
How can the Energy Sector prepare for NIS2 Compliance?

Approved by the EU Council in November 2022, NIS2 will enter into national law by October 2024. Utilities in particular face heightened cybersecurity requirements compared to the previous NIS directive: Annex I of the directive lists the energy sector among the “SECTORS OF HIGH CRITICALITY”.

More generally, stricter penalties for non-compliance have been introduced, including fines of up to 10% of an entity's annual turnover. Furthermore, even if your organization is located outside the EU, adherence to the NIS2 Directive is mandatory if it offers services within the EU. Preparing your organization is key.

Current Challenges

NIS2 arrives amidst heightened tensions in Europe, spurred by the ongoing war in Ukraine. The need for European states to explore alternative sources to reduce dependency on fossil fuels has become paramount. But conversations about supply coincide with concerns about the security of existing sources. 

"Critical infrastructure is the new frontier of warfare [...]."

- Ursula von der Leyen, EU Commission President, October 2022

Thus far, attacks on physical infrastructure have caused greater damage, but the potential magnitude of cyberattacks on digital infrastructure should not be overlooked: in 2015, a hack by suspected Russian attackers left 230,000 residents without power. Today, such an attack could trigger a continent-wide domino effect.

"The European power grid is now one big machine. If one component is attacked, it can knock out power in a city, a country and even a whole continent."

- Peter Palensky, Professor of Intelligent Electric Power Grids

Digitization in the sector remains a double-edged sword. In October 2022, the European Commission adopted the Digitalising the Energy System - EU action plan (COM/2022/552). The plan, amongst other goals, aimed to fully exploit the potential of digital technologies and integrate technologies such as weather models, mobility patterns, financial services, and geographic location systems. Advanced data analytics and machine learning further contribute to informed decision-making and cost savings.

However, the increased reliance on digital technologies also introduces new risks. The complexity of interconnected systems poses multiple challenges: supply chain risks, difficulties around system integration, expanding attack surfaces, and more. You can read more about these in our datasheet.

“[...] due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place.” 

- Directive (EU) 2022/2557, December 2022

Additionally, a global study conducted in October 2023 revealed that only 35% of energy organizations believe they are well-positioned for the threats of tomorrow. In this complicated context, NIS2 can provide an opportunity for businesses to tackle the challenges of digital transformation.

What is the scope of NIS2 for energy companies?

Security:

  • Adopt suitable technical and organizational measures to prevent, detect, and respond to incidents.
  • Safeguard critical infrastructure, and maintain energy service and availability.

Data Protection and Privacy:

  • Implement measures to safeguard personal data handled by energy companies.
  • Report incidents compromising data security.
  • Consumers also have the right to be informed of incidents that could impact the security of their personal data and to request the deletion of that data.

Compliance and Enforcement:

  • Designate a responsible individual for overseeing NIS2 Directive implementation.
  • Conduct regular risk assessments.
  • Cooperate with national competent authorities to ensure compliance with NIS2.
  • Adhere to NIS2 requirements, including the development of policies on risk analysis and information system security.
  • Establish policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
  • Develop policies and procedures regarding the use of cryptography and, where appropriate, encryption.
  • Implement human resources security, access control policies, and asset management.

How can the energy sector prepare?

The NIS2 Directive holds profound implications for the energy sector, necessitating a comprehensive response from companies. Its primary objective is to fortify the security and resilience of energy systems against cyber threats, with mandates for robust technical and organizational measures covering critical infrastructure protection, data privacy, and the continuity of energy services.

Beyond compliance, the directive's potential impact on the energy market is significant, promising increased consumer confidence and trust, fostering competition, and driving market growth.

Contact Hadrian to learn how we can get you ready for NIS2 and help you avoid penalties.
