya, Petna and GoldenEye) impacted organizations across a wide range of sectors, including financial services, power and utilities, media, telecom, life sciences, transportation and government agencies. It was speculated to be a nation-state cyber attack.

[3]     Usually commercial general liability and property insurance policies exclude cyber risks, which has led to cybersecurity insurance as a different line of coverage.

[4]     The new electricity Directive and Regulation replace the Electricity Directive (2009/72/EC) and the Electricity Regulation (EC/714/2009).