NIS2 for the Energy Sector: Compliance Across Electricity, Oil, Gas, and Hydrogen

Who should read this: Energy sector leaders, utilities, producers, operators, procurement teams, security teams, and anyone responsible for compliance in electricity, oil, gas, district heating, or hydrogen operations.

The energy sector is explicitly called out in NIS2 as critical to European security and prosperity. Electricity, oil, gas, district heating, and hydrogen operations are listed in Annex I as essential to the functioning of society. This sector faces intensified regulatory pressure and elevated cybersecurity expectations.

This guide walks through NIS2 compliance for the energy sector: who is in scope, what the key vulnerabilities are, and how to build compliance programmes specific to energy operations.

Energy Sector Scope: Five Subsectors

NIS2 Annex I, Sector 1 covers five energy subsectors:

Electricity

The electricity subsector covers the full supply chain from generation to distribution:

Electricity undertakings that carry out a supply function.

Distribution system operators (DSOs) who manage the distribution networks that deliver electricity to consumers.

Transmission system operators (TSOs) who manage the high-voltage networks that move electricity across regions.

Producers of electricity from any source (fossil, renewable, nuclear).

Nominated electricity market operators who run wholesale markets.

Market participants providing aggregation, demand response, or energy storage services.

Operators of EV recharging points responsible for management and operation.

In practical terms, if you generate, transmit, distribute, or supply electricity in the EU, and you meet the size threshold (250+ employees or EUR 50 million+ turnover), you are in scope. If you are smaller but designated by your Member State as essential, you are also in scope.

District Heating and Cooling

Operators of district heating or cooling systems (centralised heating or cooling that pipes hot water or chilled liquid to buildings) are in scope. This includes both public and private operators.

Oil

The oil subsector covers production, transmission, storage, and trade:

Operators of oil transmission pipelines (major pipelines moving oil across distances).

Operators of oil production, refining, and treatment facilities.

Storage facility operators.

Central stockholding entities (entities that maintain strategic oil reserves).

All of these are in scope if they meet the size threshold.

Gas

The gas subsector is broad:

Supply undertakings that sell gas to customers.

Distribution system operators who manage the distribution networks.

Transmission system operators who manage high-pressure networks.

Storage system operators who manage underground gas storage.

LNG system operators who manage liquefied natural gas facilities and regasification.

Natural gas undertakings.

Operators of natural gas refining and treatment facilities.

Hydrogen

A new subsector added to reflect the EU's hydrogen energy strategy:

Operators of hydrogen production facilities.

Operators of hydrogen storage.

Operators of hydrogen transmission networks.

Hydrogen is nascent, but as the sector grows, these operators become essential to the energy transition.

Nuclear Considerations

A special note on nuclear: NIS2 explicitly applies to entities "carrying out activities in the production of electricity from nuclear power plants."

However, Recital 10 recognises that some nuclear activities may be linked to national security. Where national security is involved, a Member State can exercise responsibility for safeguarding national security with respect to those activities, including activities within the nuclear value chain, in accordance with the EU Treaties.

In practice, this means:

Nuclear power plant operators are in scope for NIS2 compliance.

Member States may reserve certain aspects of nuclear cybersecurity (e.g., protection of sensitive national infrastructure) for national security treatment.

Entities should check with their national regulator (and national security authorities) to clarify which NIS2 obligations apply to nuclear operations and which may be handled outside the NIS2 framework.

Energy Sector Cyber Threat Landscape

The energy sector faces unique cyber threats:

State-sponsored attacks: Energy infrastructure is a target for state-sponsored actors seeking to undermine EU resilience or economic interests. Attacks have originated from Russia, China, Iran, and North Korea against energy targets globally.

Ransomware: Criminal ransomware groups target energy operators for financial gain. A successful attack can disrupt supply and cause economic damage.

Supply chain compromise: Energy companies depend on critical suppliers (SCADA/ICS vendors, software providers, contractors). Compromise of these suppliers can infiltrate energy operations.

Physical-cyber convergence: Energy infrastructure is both physical (pipelines, substations, power plants) and cyber. An attacker who compromises network systems controlling physical infrastructure can cause physical damage.

Espionage: Competitors and foreign governments seek to gather intelligence about energy operations, reserves, pricing, and geopolitics.

Insider threats: Employees with knowledge of energy operations could disclose sensitive information or sabotage systems.

Legacy systems: Much energy infrastructure was built decades ago and uses older control systems (SCADA, Distributed Control Systems) that were not designed with cybersecurity as a priority. These systems may be difficult or costly to upgrade while maintaining operational continuity.

Energy-Specific Implementation Challenges

Energy operators face particular challenges in implementing NIS2:

Operational Technology vs. Information Technology

Energy operations rely on Operational Technology (OT), meaning SCADA systems, Industrial Control Systems (ICS) and programmable logic controllers (PLCs) that directly control physical infrastructure (generators, transformers, valves, switches). OT systems are fundamentally different from IT systems:

OT systems prioritise availability and safety over confidentiality. A power plant must operate reliably even if connectivity is compromised.

OT systems often use proprietary protocols and older standards (Modbus, DNP3) not designed for modern cybersecurity.

OT systems may have long deployment cycles (10+ years) making rapid patching difficult.

Many OT systems do not support modern controls like multi-factor authentication.

Implementing NIS2 in OT environments requires balancing cybersecurity with operational continuity. You cannot take systems offline for patching or upgrades if doing so disrupts energy supply.

Legacy Infrastructure

Energy infrastructure is long-lived. Pipelines built in the 1970s may still be in operation. Power plants may be decades old. These systems were not designed with cybersecurity in mind.

Retrofitting modern cybersecurity controls onto legacy infrastructure is expensive and technically challenging. You may not be able to upgrade systems to meet NIS2 requirements without significant capital investment or operational disruption.

Strategy: conduct a risk assessment to identify the highest-risk legacy systems and prioritise upgrades. For systems that cannot be upgraded, implement compensating controls (e.g., network segmentation, monitoring, access controls) to reduce risk.

Interconnected Systems

Energy systems are interconnected at multiple levels:

TSOs and DSOs are connected to each other and to generators.

Energy markets connect multiple operators for trade and coordination.

Energy systems depend on external services (telecommunications, gas supply, water for cooling).

An attack on one entity can cascade to others. NIS2 requires you to manage your own security, but you must also be aware of how breaches upstream could affect you and how you could inadvertently affect downstream operators.

This interconnectedness also means that supply chain security is critical. A breach in a SCADA vendor could infiltrate multiple energy operators simultaneously.

Article 21 Implementation in Energy Contexts

The ten Article 21(2) measures apply to energy operators. Here is how they translate to energy contexts:

Risk Analysis and Security Policies

Energy operators must conduct risk assessments that specifically address:

Threats to physical infrastructure (sabotage, terrorism, accidents).

Threats to OT systems (cyber attacks targeting SCADA, PLCs, communications).

Interdependencies with other operators and critical services.

Supply chain risk for SCADA vendors and control system providers.

Incident Handling

Incident response for energy operators must address:

Operational continuity: how to restore operations if systems are damaged or compromised.

Physical safety: how to protect personnel if physical systems malfunction due to cyber attack.

Coordination with other operators: if a cross-sectoral or cross-border incident occurs, how to coordinate.

Law enforcement and regulators: energy incidents often attract law enforcement and regulatory attention.

Business Continuity

Energy operators must maintain critical operations even during major incidents. Backup systems for critical infrastructure are essential. For a power plant, this might mean:

Alternative control systems that can manually operate critical functions if cyber systems are compromised.

Off-site backup of critical system configurations and data.

Disaster recovery procedures that allow the operator to restore systems within defined time objectives (often very tight for energy: minutes or hours, not days).

Supply Chain Security

Energy operators depend on vendors for:

SCADA and control system software and hardware.

Network and telecommunications equipment.

Consulting and maintenance services.

Supply chain security for these vendors is critical. A compromised SCADA vendor is a threat to every energy operator using their products.

Implementation: assess all critical suppliers, require security certifications, contractually require notification of vulnerabilities and rapid patching, and have contingency plans if a critical supplier is compromised.

Secure Development

For energy operators developing custom software or firmware:

Require secure development practices (secure coding, code review, testing).

Implement vulnerability handling and disclosure.

Test software thoroughly before deployment in production environments.

For vendors providing products and services:

Require them to disclose vulnerabilities and provide patches.

Require them to conduct security assessments of their products.

Effectiveness Assessment

Energy operators must regularly assess their cybersecurity controls:

Conduct tabletop exercises simulating cyber attacks on critical systems.

Conduct penetration tests of network perimeters and OT systems (carefully, to avoid disrupting operations).

Review logs from OT systems to detect suspicious activity.

Measure key metrics: mean time to detect (MTTD) for intrusions, mean time to respond (MTTR) for incidents, percentage of systems patched, etc.
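The two assessment activities above, reviewing OT logs for suspicious activity and measuring MTTD, MTTR and patch coverage, are illustrated below in an added Python example. It is not code from this guide or from any vendor product: the log format, host addresses, maintenance window and incident records are all constructed, and the rules (Modbus write function codes from hosts outside an engineering allow-list, writes outside the approved window, repeated failed logons to a remote-access gateway) stand in for whatever an operator's own monitoring baseline defines.

```python
"""Review constructed OT gateway log lines for suspicious activity and compute
effectiveness metrics (MTTD, MTTR, patch coverage).

Added illustration, not code from the guide. Log format, hosts, window and
incident records are constructed; the rules are assumptions about one operator's
baseline, not a standard."""
from __future__ import annotations
from collections import Counter
from datetime import datetime
from statistics import mean

# Modbus function codes that change process state (coil/register writes).
MODBUS_WRITE_FCS = {5, 6, 15, 16}
# Constructed allow-list: only these engineering workstations may write to PLCs.
ENGINEERING_HOSTS = {"10.20.1.10", "10.20.1.11"}
# Constructed approved maintenance window, UTC hours [start, end).
MAINTENANCE_WINDOW = (8, 18)
FAILED_LOGON_THRESHOLD = 3

# Constructed sample export from an OT gateway / passive sensor (key=value style).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z event=modbus src=10.20.1.10 dst=10.30.0.7 fc=16 unit=1 addr=40010
2024-03-04T02:14:07Z event=modbus src=10.20.1.15 dst=10.30.0.7 fc=6 unit=1 addr=40010
2024-03-04T02:14:09Z event=modbus src=10.20.1.15 dst=10.30.0.8 fc=3 unit=1 addr=30001
2024-03-04T21:40:00Z event=modbus src=10.20.1.11 dst=10.30.0.9 fc=5 unit=2 addr=1
2024-03-04T03:01:10Z event=logon result=fail user=vendor_svc src=198.51.100.23
2024-03-04T03:01:14Z event=logon result=fail user=vendor_svc src=198.51.100.23
2024-03-04T03:01:19Z event=logon result=fail user=vendor_svc src=198.51.100.23
2024-03-04T10:00:00Z event=logon result=ok user=ops_maria src=10.20.1.10
"""

def _ts(s: str) -> datetime:
    """ISO-8601 with a trailing Z to an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict; the timestamp lands under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = _ts(ts)
    return rec

def review_ot_log(text: str) -> list[str]:
    """Return one finding string per suspicious record, in log order."""
    findings: list[str] = []
    failed_logons: Counter = Counter()
    for raw in text.strip().splitlines():
        rec = parse_line(raw)
        if rec["event"] == "modbus" and int(rec["fc"]) in MODBUS_WRITE_FCS:
            # Writes are the state-changing operations worth scrutiny; reads are not flagged.
            if rec["src"] not in ENGINEERING_HOSTS:
                findings.append(f"WRITE_FROM_UNAUTHORISED_HOST {rec['src']}->{rec['dst']} fc={rec['fc']}")
            elif not MAINTENANCE_WINDOW[0] <= rec["ts"].hour < MAINTENANCE_WINDOW[1]:
                findings.append(f"WRITE_OUTSIDE_WINDOW {rec['src']}->{rec['dst']} at {rec['ts']:%H:%M}Z")
        elif rec["event"] == "logon" and rec["result"] == "fail":
            key = (rec["user"], rec["src"])
            failed_logons[key] += 1
            if failed_logons[key] == FAILED_LOGON_THRESHOLD:  # report once, at the threshold
                findings.append(f"REPEATED_FAILED_LOGON user={rec['user']} src={rec['src']}")
    return findings

# Constructed incident records: (occurred, detected, resolved) timestamps.
SAMPLE_INCIDENTS = [
    ("2024-01-10T08:00:00Z", "2024-01-10T20:00:00Z", "2024-01-11T08:00:00Z"),
    ("2024-02-02T00:00:00Z", "2024-02-03T00:00:00Z", "2024-02-04T12:00:00Z"),
]

def effectiveness_metrics(incidents, patched: int, total: int) -> dict:
    """MTTD and MTTR in hours plus patch coverage in percent, the metrics the text lists."""
    mttd = mean((_ts(d) - _ts(o)).total_seconds() / 3600 for o, d, _ in incidents)
    mttr = mean((_ts(r) - _ts(d)).total_seconds() / 3600 for _, d, r in incidents)
    return {"mttd_hours": mttd, "mttr_hours": mttr, "patch_coverage_pct": 100 * patched / total}

if __name__ == "__main__":
    for finding in review_ot_log(SAMPLE_LOG):
        print(finding)
    print(effectiveness_metrics(SAMPLE_INCIDENTS, patched=120, total=150))
```

On the constructed sample the review yields three findings (a write from a host outside the allow-list, a write from an allowed host outside the window, and a burst of failed logons by a vendor account), and the metrics come out at MTTD 18 h, MTTR 24 h and 80 % patch coverage. In a real programme the allow-list and window come from the change-management process, and the thresholds should be tuned against a baseline period before findings are treated as alerts.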

Cyber Hygiene and Training

Energy sector employees need security training appropriate to their roles:

Operational staff: how to recognise attacks, how to report suspicious activity, physical security practices.

IT/OT staff: secure development, patch management, access control, incident response.

Management: cybersecurity risk understanding, governance, supply chain risk.

Cryptography

Energy systems often communicate sensitive control information. Cryptography is essential:

Encrypt control communications between field devices and central systems.

Encrypt all data transmitted over public networks.

For industrial protocols, use cryptographic extensions (e.g., DNP3 Secure Authentication, IEC 62351-1 for power systems).
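The challenge-response pattern that DNP3 Secure Authentication applies to critical commands is sketched below as an added Python example. It is not code from this guide and does not reproduce the DNP3-SA wire format or key-management messages; the session key, the command strings and the class names are constructed for illustration. What it shows is the security property: an outstation holds a critical command, issues a fresh nonce, and only acts when the master returns an HMAC over nonce and command, so a command altered in transit, a reply computed without the key, or a replayed reply is refused.

```python
"""Challenge-response authentication of a critical control command, in the
pattern used by DNP3 Secure Authentication.

Simplified illustration added here; not the DNP3-SA wire format and not code
from the guide. Key, commands and names are constructed."""
import hashlib
import hmac
import secrets

class Outstation:
    """Field device: challenges each critical command and verifies the HMAC reply."""
    def __init__(self, session_key: bytes):
        self._key = session_key          # shared out-of-band with the master (assumption)
        self._pending = None             # (nonce, command) awaiting a reply
        self.applied: list[bytes] = []   # commands actually acted on

    def receive_command(self, command: bytes) -> bytes:
        """Do not act yet; hold the command and return a fresh 128-bit challenge."""
        nonce = secrets.token_bytes(16)
        self._pending = (nonce, command)
        return nonce

    def receive_reply(self, tag: bytes) -> bool:
        """Apply the held command only if the tag is the HMAC over nonce||command."""
        if self._pending is None:
            return False
        nonce, command = self._pending
        self._pending = None             # one reply per challenge, whatever the outcome
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False
        self.applied.append(command)
        return True

class Master:
    """Control centre: answers a challenge by authenticating the command it sent."""
    def __init__(self, session_key: bytes):
        self._key = session_key

    def answer_challenge(self, nonce: bytes, command: bytes) -> bytes:
        return hmac.new(self._key, nonce + command, hashlib.sha256).digest()

def authenticated_operate(master: Master, outstation: Outstation, command: bytes):
    """Normal exchange. Returns (accepted, tag) so a captured tag can be replayed below."""
    nonce = outstation.receive_command(command)
    tag = master.answer_challenge(nonce, command)
    return outstation.receive_reply(tag), tag

def tampered_operate(master: Master, outstation: Outstation, sent: bytes, substituted: bytes) -> bool:
    """Command altered on the wire: the outstation challenges the substituted command,
    but the master authenticates the one it actually sent."""
    nonce = outstation.receive_command(substituted)
    tag = master.answer_challenge(nonce, sent)
    return outstation.receive_reply(tag)

def replayed_operate(outstation: Outstation, command: bytes, old_tag: bytes) -> bool:
    """A previously captured valid tag is offered again; the new nonce makes it stale."""
    outstation.receive_command(command)
    return outstation.receive_reply(old_tag)

if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed session key
    master, outstation = Master(key), Outstation(key)
    cmd = b"OPEN breaker=CB-12"          # constructed command
    ok, tag = authenticated_operate(master, outstation, cmd)
    print("genuine command accepted:", ok)
    print("tampered command accepted:", tampered_operate(master, outstation, cmd, b"CLOSE breaker=CB-12"))
    print("replayed reply accepted:", replayed_operate(outstation, cmd, tag))
    print("wrong-key master accepted:", authenticated_operate(Master(secrets.token_bytes(32)), outstation, cmd)[0])
```

Note that this pattern, like DNP3 Secure Authentication itself, provides integrity and authenticity of the command, not confidentiality; where the text asks for traffic over public networks to be encrypted, that needs a transport layer such as TLS in addition, which is what the IEC 62351 series specifies for power-system protocols.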

Access Control

Energy systems have many access points:

Remote access for maintenance and monitoring.

Access from control centres and dispatch facilities.

Access from engineering workstations.

All access should be logged and monitored. Multi-factor authentication for remote and privileged access is essential.

Multi-Factor Authentication

Implement MFA for:

Administrative access to OT systems.

Remote access to energy facilities.

Access to critical control systems.

For legacy OT systems that do not support MFA, implement compensating controls (VPN with MFA, network segmentation, monitoring).

Energy Sector Supply Chain Risk Assessment

Article 22 authorises the Cooperation Group to conduct coordinated risk assessments of critical supply chains. For the energy sector, key supply chain risks include:

SCADA and ICS vendors: a compromised vendor could infiltrate multiple energy operators. Due diligence on these vendors is essential.

Telecommunications providers: energy operators depend on telecommunications for communications between sites. A compromised telecom provider could disrupt energy operations.

Hardware suppliers: tampering with hardware (servers, network equipment, control devices) could compromise systems.

Renewable energy supply chain: solar panel manufacturers, wind turbine manufacturers, and their supply chains.

Monitor Cooperation Group assessments of energy supply chains and incorporate findings into your vendor management.

National Security Considerations

Energy is critical to national security. EU Member States have strong interests in protecting energy infrastructure from foreign threats.

Some NIS2 obligations may be subject to national security carve-outs. For example:

A Member State may restrict where certain energy systems can be located.

A Member State may restrict which countries' vendors can provide critical components.

A Member State may classify certain energy infrastructure as national security sensitive, limiting information sharing.

Energy operators should engage with their national security authorities (often part of the defence ministry or intelligence services) to clarify which NIS2 obligations apply and which may be handled under national security frameworks.

Compliance Timeline and Roadmap

For energy operators, the compliance timeline is:

By 17 October 2024: governance requirements (Article 20) became mandatory. Boards must approve cybersecurity measures, oversee implementation, and accept accountability.

By 12 May 2025: full compliance with Article 21 (cybersecurity measures) and Article 23 (incident reporting).

For energy operators, immediate actions should include:

Determine your scope status: are you an essential or important entity? Clarify with your Member State regulator.

Conduct a cybersecurity risk assessment specifically addressing energy infrastructure, OT systems, and supply chain risk.

Map your current practices to Article 21(2) and identify gaps.

Develop an implementation plan prioritising high-risk gaps.

Engage your board in cybersecurity governance (Article 20) through quarterly reports and formal approvals.

Begin vendor assessments for critical suppliers (SCADA vendors, telecom providers, etc.).

Establish an incident response capability that can detect and report significant incidents within 72 hours.

Conduct security assessments (penetration tests, vulnerability scans) of OT systems.

Update all security policies to reflect NIS2 requirements.

Test incident response capability through tabletop exercises.

Energy Sector Resources

Organisations like ENISA, the European Network and Information Security Agency, provide sector-specific guidance. Check for:

ENISA good practice reports on energy sector cybersecurity.

Implementing acts from the Commission specific to energy entities.

Guidance from your Member State regulator.

Industry groups and associations that may provide sector guidance (e.g., Eurelectric for the electricity sector, Gas Infrastructure Europe for the gas sector).

Key Takeaways

- The energy sector (electricity, oil, gas, district heating, hydrogen) is explicitly critical under NIS2; scope covers generators, TSOs, DSOs, producers, storage operators, and suppliers; size threshold (250+ employees or EUR 50 million+ turnover) applies, plus Member State discretion for smaller entities.

- Energy operators face unique cybersecurity challenges: operational technology systems designed for reliability not security, legacy infrastructure difficult to upgrade, interconnected systems creating cascading risks, and state-sponsored threats targeting energy infrastructure.

- Article 21 measures must be tailored to energy contexts: risk assessment must address physical threats and OT systems, business continuity is critical (systems must stay operational), supply chain security is essential (SCADA vendors are high-value targets), and multi-factor authentication must be implemented for all remote and privileged access.

- Energy-OT integration is challenging: SCADA and legacy systems may not support modern controls; compensating controls (network segmentation, monitoring, access logs) are essential where systems cannot be upgraded; national security considerations may carve out certain obligations from NIS2.

- Compliance timeline is tight: board governance (Article 20) became mandatory October 2024; full Article 21 and Article 23 compliance required by May 2025; energy operators should immediately conduct risk assessments, map gaps, develop implementation plans, and engage boards in cybersecurity governance.

- Supply chain security is critical for the energy sector: SCADA vendors, telecommunications providers, and hardware suppliers are high-value targets; vendor assessments, contractual security requirements, and incident notification timelines are essential; monitor Cooperation Group assessments of energy supply chains.