Shoosmiths LLP
  October 18, 2024 - Milton Keynes, England

NIS2 is here – What energy & utility providers need to know about Europe’s new cybersecurity regime
  by Shoosmiths LLP

The new Network and Information Systems Directive (NIS2) had to be transposed into national law by 17 October 2024 and applies from 18 October 2024, and with it comes an overhaul of the way in which cybersecurity risk management is regulated in Europe.

For the EU’s energy and critical utilities sector, as well as key suppliers to this sector, the major changes brought about by NIS2 will require organisations to implement stricter security measures and comply with new incident reporting obligations, and it will substantially expand enforcement powers.

Sanctions for non-compliance under NIS2 are substantial, with fining powers for essential entities of up to €10m or 2% of worldwide annual turnover (whichever is higher) and, in some cases, sanctions against management and the C-suite, including personal liability of management bodies. Above all, NIS2 emphasises a proactive approach to cybersecurity and operational resilience.

This article, part of our NIS2 series, provides a high-level overview of what you need to know for your sector and what steps you need to take now. For a more in-depth insight into NIS2 and its requirements, see our article here.

Note on the UK: this article focuses on the EU’s enhanced cybersecurity regime, which will not apply in the UK. For specific guidance on the steps the UK is undertaking in this space, please contact a member of the Resiliency team.

What does this mean for energy and utilities providers?

NIS2 imposes obligations on a broader range of entities than its predecessor (in general, medium-sized and larger organisations in the listed sectors), with the intensity of those obligations depending on whether an entity is identified as ‘essential’ or ‘important’.

Given the central role energy and utility services play in the economy, companies must prioritise the resilience of their infrastructure to prevent potentially catastrophic disruptions resulting from cyber-attacks. Incidents such as the loss of remote monitoring and control over thousands of European wind turbines following the 2022 attack on the Viasat satellite network, and the ransomware attacks on European oil terminals the same year, are just some examples which highlight the impact on individuals, businesses and the European economy of attacks and outages in the energy and utilities sectors.

NIS2 lists energy (electricity, district heating and cooling, oil, gas and hydrogen), drinking water and waste water among its sectors of high criticality, so most operators in these sectors will be ‘essential’ entities, and it imposes stringent security measures aimed at protecting essential services such as power grids, water supply systems, distribution systems and gas networks.

Operational technology systems that control critical energy and utilities infrastructure, such as SCADA networks, are particularly vulnerable to cyber-attacks: they often run legacy protocols with little or no authentication, have long patch cycles and are increasingly connected to corporate IT networks. Under NIS2, providers must take steps to secure these systems, ensuring they are resilient to both external and internal threats, given that the potential consequences of an attack range from power outages to compromised safety and even loss of life.

NIS2 emphasises building resilience to disruption at any point in the vast and interconnected supply chain for these critical sectors, requiring assurance that all links in the chain – from equipment manufacturers to technology vendors to contractors – do not contain vulnerabilities that pose a risk to the entire system. NIS2 expressly requires entities to take into account the vulnerabilities specific to each direct supplier and service provider. As such, companies in this sector will be expected to flow down NIS2’s robust requirements across their supply chains.

Finally, as essential entities, energy and utility companies will be subject to enhanced supervision, with each EU Member State regulator able to conduct regular (and in some cases unannounced) inspections and audits of a company’s information security management frameworks and cybersecurity posture. Where compliance gaps are found, companies can expect onerous corrective action plans and periodic penalty payments (in effect, daily fines) for continued non-conformity. Companies may also be expected to pay the cost of these audits.

Incident management

NIS2 represents a significant cultural change for the way organisations approach incident management, and for the personnel who will need to be involved in that process. 

One of the significant aspects of NIS2 is the emphasis on incident reporting, which requires affected entities to report any significant incident to the relevant authority without undue delay and no later than 24 hours after becoming aware of it (an initial early warning), with more detailed reporting at additional intervals, including a final report once the incident has been handled.

In essence, under NIS2:

For further insight into some of the changes to incident classification see our article here.

Registration

With NIS2 comes a new mandatory registration requirement. A regulated entity will be required to register with its competent authority and provide key details such as its name, address and contact details, its sector, the Member States in which it provides its services, its IP ranges and (where applicable) the identity and contact information of its designated representative in the EU.

