
Securing Our Critical Infrastructure

Cyber Challenges in Kosovo’s Energy Sector

When the lights go out, it is rarely just an inconvenience. For a country, it can mean hospitals paralyzed, water systems disabled and entire communities left in the dark. Around the world, energy systems have become the frontline of cyber conflict, targeted not only by criminals but also by state-backed actors seeking to exploit weaknesses.

To date, there have been no publicly reported cyberattacks targeting Kosovo’s critical infrastructure. Yet the threat is neither abstract nor distant. In November 2024, a powerful explosion occurred in a water canal in Zubin Potok, disrupting the supply to two coal-fired power plants that together produce more than 90% of the country’s electricity. Though the attack was physical, its impact exposed how easily one strike could cripple the nation’s energy security. It also triggered fears of what a coordinated cyberattack might look like: silent, invisible and potentially far more devastating.

As Kosovo modernizes its energy system, it is introducing smart grids — electricity networks that utilize digital technologies, sensors and real-time data to enhance reliability, efficiency and flexibility. These digital upgrades also create new entry points for cyberattacks. While smarter systems help address long-standing challenges such as outages, inefficiencies and limited control, they also increase cyber risks, necessitating robust cybersecurity safeguards.

Much of Kosovo’s power grid was built decades ago, and upgrading this aging infrastructure without robust cybersecurity measures could leave critical systems exposed to serious threats. The transition from analog systems to smart grids significantly broadens the cybersecurity risk landscape, and Kosovo remains particularly vulnerable as it lacks a dedicated and comprehensive strategy to safeguard the cybersecurity and resilience of its essential energy infrastructure. Strengthening the capacities of energy regulators and operators is therefore urgent. 

Regulators must be equipped to set and enforce cybersecurity standards, while operators require the expertise and tools to detect, prevent and respond effectively to threats. Without these investments, the benefits of smart grids and renewable integration risk being overshadowed by growing cyber vulnerabilities. Although strengthening cybersecurity is likely to increase system costs, it is essential for ensuring the reliability and resilience of Kosovo’s energy infrastructure. Ultimately, the costs of inaction – service disruptions, financial losses and erosion of public trust – would be far greater.

Workers at KEK, Photo by Atdhe Mulla / K2.0.

Around the world, cyberattacks on energy systems are increasing. The International Energy Agency has estimated that the attacks more than doubled between 2020 and 2022, with a record of 1,101 events globally in 2022 where utilities were targeted. In recent years, European utilities have increasingly been targeted by ransomware attacks, and the European Electricity Industry Association (Eurelectric) called for stronger EU cybersecurity measures, expanded workforce development, increased investment, and enhanced collaboration to prevent blackouts and societal disruptions. Such examples highlight the urgent need for robust cybersecurity measures across the energy sector to prevent operational disruptions and protect essential services. These are not distant threats; they serve as clear examples of what could happen in Kosovo if vulnerabilities are left unaddressed. 

In a region where the lights once went out due to war, they must not go out again because of inaction. A cyberattack is not just a matter of crashing a single computer; it can disable an electricity grid, a hospital or a water system, with consequences that extend far beyond technical failures. Critical infrastructure is no longer purely physical; it is now a frontline in national security. If Kosovo is serious about energy security, cybersecurity must be recognized as a national governance priority, not merely a technical concern.

Kosovo’s cyber shield: a legal skeleton with missing organs 

Kosovo has taken steps on paper. Two laws now form the backbone of its regulatory response. The first, introduced in 2018, is the Law on Critical Infrastructure. This foundational law, the first of its kind in the Western Balkans, establishes a comprehensive framework for identifying, protecting and managing critical infrastructure across sectors such as energy, transport and water systems. It transposed EU standards and set requirements for operators to develop security plans and coordinate through institutional mechanisms under the Ministry of Internal Affairs.

The second, passed in early 2023, is the Law on Cybersecurity. This law lays the groundwork for Kosovo’s national cybersecurity architecture. It defines core principles and roles, mandates institutional cooperation and establishes the Cyber Security Agency. It aligns with EU directives, boosting the security of the country’s information systems and networks. A draft of the National Cybersecurity Strategy is reportedly in circulation. Regionally, Kosovo is part of the Energy Community initiatives and Western Balkans dialogues on cyber resilience.

The implementation of these laws, however, remains uneven, fragmented and slow. Currently, Kosovo’s energy sector lacks an operational Computer Security Incident Response Team (CSIRT), a team that monitors, detects, and responds to cybersecurity incidents at both the organizational and national levels. To address this gap, in 2023, organizations such as NRD Cyber Security proposed the establishment of a sector-specific Energy CSIRT (E-CERT), a team dedicated exclusively to the energy sector.


