NIS2 in the energy sector is not just another compliance document: it is the framework that redefines what an acceptable cybersecurity posture looks like for an electricity, gas, hydrogen or oil operator in Europe.
Directive (EU) 2022/2555 expands the universe of obligated entities, raises minimum requirements and makes the responsibility of the governing body explicit. For the energy sector, where the impact of an incident can cross borders and affect the supply of millions of homes and industries, these requirements are not rhetoric: they are operational commitments.
This guide translates the key NIS2 requirements into the language of compliance teams, CISOs, operations directors and legal officers at energy entities. The goal is that by the end you have a clear picture of what is expected, what needs to be documented and where the risk of inaction lies.
Transposition Status in Spain: What You Need to Know Today
Important legal note (May 2026): A pending transposition does not exempt organisations from reputational, contractual or continuity risks. Both INCIBE-CERT and CCN-CERT agree that the technical measures the directive requires take months to implement and waiting for the official gazette is not a viable strategy.
On supervisory authorities in Spain, the draft law already designates INCIBE-CERT as the reference CSIRT for the private sector (including private energy operators), CCN-CERT for the public sector and defence domain, and provides for the creation of a National Cybersecurity Centre (CNC) as the coordinating body. Energy operators should already align their notification processes with INCIBE-CERT as the operational reference.
Who Does NIS2 Apply To in the Energy Sector?
The directive distinguishes two categories: essential entities and important entities. In energy, the majority of electricity sector operators (generation, transmission, distribution, supply and significant charging point operators), as well as gas and oil operators, fall under essential entities per Annex I of the Directive, subject to stricter supervision and higher penalties.
The size threshold (more than 50 employees or more than €10 million in turnover) is indicative, not exclusive. The directive does not automatically exempt a small company that provides critical infrastructure services. If the entity delivers a service on which energy continuity depends, the applicability analysis must be done in detail; size is not a shield.
Covered infrastructures include:
- Electricity generation (conventional and renewable)
- Electricity transmission and distribution networks
- Market operators and balancing service providers
- Natural gas and LNG supply and distribution
- Hydrogen infrastructure and storage
- Oil production, transportation and distribution
If you operate in more than one Member State, the directive provides for coordinated supervision mechanisms and you may need to engage with more than one national competent authority. In such cases, regional coordination may involve ACER for cross-border interoperability aspects.
The Core Obligation: Proportionate and Documented Risk Management
Article 21 of Directive (EU) 2022/2555 sets out the cybersecurity risk management measures that every obligated entity must adopt. It is not an exhaustive checklist: it is a proportionality framework that takes into account the state of the art, costs, size and risk exposure of the entity.
Mandatory minimum measures include:
Information security policies and risk management. A documented framework must exist covering periodic risk analysis, domain owners and a formal review cycle. In energy, that framework must cover both corporate IT and OT/remote control environments, not treat them as separate silos.
Incident management. Clear procedures for detection, classification, containment, recovery and communication. This includes defining internally what a “significant incident” is before one occurs, not in the heat of the crisis.
Business continuity and crisis management. Backup plans, critical systems recovery, continuity procedures during the incident and formalised lessons learned. For network operators, this intersects with pre-existing sector obligations for supply continuity.
Supply chain security. Assessing and managing risks introduced by vendors, integrators and digital service providers with access to critical systems. A standard contract is not enough: active review of access and conditions must be evidenced.
Security in the acquisition, development and maintenance of systems. Security criteria in procurement contracts, integration projects and changes to production environments.
Policies and procedures to assess the effectiveness of measures. Compliance must be measurable. Without metrics or review evidence, the framework is not sustainable under audits or in the event of a real incident.
Basic cybersecurity hygiene and training. Operators must ensure their staff, including management, receive adequate training. NIS2 requires the management body to approve the measures and understand their implications.
Cryptography policies. Particularly relevant for communications between control systems, market exchanges and telemetry transmission.
Human resources security, access control and asset management. Up-to-date inventories, identity management, privilege control and joiner/leaver processes.
Use of multi-factor authentication (MFA) or continuous authentication. For access to sensitive systems, including external support access, bastion hosts and remote management tools, MFA is not optional.
Management Body Responsibility: A Real Paradigm Shift
One of the most disruptive elements of NIS2 is the explicit management liability. Article 20 of Directive (EU) 2022/2555 requires that the management bodies of obligated entities:
- Approve cybersecurity risk management measures.
- Oversee their implementation.
- Receive periodic cybersecurity training.
- Be personally liable in cases of serious non-compliance.
The Spanish draft law provides for fines of up to €500,000 for personal liability of directors, as well as the possibility of temporary disqualification from holding office. This means that delegating all cybersecurity to the CISO without effective board or executive committee involvement is no longer sufficient from a regulatory standpoint.
For the energy sector, where cybersecurity has historically lived in technical departments with limited executive visibility, this change requires renewed reporting structures and risk language that management can understand, not just the technical team.
Incident Management and Notification: Deadlines That Cannot Be Improvised
NIS2 establishes a three-phase incident notification regime that applies when an incident has a significant impact on service delivery. Deadlines run from the moment the entity becomes aware of the incident, not from when it has been fully analysed:
| Phase | Deadline | Minimum content |
|---|---|---|
| Early warning | 24 hours | Whether malicious origin is suspected and whether cross-border impact is possible |
| Incident notification | 72 hours | Initial impact assessment, available indicators of compromise, mitigation measures adopted |
| Final report | 1 month | Detailed description, root cause analysis, actual impact and lessons learned |
Source: INCIBE-CERT. NIS2: What You Need to Know
What cannot be improvised: internal incident classification, the decision chain from NOC or SOC to management, and external communication procedures with regulators. Having these flows in place before an incident is what distinguishes an orderly response from a communications crisis layered on top of a technical one.
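As an added illustration of why the deadlines above must be computed from the moment of awareness, the following Python helper (not part of the original guide or any regulator's tooling) derives the three notification deadlines from a recorded awareness timestamp and reports which phases are open, submitted or overdue; the calendar-month rule for the final report and all timestamps are constructed assumptions for the example.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Three-phase NIS2 notification regime: 24 h, 72 h and one month,
# all counted from when the entity becomes aware of the incident.
PHASES = ("early_warning", "incident_notification", "final_report")


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic that clamps to the last valid day,
    e.g. awareness on 31 January gives a final-report date of 28/29 February
    (assumed interpretation of "one month" for this example)."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def notification_deadlines(aware_at: datetime) -> dict:
    """Return the due time of each phase, keyed by phase name."""
    if aware_at.tzinfo is None:
        # Naive timestamps are a classic source of off-by-hours errors
        # in incident timelines; refuse them outright.
        raise ValueError("awareness time must be timezone-aware")
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_months(aware_at, 1),
    }


def phase_status(aware_at: datetime, now: datetime, submitted: dict) -> dict:
    """Classify each phase as 'submitted', 'submitted_late', 'open' or 'overdue'.

    `submitted` maps phase name -> datetime the report was sent to the CSIRT.
    """
    status = {}
    for phase, due in notification_deadlines(aware_at).items():
        sent = submitted.get(phase)
        if sent is not None:
            status[phase] = "submitted" if sent <= due else "submitted_late"
        elif now > due:
            status[phase] = "overdue"
        else:
            status[phase] = "open"
    return status


if __name__ == "__main__":
    # Constructed scenario: awareness at 10:00 UTC on 31 January 2025,
    # early warning sent the next morning, status checked on 2 February.
    aware = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
    sent = {"early_warning": datetime(2025, 2, 1, 9, 0, tzinfo=timezone.utc)}
    for phase, due in notification_deadlines(aware).items():
        print(f"{phase:22s} due {due.isoformat()}")
    print(phase_status(aware, datetime(2025, 2, 2, 12, 0, tzinfo=timezone.utc), sent))
```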
Digital Supply Chain: The Risk Vector the Directive Places at the Centre
Article 21 explicitly requires managing the security of vendors and service providers. In the energy sector, this has immediate implications for:
OT and SCADA integrators. Remote maintenance access, firmware update windows and OEM support credentials are documented risk vectors. The directive requires the entity not only to trust the contract, but to evidence active review of those access conditions.
Cloud and SaaS vendors. If asset management systems, CMMS platforms, telemetry analytics tools or corporate ERPs are in the cloud, the entity must have security clauses, audit rights and documented exit plans.
Critical hardware and firmware components. Dependency on manufacturers with embedded software updates or licence keys is a continuity risk that NIS2 does not resolve technically, but does require managing and documenting.
Subcontractors with access to essential systems. Any third party with access, even occasional, to systems that affect service continuity must be covered by the vendor assessment process.
The assessment does not need to be exhaustive from day one, but it must be systematic and documented: vendor classification by criticality, periodic review criteria and records of decisions taken in response to identified risks.
Technical Measures: What NIS2 Expects in Energy OT/IT Environments
The directive does not prescribe specific architectures, but the “state of the art” referenced in Article 21 translates into practical expectations for the sector:
- Network segmentation between corporate IT and OT/SCADA environments, with a documented policy of authorised flows and periodic firewall rule reviews.
- Centralised identity and privileged access management (PAM) for critical systems, including external vendor accounts with automatic expiry and session recording.
- Monitoring and detection across IT environments and, progressively, OT environments, with cross-domain correlation capability.
- Vulnerability management with a documented process for environments where immediate patching is not possible due to certification or continuity requirements.
- Verified, isolated backups with tested recovery procedures for critical control systems and operational data.
- Encryption in transit for sensitive communications between control systems, remote access and third-party data transfers.
For many operators, the gap is not ignorance of these measures, but the absence of formal documentation, assigned owners and evidence of periodic review. That is precisely what distinguishes an auditable posture from a real but indefensible one before supervisors.
Certifications as a Compliance Lever
NIS2 does not mandate certification, but existing certifications serve as structured evidence of compliance. It is worth noting that Commission Implementing Regulation (EU) 2024/2690, adopted on 17 October 2024, develops the technical and methodological requirements of Article 21 in a binding way for digital infrastructure subsectors (cloud, data centres, DNS, managed services). Although it does not directly apply to traditional electricity operators, many experts consider it a de facto reference for all sectors. Energy operators should use it as a signal of the level of detail supervisors will expect.
ISO/IEC 27001 provides the baseline ISMS: risk policy, documented controls and a continual improvement cycle. For energy entities that must demonstrate proportionate and auditable risk management, it is the most internationally recognised standard.
ENS (National Security Framework) applies when the entity has a contractual relationship with public administrations or provides services involving public sector information processing. In the energy sector, many distribution operators and infrastructure operators have this relationship.
IEC 62443 is the sector reference framework developed by the International Electrotechnical Commission for cybersecurity in industrial automation and control systems (IACS). Its various parts (62443-2-1 for asset owners, 62443-3-3 for system requirements, 62443-4-1 and 62443-4-2 for manufacturers) cover security zones, protection levels (SL-1 to SL-4) and OT vendor auditing. Although not directly linked to NIS2, its adoption makes it easier to demonstrate proportionate measures in the OT domain, and it is the most robust technical reference for the IT/OT boundary in energy.
Combining an ISO 27001 ISMS with specific IEC 62443 controls in OT and, where applicable, ENS, is the structure that best covers NIS2 expectations for an energy entity with mixed IT/OT environments.
What Can Go Wrong: Non-Compliance Risks in the Sector
The risks of inaction go beyond the financial penalty, though that is also significant:
- Essential entities: fines of up to €10 million or 2% of global annual turnover, whichever is higher.
- Important entities: fines of up to €7 million or 1.4% of global annual turnover.
- Personal liability of directors: up to €500,000 and temporary disqualification from office, per the Spanish draft law.
Beyond the fine:
- Temporary suspension of certification or authorisation to operate regulated services.
- Reputational exposure with industrial clients whose contracts already require demonstrable cybersecurity posture.
- Real operational risk from unmanaged known attack vectors: incidents that occur later and that basic measures could have contained or detected earlier.
The most common form of non-compliance is not ignorance of the regulation, but the gap between what exists on paper and what is practised operationally. That gap is precisely what an experienced sector supervisor looks for.
7 Steps to Prepare Your NIS2 Compliance Plan in Energy
Step 1. Determine scope and category. Is the entity essential or important? Which systems and services fall within the NIS2 scope? Which authority will supervise compliance? Reference: INCIBE-CERT NIS2 FAQ.
Step 2. Gap assessment. Compare the current state of technical and organisational measures against Article 21 requirements. Identify the gaps with the highest risk and greatest visibility to supervisors.
Step 3. Prioritise by real risk. Not everything can be done at once. Risk analysis must drive prioritisation: which failure scenario has the greatest impact? Which missing control leaves the greatest exposure?
Step 4. Structure governance. Formalise management body involvement per Article 20, assign domain owners and create the reporting mechanisms that connect operations with management.
Step 5. Document and evidence. Compliance without evidence does not exist before an auditor. Every measure must have documentation, an owner, a last-review date and, where applicable, effectiveness metrics.
Step 6. Test the plans. Incident simulations, recovery tests, notification exercises. Not to tick a box, but to identify where the real plan diverges from the plan on paper.
Step 7. Maintain the programme. NIS2 is not a one-off project; it is a continuous programme. The directive expects periodic review, updates in response to changes in the threat landscape and a documented improvement cycle.
What Privalex Offers in NIS2 Projects for Energy
Privalex is a consultancy specialised in certifications, regulatory compliance and data protection. We support compliance officers, CISOs, operations management and legal teams at energy entities in translating NIS2 requirements into operational controls, auditable documentation and governance structures that hold up in conversations with supervisors.
Our energy practice integrates NIS2, ISO/IEC 27001, ENS and IEC 62443 as OT frameworks, combining technical expertise with legal and management perspectives. We are not a generic law firm: we are specialists who work with teams that need to defend their decisions before auditors and regulators.
If you want to start with a no-cost NIS2 gap assessment, access the free risk evaluation. To align scope and roadmap with management, book a strategic session.
Frequently Asked Questions (FAQs)
Entities providing services of electricity generation, transmission, distribution, supply or storage, as well as natural gas, oil or hydrogen, are covered as essential entities under Annex I of Directive (EU) 2022/2555. The size threshold (more than 50 employees or more than €10 million in turnover) is indicative, not exclusive: if the service affects energy continuity, the entity must conduct a detailed applicability analysis regardless of size.
The regime has three phases: early warning within 24 hours, incident notification within 72 hours and a final report within one month. Deadlines run from when the entity becomes aware of the incident, not from when it has been fully analysed. The reference authority for the private sector in Spain is INCIBE-CERT. Internal classification and escalation procedures must therefore be in place before an incident occurs.
NIS2 does not mandate a specific certification, but it does require documented and auditable risk management measures. ISO/IEC 27001 is the most recognised standard for demonstrating that compliance in a structured way. The European Commission may establish mandatory certification schemes for certain products and services in the future. In the meantime, combining ISO 27001 with IEC 62443 for OT environments and ENS where applicable is the structure that best covers NIS2 expectations for operators with mixed IT/OT environments.
Article 20 of Directive NIS2 requires management bodies to approve cybersecurity measures, oversee their implementation and receive periodic training. In cases of serious non-compliance they may incur personal liability: the Spanish draft law provides for fines of up to €500,000 and temporary disqualification from holding office. This represents a real shift from the previous practice of delegating cybersecurity entirely to the technical team.
The directive requires assessing and managing risks introduced by vendors with access to critical systems. For OT environments this means: classifying vendors by criticality, documenting remote access conditions (including MFA and session logging), establishing contracts with effective security clauses and evidencing periodic review of those access conditions. A standard contract is not sufficient. The IEC 62443 framework provides a solid technical reference for structuring OT vendor auditing.
Essential entities can face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities can face fines of up to €7 million or 1.4% of global annual turnover. The directive also provides for temporary suspension of activities and personal liability of directors in serious cases. The reputational and operational risk of an unmanaged incident typically exceeds the cost of the fine.
Commission Implementing Regulation (EU) 2024/2690, adopted on 17 October 2024, develops the technical and methodological requirements of Article 21 of NIS2 in a binding way for digital infrastructure subsectors (cloud, data centres, DNS, managed services). It does not directly apply to traditional electricity operators, but it sets the level of detail that supervisors will expect across all sectors. Energy operators should use it as a best-practice reference and a signal of where supervision is heading.