Providers and suppliers located outside the EU with no establishment there may need to appoint a representative in the Union; under NIS2 this requirement is aimed at particular types of digital service provider, so check whether it applies to your entity type.

We have ISO 27001 – do we need to do anything?

In short – yes.

While it is true that both NIS2 and ISO 27001 (and other management system standards such as ISO 22301 for business continuity) aim to enhance an organisation’s cybersecurity and resilience, NIS2 is fundamentally different in its scope.

The mandatory controls required under NIS2 are more granular in nature and will apply to a wider part of an organisation (including entities that would typically be segregated under ISO 27001).

In addition, due to the stringent requirements around incident management, reporting and audit, it is highly unlikely an organisation will be able to simply rely on its ISO 27001 certification to achieve NIS2 compliance.

However, those organisations with ISO 27001 (particularly the 2022 version) will already have in place a strong governance framework and an ISMS onto which NIS2 controls can be added.

Is there any other legislation to worry about?

Those reading about NIS2 for the first time may understandably think that this is it.

However, particularly for sectors such as energy and utilities, it is likely that many providers will also be subject to the EU’s Critical Entities Resilience Directive (CER Directive), which had the same 17 October 2024 transposition deadline and applies alongside NIS2 from 18 October 2024.

The CER Directive covers similar ground to NIS2 as far as resilience is concerned, but it is far broader in the types of threat an organisation must prepare for. For example, while NIS2 requires a regulated entity to harden its network and information systems against cyber threats, vulnerabilities and outages, the CER Directive extends this to all hazards, including physical factors such as natural disasters, sabotage and terrorism.

In some cases, Member States are introducing measures under the CER Directive in parallel with NIS2, while in others CER requirements will be laid down on a standalone basis. It is therefore important for organisations to understand the specific domestic implementation of NIS2 and the CER Directive that applies to them in each of their home countries.

Supply chain

It goes without saying that NIS2 places a heavy emphasis on vendor management with regulated organisations being obliged to ensure that cybersecurity is appropriately preserved across the supply chain.

Suppliers to the energy and utility sectors should expect to receive more due diligence and vendor assessment questions and be subject to more stringent contractual requirements. Suppliers used to contracting under their own paper should consider taking steps now to update contractual documentation in line with NIS2.

For organisations involved in the supply of hardware and critical software to the sector, focus should also be on the EU’s Cyber Resilience Act (CRA), which introduces cybersecurity requirements for products with digital elements, that is hardware and software products (including IoT devices) placed on the EU market. The CRA applies to all such products but lays down enhanced conformity assessment requirements for the ‘important’ and ‘critical’ product classes it lists, many of which are used within critical infrastructure. Therefore, for the energy and utility sector, devices such as industrial automation and control systems, network management systems, physical network interfaces, firewalls and routers, modems and switches (including GIS switchgear) will all fall under intense scrutiny.

What you need to do now 

  1. Familiarise yourself with the key requirements of NIS2 – you can read our more in-depth article here as a starting point.
  2. Undertake a scoping assessment to assess in more detail whether your business is likely to be in scope of NIS2, bearing in mind its size, sector, the nature of its business, and the Member States in which it operates or into which it provides services.
  3. Keep track of the specific NIS2 implementation timeline for your home country – very few Member States were able to adopt national implementing laws before the 17 October 2024 transposition deadline, so the detailed obligations and enforcement dates will vary by Member State.
  4. Determine and complete registration requirements – for entities with a broad reach across Europe this may be a complicated assessment, potentially requiring multiple registrations.
  5. Conduct a gap analysis between NIS2 measures (specifically those required in your home country), against your current cybersecurity posture and implement a rectification and improvement plan.
  6. Review and update existing incident management handling processes – you can read more about some of the changes to incident classification here.
  7. Start your vendor management process now, given the significant time it often takes to cascade compliance throughout the supply chain.
  8. Consider whether key customers are likely to be impacted, and how this should be reflected in key contracts (particularly in B2B settings).

For further information on NIS2 or assistance with the above activities, please engage with our Resiliency team.
Read full article at: https://www.shoosmiths.com/insights/articles/nis2-is-here-what-energy-utility-providers-need-know-about-europes-new-cybersecurity-regime