Once operational, E-CERT would monitor and respond to cybersecurity incidents across Kosovo’s energy infrastructure, coordinate rapid threat mitigation, share intelligence among operators and ensure that critical systems – including power plants and transmission networks – remain secure.

Under the Law on Cybersecurity, Kosovo’s energy sector has been formally designated as critical infrastructure. Entities in energy production, transmission and distribution are now considered Operators of Essential Services (OES). The law mandates strict cybersecurity requirements for all OES, including developing policies, reporting incidents in set timeframes and implementing technical measures. Despite these frameworks, practical implementation remains limited, and with an E-CERT not yet fully operational, there are gaps in the sector’s ability to detect, respond and recover from cyber threats.

The lack of skilled cybersecurity professionals is another compounding challenge. Kosovo, like much of the Western Balkans, faces a shortage of IT specialists, with many leaving for better-paid opportunities in the EU. Building capacity for specialized roles in industrial cybersecurity will require not only education and training programs but also incentives to retain talent. The OECD’s Western Balkans Competitiveness Outlook 2024 highlights that Kosovo struggles to attract and retain skilled professionals, including in the cybersecurity sector, due to limited local opportunities and the allure of better prospects abroad.

The threats of modernizing Kosovo’s energy sector

Kosovo’s energy sector is at a turning point. The introduction of smart grids, automation, renewable energy integration and data-driven monitoring is transforming the way power is generated, distributed and consumed in Kosovo. Kosovo Energy Corporation (KEK), which operates the country’s main power plants, and the Kosovo Transmission System and Market Operator (KOSTT), which manages the national electricity grid and market, are both undergoing modernization of their operations. Smart metering is expanding. The state is betting big on digital solutions to solve legacy problems, from outages to billing inefficiencies.

But the question no one seems to be asking is: can we defend this new infrastructure?

Unlike traditional one-way power systems, smart grids enable two-way flows of both electricity and information, making it easier to integrate renewable energy sources, reduce outages, and optimize billing and operational efficiency. This process, however, also significantly broadens the cybersecurity risk landscape.


Kosovo’s electricity grid is still mainly operated through older digital control systems (SCADA), which monitor and control power flows, and are essential for running power plants and transmission lines, but were not originally designed with cybersecurity in mind. The transmission infrastructure is operated by KOSTT, while KEDS manages electricity distribution. As the sector undergoes digitization, securing SCADA systems has become critical to prevent cyber exploitation. The energy sector faces a range of cyber threats, with ransomware attacks, where malicious software encrypts a company’s data or systems and demands payment to restore access, being among the most prominent. 

With over 95% of people aged 16 to 74 regularly using the internet, Kosovo is a highly connected society. Smart metering systems, automated billing platforms and digital grid management tools could all be targeted, potentially causing widespread power outages, inaccurate billing and interruptions to water and electricity distribution. Smart meters, if breached, could reveal sensitive consumer data or be manipulated to trigger errors in billing or the electricity grid. Even digital contracts and automated reporting systems, which the sector relies on for operational efficiency, often lack robust encryption or authentication protocols, leaving them vulnerable to cyber exploitation.

Compounding these technical gaps is the lack of regular cyber audits and sector-wide simulation drills to test readiness against attacks, while awareness among personnel also remains low. Limited cyber drills, weak incident response systems and insufficient public-private coordination significantly undermine the sector’s ability to respond to cyber incidents. Everyday operational issues could quickly escalate into broader risks for energy security, making the sector a prime target for cyber threats.

Cybersecurity in the Western Balkans and EU alignment

Globally, the threat of cyberattacks is far from theoretical. Russian hackers successfully infiltrated Ukraine’s power grid in 2015, using malware such as BlackEnergy and Industroyer to cut electricity to hundreds of thousands of people. In 2021, the Colonial Pipeline ransomware attack disrupted fuel supplies across the eastern United States, demonstrating how cyber incidents in energy infrastructure can cause panic and economic dislocation. In April 2025, Russian hackers briefly took control of a Norwegian dam, releasing 500 liters per second for four hours before being stopped, highlighting the vulnerability of Norway’s hydro-dependent energy sector.

In the region, Kosovo is not alone in facing energy-related cyber risks. Across the Western Balkans, governments have already witnessed the disruptive impact of cyberattacks. In 2022, Albania suffered one of the most severe cyber incidents in the region when Iranian state-backed hackers shut down government services for weeks, crippling communication systems and forcing Tirana to sever diplomatic ties with Tehran. That same year, Montenegro’s government was hit with ransomware attacks that disrupted state institutions, financial systems and energy sector operators, prompting NATO’s rapid cyber assistance teams to intervene. North Macedonia and Bosnia and Herzegovina have also reported sharp increases in attempted intrusions on public institutions.

