NIS2 for Energy Suppliers and Municipal Utilities

TL;DR
  • Energy is listed as a sector of high criticality in Annex I of the NIS2 Directive. Energy suppliers are therefore classified as essential entities with the strictest requirements.
  • NIS2 does not replace existing KRITIS regulations but supplements them. Critical infrastructure operators in the energy sector must comply with both regulatory frameworks in parallel.
  • OT security is the key differentiator from a traditional IT ISMS: grid control technology, SCADA systems, and process controls require their own protective measures and segmentation.
  • Reporting obligations are strict: initial notification within 24 hours, follow-up within 72 hours, final report within one month.
  • Even municipal utilities with 50 to 200 employees fall under NIS2, even if they were not previously classified as KRITIS operators.

Energy Under NIS2: Why the Sector Is Subject to Particularly Strict Regulation

When the power goes out in Germany, everything comes to a standstill within hours. Hospitals switch to emergency power, traffic lights fail, cold chains break down, and communications networks become unstable. Energy is the foundation upon which all other critical infrastructures are built — and that's precisely why the European legislator classified the energy sector as a sector of high criticality in the NIS2 Directive.

For energy suppliers and municipal utilities, this concretely means: They belong to the category of essential entities and are therefore subject to the strictest requirements NIS2 provides. This encompasses tightened reporting obligations, proactive supervision by the BSI, and a fine regime tied to annual revenue.

This article is aimed at managing directors, IT managers, and Information Security Officers (ISOs) at municipal utilities and regional energy supply companies. It explains what NIS2 requires, how the law differs from existing KRITIS regulations, and what specific steps you must take now.

Who Is Affected in the Energy Sector?

NIS2 defines the energy sector very broadly in Annex I. Affected are not only the major transmission system operators but also regional and municipal suppliers, provided they exceed the thresholds.

The Sub-Sectors in Detail

Electricity: Generators, transmission system operators, distribution system operators, electricity suppliers, operators of charging points for electric mobility, operators of energy storage facilities, and aggregators within the meaning of the Electricity Directive.

District heating and cooling: Operators of district heating or cooling systems that deliver heat or cooling to end customers via a network.

Petroleum: Operators of oil pipelines, operators of facilities for the production, refining, processing, and storage of petroleum.

Natural gas: Gas supply companies, distribution network operators, transmission network operators, operators of storage facilities and LNG facilities.

Hydrogen: Operators of facilities for the production, storage, and transmission of hydrogen. This sub-sector is new and was regulated for the first time with NIS2.

The Thresholds

As in all NIS2 sectors, the standard thresholds apply: at least 50 employees or at least EUR 10 million annual revenue or annual balance sheet total. However, there is an important distinction in the energy sector: The BSI can classify companies as essential entities regardless of the thresholds if a failure would have significant impacts on public safety.

In practice, this means: A municipal utility with 80 employees supplying a medium-sized city with electricity, gas, and district heating clearly falls under NIS2. But even a smaller utility with 45 employees can be affected if it plays a central role in regional energy supply.

Essential vs. Important Entity

In the energy sector, most companies are classified as essential entities. This has concrete consequences:

Aspect                 | Essential Entity                                | Important Entity
Supervision            | Proactive (BSI audits proactively)              | Reactive (only upon suspicion)
Fines                  | Up to EUR 10M or 2% of global annual revenue    | Up to EUR 7M or 1.4% of revenue
Audits                 | Regular security reviews by BSI                 | Occasion-based audits
Reporting obligations  | 24h / 72h / 1 month                             | 24h / 72h / 1 month

The reporting obligations are identical for both categories, but the proactive supervision for essential entities means the BSI can request evidence or conduct on-site inspections at any time without a specific trigger.

NIS2 and KRITIS: Two Regulatory Frameworks, One Company

One of the most common questions energy suppliers ask: Does NIS2 replace existing KRITIS regulations? The answer is a clear no. Both frameworks exist in parallel, and they partly address different aspects.

What Remains from KRITIS Regulation

The KRITIS Ordinance and the BSI Act (BSIG) have defined obligations for critical infrastructure operators in the energy sector for years. These include registration with the BSI, designation of a point of contact, demonstration of appropriate security measures reflecting the state of the art, and reporting of significant IT security incidents.

The KRITIS thresholds in the energy sector are based on supply figures: An electricity supplier is considered a KRITIS operator if it supplies more than 500,000 people; a gas network operator is considered one if its network exceeds a certain capacity threshold.

What NIS2 Additionally Brings

NIS2 significantly expands the circle of regulated companies because the thresholds are tied to company size and sector rather than supply figures. A municipal utility with 120 employees that was not previously considered a KRITIS operator because it supplied fewer than 500,000 people now falls under NIS2 regardless.

Additionally, NIS2 introduces new requirements that go beyond previous KRITIS obligations:

  • Personal liability of executive management for implementing cybersecurity measures
  • Mandatory training of the management level in cybersecurity
  • Supply chain security as an explicit requirement component
  • Extended reporting obligations with the three-tier reporting system (24h, 72h, 1 month)
  • Risk management as a continuous process with documented methodology

The Practical Consequence

If your company is both a KRITIS operator and NIS2-obligated, you must comply with both frameworks. The good news: There is significant overlap. A well-established ISMS based on ISO 27001 covers the majority of requirements from both frameworks. But you must know the differences and ensure nothing falls through the gap.

OT Security: The Key Differentiator from a Traditional IT ISMS

Energy suppliers operate not only classic IT systems like email servers, ERP systems, and office workstations. They also operate Operational Technology (OT): grid control technology, SCADA systems, process controls, smart metering systems, and increasingly IoT devices in the network.

This OT environment differs fundamentally from traditional IT, and an ISMS that only covers the IT side does not meet the NIS2 requirements for energy suppliers.

Why OT Operates Differently

In traditional IT, the priority order is Confidentiality, Integrity, Availability (CIA Triad). In OT, the order is reversed: Availability comes first, followed by Integrity and then Confidentiality. When a SCADA system is unavailable, the consequences can be physical — from power outages to safety-critical situations.

Further differences you must consider in ISMS planning:

Lifecycles: IT systems are replaced every three to five years. OT systems often run 15 to 25 years. This means: outdated operating systems, missing security updates, and protocols that were never designed for a connected world.

Patch management: In IT, you can patch a server on the weekend. You cannot simply shut down a grid control station because doing so would endanger the power supply for an entire region. Patches must be applied during maintenance windows that are often planned months in advance.

Protocols: OT systems frequently use proprietary or industrial protocols such as IEC 60870-5-104, IEC 61850, or Modbus. These protocols were developed for reliability, not security. Encryption or authentication is often not provided or only retrofitted in newer versions.

Network segmentation: The strict separation of IT and OT networks — consistent network segmentation — is not a nice idea but a mandatory security requirement. In practice, however, many municipal utilities have historically grown network structures where the boundaries between IT and OT are blurred.

What NIS2 Requires for OT Security

NIS2 requires in Article 21 a risk management approach covering all systems relevant to service delivery. For energy suppliers, this explicitly includes the OT environment. Specifically, this means:

Complete asset inventory: You must know which OT systems you operate, what software versions run on them, what network connections exist, and who has access. In many municipal utilities, this is one of the biggest challenges because OT has historically been managed separately from IT and documentation is incomplete.

Risk assessment for OT: Every OT system needs a risk assessment that accounts for specific threats. A SCADA server controlling power distribution has a different risk profile than an office PC.

Network segmentation: IT and OT networks must be separated by firewalls or data diodes. Data flow between networks must be controlled and monitored. Ideally, there is a demilitarized zone (DMZ) between IT and OT.

Access controls: Who may access OT systems? Remote maintenance connections must be secured, logged, and time-limited. Multi-factor authentication is required for OT access as well, insofar as technically feasible.

Monitoring and anomaly detection: You must be able to detect unusual activities in your OT network. This requires specialized monitoring solutions that understand industrial protocols and can detect anomalies in communication between OT components.

Reporting Obligations in the Energy Sector

Reporting obligations under NIS2 follow the three-tier scheme applicable to all sectors. But for energy suppliers as essential entities, they apply in full and without exceptions.

The Three-Tier System

Tier 1 — Early Warning (24 hours): Within 24 hours of becoming aware of a significant security incident, you must submit an initial notification to the BSI. This notification must indicate whether the incident is presumably attributable to unlawful or malicious actions and whether cross-border impacts are possible.

Tier 2 — Incident Notification (72 hours): Within 72 hours follows a more detailed notification with an initial assessment of the incident, its severity and impact, as well as the countermeasures taken so far. Indicators of compromise (IoC) should also be shared here.

Tier 3 — Final Report (1 month): No later than one month after the initial notification, a comprehensive final report is due. This must contain a detailed description of the incident, root cause analysis, the remedial measures taken, and any cross-border impacts.

What Qualifies as a Significant Incident

Not every disruption must be reported. An incident is considered significant if it:

  • has caused or could cause a serious operational disruption of services,
  • has caused or could cause financial losses for the affected entity,
  • has impaired or could impair other natural or legal persons through significant material or immaterial damages.

For an energy supplier, this means in practice: A ransomware attack on the billing system is reportable. A compromised remote maintenance connection to grid control technology is reportable. Even a phishing attack that has captured credentials for critical systems can be reportable, even if no direct damage has occurred yet.