These attacks underline a critical lesson: in small, digitally vulnerable states, a single cyber incident can escalate into a full-blown national security crisis. Energy, as the backbone of modern economies, is a prime target. Unlike banks or ministries, power grids and energy plants cannot “go offline” to contain damage; disruption translates immediately into blackouts, production halts and public panic.


In 2024, the European Union established Commission Delegated Regulation (EU) 2014/1366, a Network Code on cybersecurity that sets sector-specific rules for cross-border electricity flows and harmonizes requirements for interconnected systems. The EU has already recognized the growing threat and has acted decisively through the Network and Information Security Directive (NIS2), which entered into force in 2023. NIS2 requires member states to adopt stronger frameworks for critical infrastructure protection, enforce mandatory incident reporting and expand oversight of operators in essential sectors, including energy. ENISA, the European Union Agency for Cybersecurity, has further stressed that energy grids, especially electricity transmission and distribution, are among the most attractive targets for cybercriminals and hostile states.

The Energy Community Secretariat, an international organization that assists non-EU countries, such as Kosovo, in aligning with EU energy rules, is exploring how to align its member states with this regulatory framework. Discussions are underway to adapt and adopt consistent cybersecurity standards regionally. For Kosovo and its neighbors, closer coordination among electricity system operators is critical – including aligned incident response, information sharing and joint planning. A cyberattack in one part of the network carries the risk of cascading impacts, especially across borders, which could destabilize the entire interconnected system if left unchecked.

For Kosovo, which aspires to align with EU standards, the lack of regulatory oversight is acute. While some neighbors have begun incorporating NIS2 requirements into national law, such as Croatia and Slovenia, Kosovo still lacks a comprehensive, sector-specific cybersecurity strategy for the energy sector. Existing frameworks, while improving, remain fragmented and under-resourced. Without stronger alignment, Kosovo risks falling further behind just as cyberattacks on critical energy systems are becoming more frequent, sophisticated and geopolitically weaponized.

Building Kosovo’s cyber shield

Kosovo’s path forward requires a combination of institutional reform, regulatory alignment and capacity building. The most urgent step is to establish and operationalize the E-CERT. This institution must be given sufficient resources, staff and technical capabilities, along with the authority to monitor, detect and respond to cyber threats across the entire energy sector. Without this foundation, all other initiatives risk being undermined by fragmented responses and delayed actions.

In parallel, Kosovo should align its frameworks with the EU’s NIS2 Directive. Doing so would ensure consistency with European standards while sending a clear signal of readiness for integration. The adoption of sector-specific cybersecurity standards for operators such as KEK, KOSTT and KESCO is equally important. These standards should address vulnerabilities in SCADA systems, enforce regular audits, and mandate strong encryption and authentication protocols for all digital infrastructure.

Building a skilled workforce must be treated as a national priority. Kosovo needs to train specialists in operational technology and cybersecurity, creating incentives to keep talent in the country. Partnerships with universities, vocational programs and international donors can help develop this expertise, but retention requires competitive conditions and recognition of cybersecurity as a core component of national security.

KEK, Photo by Atdhe Mulla / K2.0.

Transparency and accountability are also essential. Operators should be legally required to report cyber incidents within strict timeframes and share technical assessments to strengthen collective resilience. Concealment of breaches only benefits attackers. Finally, Kosovo must embrace cooperation beyond its borders. Engagement with ENISA, NATO and regional CSIRTs would enhance intelligence-sharing and provide access to best practices. A permanent government-industry forum on energy cybersecurity could further bridge the gap between policy makers and operators, ensuring that responses to cyber threats are coordinated and timely.

Critical infrastructure has become the frontline of national security, and any weakness in cybersecurity is now a direct threat to the safety and well-being of citizens. The Zubin Potok incident was a stark warning. Kosovo’s energy system stands at a crucial crossroads. The shift toward smart grids, automation and renewable energy offers efficiency and modernization, but also creates new vulnerabilities. Without decisive and immediate action, Kosovo risks repeating the mistakes seen elsewhere, such as Ukraine’s deliberate grid disruptions and Albania’s government shutdown caused by cyber intrusions.

For Kosovo, cybersecurity cannot remain a technical afterthought. It must be embedded at the heart of energy governance, fully integrated into policy, planning and operational strategy. The time to act is now, because energy security and national security are inseparable and must be treated as such.

 

Feature Image: Atdhe Mulla 