Organizing Reporting Obligations in Practice

The 24-hour deadline for the initial notification is ambitious. You need clear processes that ensure incidents are quickly detected, assessed, and reported. This requires:

  • A defined reporting process with clear responsibilities (who reports, who decides, who approves)
  • Templates for all three reporting tiers that can be quickly completed in an emergency
  • Availability outside business hours, since a cyberattack doesn't follow office hours
  • Regular exercises to test and improve the reporting process

Business Continuity Management for Energy Suppliers

NIS2 explicitly requires measures for maintaining operations in Article 21. For energy suppliers, Business Continuity Management (BCM) is not an abstract concept but immediately relevant because an energy supply failure has cascading effects on all other sectors.

What a BCM Concept for Municipal Utilities Must Cover

Business Impact Analysis (BIA): Which business processes are critical? How long may an outage last at most? For a municipal utility, these are typically grid control, dispatch for disruptions, communication with the transmission system operator, and billing.

Emergency plans: For each critical system, you need a documented emergency plan describing how operations can be maintained or quickly restored in case of failure. For grid control technology, this may mean that fallback procedures for manual control must be documented and regularly practiced.

Backup and recovery: The backup strategy must cover both IT and OT systems. For OT systems, this means that configurations of protective devices, parameterizations of grid control stations, and firmware versions must also be backed up.

Crisis management: Who decides in an emergency? How is communication handled? Who informs the Federal Network Agency, the BSI, and potentially the public? A crisis team with clear roles and communication channels must be defined and regularly practiced.

Energy Supply Specifics

Unlike many other industries, the energy supply sector has additional regulatory requirements that overlap with BCM. The Federal Network Agency has required security measures for network operators under IT security catalogs per Section 11(1a) and (1b) EnWG for years. These requirements persist and must be harmonized with NIS2 requirements.

For municipal utilities that simultaneously operate electricity, gas, and district heating networks, complexity increases because each network has its own dependencies and fallback scenarios. An integrated BCM concept covering all divisions is more efficient here than separate concepts per network.

BSI Requirements and Industry-Specific Standards

The BSI had already issued extensive requirements for the energy sector before NIS2. With NIS2 implementation, new requirements are added that partly overlap with existing ones.

IT Security Catalogs Under EnWG

Electricity and gas network operators have been required since 2015 (electricity) and 2018 (gas) to operate an information security management system based on ISO 27001 and demonstrate this through a certificate. Additionally, industry-specific requirements from the Federal Network Agency's IT security catalog apply that go beyond general ISO 27001.

BSI IT-Grundschutz

The BSI recommends applying the IT-Grundschutz Compendium for the energy sector, particularly the modules for industrial IT (IND modules). These modules specifically address OT security and provide concrete measures for SCADA systems, process controls, and grid control technology.

Industry-Specific Security Standards (B3S)

The industry association BDEW has developed industry-specific security standards in collaboration with the BSI that serve as implementation recommendations for KRITIS requirements. The BDEW white paper "Requirements for Secure Control and Telecommunications Systems" has been the de facto standard for OT security in the energy industry for years.

Under NIS2, the option to use industry-specific security standards as compliance evidence remains. If your company already works according to a recognized B3S, you have a solid foundation that can be supplemented with NIS2-specific requirements.

ISO 27001 and IEC 62443

For energy suppliers that must secure both IT and OT, the combination of ISO 27001 (for the overarching ISMS) and IEC 62443 (specifically for OT security) has proven effective in practice. ISO 27001 provides the management system framework, while IEC 62443 defines specific technical requirements for industrial automation systems.

Practical Example: Municipal Utility with 200 Employees

To make the requirements tangible, let's look at a fictitious but realistic example: Stadtwerke Mittelstadt GmbH, a municipal utility with approximately 200 employees.

Starting Position

Stadtwerke Mittelstadt supplies a city of 80,000 residents with electricity, gas, district heating, and water. They operate their own electricity network, gas network, and district heating network. Additionally, there are two combined heat and power plants and several photovoltaic installations. The IT department comprises eight employees who manage both traditional IT and OT.

Previously, Stadtwerke was already obligated as an electricity and gas network operator to operate an ISMS based on ISO 27001. However, the certification only covers grid management. The ERP system, personnel management, customer communication, and district heating control lie outside the existing ISMS scope.

The NIS2 Gap Analysis

In the first step, the ISO conducted a gap analysis comparing the existing ISMS scope with NIS2 requirements. The following action areas were identified:

Expand scope: NIS2 requires that all systems relevant to providing the regulated services are in scope. This includes not just grid control technology but also the ERP system (because a failure impacts billing and thus customer supply), the email infrastructure (needed for communication with authorities and customers), and district heating control.

Build supply chain security: The municipal utility uses managed services from an external IT service provider for monitoring grid control technology. This provider was not previously included in the ISMS. NIS2 requires an assessment of supply chain security and contractual arrangements with service providers.

Implement reporting process: While there was already a reporting obligation to the BSI for KRITIS incidents, the process was not formalized. Clear responsibilities, templates, and around-the-clock availability were missing.

Engage executive management: Previously, responsibility for information security effectively resided with the ISO and the IT manager. NIS2 requires active involvement of executive management and demonstrable training of the management level.

Complete OT inventory: OT system documentation was incomplete. Particularly for older components in substations, current network diagrams and software versions were missing.

The Implementation Plan

The municipal utility has established a twelve-month plan that addresses gaps prioritized by risk and effort:

Months 1 to 3: Train executive management, strengthen ISO role and provide budget, begin OT asset inventory, define and document reporting process.

Months 4 to 6: Expand ISMS scope, conduct risk assessment for newly included systems, review service provider contracts and supplement with security requirements.

Months 7 to 9: Improve network segmentation between IT and OT (separate firewall zone for OT, monitoring at the boundary), expand backup concept to include OT configurations, update and practice emergency plans.

Months 10 to 12: Conduct internal audits, management review with executive management, complete documentation, finalize registration with BSI as essential entity.

Budget and Resources

The municipal utility has calculated an additional budget of EUR 180,000 for the first year. This includes external consulting for OT risk assessment (EUR 40,000), an OT monitoring system (EUR 60,000), training for executive management and employees (EUR 15,000), an additional half position for the ISO (EUR 45,000), and various technical measures such as network segmentation and backup expansion (EUR 20,000).

This budget is realistic for a municipal utility of this size and complexity. Smaller utilities with less OT complexity can manage with less; larger companies must plan accordingly more. To keep tool costs manageable: ISMS Lite offers full functionality from EUR 500 per year or as a one-time purchase for EUR 2,500, with no seat licenses or hidden costs.

Common Pitfalls for Energy Suppliers

From consulting practice, several errors can be identified that are particularly common among energy suppliers:

Treating OT as a blind spot. If the ISMS only covers traditional IT and grid control technology is excluded, you don't meet NIS2 requirements. OT security must be an integral part of the ISMS, even if organizational responsibility lies with a different department.

Managing too many frameworks in parallel. IT security catalog, KRITIS ordinance, NIS2, ISO 27001, IEC 62443, the BDEW white paper: The volume of frameworks and standards can be overwhelming. The key is an integrated approach where a central ISMS maps all requirements, rather than maintaining separate documentation for each framework.

Not bringing IT and OT together. In many municipal utilities, the IT department and grid control center traditionally work separately. NIS2 requires a unified security strategy. This doesn't mean everything must be merged, but there must be joint risk assessments, coordinated security policies, and clear interfaces.

Underestimating remote maintenance. Many OT systems are remotely maintained by external manufacturers and service providers. These remote maintenance connections are a popular attack target and must be strictly controlled: time-limited, secured with MFA, logged, and only via dedicated, hardened access paths.

Forgetting hydrogen. Those investing in hydrogen projects should know that hydrogen is regulated as a separate sub-sector under NIS2. Even pilot projects and smaller installations can fall within scope.

Next Steps: What You Should Do Now

The requirements are extensive, but they are manageable — especially if your company already operates an ISMS. Here are the key next steps:

Clarify applicability and classification. Check whether your company qualifies as an essential or important entity. In the energy sector, the answer is clear in most cases, but formal registration with the BSI must still take place.

Conduct a gap analysis. Compare your current status with NIS2 requirements. If you already operate an ISMS based on ISO 27001, you're in a good starting position. Focus on the gaps: OT security, supply chain security, reporting processes, and executive management responsibility.

Build an OT inventory. If you don't yet have a complete inventory of your OT systems, start there. You can't assess risks or plan security measures if you don't know what you need to protect.

Engage executive management. Personal liability of executive management under NIS2 is not an empty phrase. Use this lever to secure budget and attention. Schedule training for the management level and ensure that executive management is regularly informed about the state of information security. In ISMS Lite, IT and OT assets can be managed in a unified system and the parallel requirements from KRITIS and NIS2 tracked at a glance.

NIS2 is a challenge for energy suppliers and municipal utilities, but also an opportunity. The regulation forces holistic thinking about security, bringing IT and OT together, and holding executive management accountable. Those who take this as an opportunity to fundamentally modernize their security strategy gain not only compliance but genuine resilience.

NIS2 compliance for energy suppliers?

ISMS Lite maps all NIS2 requirements for the energy sector — including OT risk management, reporting obligations, and BSI evidence. Self-hosted, deployed in 5 minutes.