NIS2: How energy suppliers must protect themselves against cyber attacks

In July 2025, the Military Counterintelligence Service reported a significant increase in spying attempts and disruptive measures by the Russian secret service, according to media reports. It is becoming increasingly realistic that the German energy infrastructure could also be the target of sabotage.

Several German municipal utilities and energy suppliers have already fallen victim to targeted cyber attacks. Hackers have spied on sensitive data, encrypted systems with ransomware or temporarily paralyzed internal IT structures. These cases make it clear just how vulnerable our energy supply is. The EU’s NIS 2 Directive will force operators of critical infrastructures to significantly increase their protective measures against cyber attacks in future. The EU adopted the first directive regulating cyber security back in July 2016. With Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (Network and Information Security Directive 2 – NIS 2), it expanded the scope of application in 2022, tightened the security and reporting obligations and introduced sanctions for the first time. The draft bill for the German law implementing the NIS 2 Directive has been available since June 24, 2025. At the same time, the Federal Network Agency is also taking action and is consulting on a new IT security catlog with regard to the specific design of the KRITIS in the energy industry.

There are still some weak points in the energy sector

There are still several points of attack for cyberattacks in the energy sector. Many grid operator control rooms are not manned around the clock; employees connect to the systems remotely during off-peak hours. This also opens up access opportunities for hackers.

Even the buildings of energy suppliers are not always access-proof and therefore offer criminals access to the home (W-)LAN. Some substations and transformer stations are located in freely accessible fields or on public roads. The situation is no better in the areas of gas supply, water and wastewater: Pumping and distribution stations are often purely IT-controlled via telecontrol technology.

The NIS 2 Directive already stipulates not only technical but also organizational measures

The NIS 2 Directive covers a large number of critical and important sectors, including energy supply, healthcare, transportation, digital infrastructure and central areas of public administration. It covers companies and facilities whose failure could have a significant impact on public life, the economy or security.

The directive not only prescribes technical precautions, but also obliges companies to take organizational measures to protect their IT infrastructure. Above all, this includes risk management. Security incidents must be reported. In addition, other institutions affected by the incident must be informed.

NIS 2 also stipulates that the members of the Executive Board are personally responsible for implementation and monitoring.

Annex 1 of the NIS2 Directive describes the energy industry as a sector with high criticality. This means, among other things, that facilities in this sector must comply with many minimum IT security requirements and operators of critical infrastructure are also subject to additional verification obligations.

Draft of the NIS 2 Implementation Act also contains amendments to the Energy Industry Act (EnWG)

As an EU directive, this must be transposed into national law. The Federal Ministry of the Interior presented a new draft of the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) on June 23, 2025. The NIS2UmsuCG is primarily intended to amend the BSI Act and the EnWG with regard to the energy industry. The new, very extensive Section 5c EnWG-E is particularly relevant for the energy sector. The IT security catalog of the Federal Network Agency, the current version of which has already been implemented by operators via Section 11 (1a) and (1b) EnWG, is also enshrined in law there. In future, it will oblige grid operators and other operators of critical energy systems to systematically manage the risk of their IT systems and to use attack detection systems. As a rule, operators must report security incidents within 24 hours. In detail:

• Adequate protection: Operators of energy supply networks and systems should have to ensure adequate protection against threats to telecommunications and electronic data processing systems that are necessary for secure operation.
• Documentation obligation: Operators should document compliance with the requirements of the IT security catalog and submit this to the Federal Network Agency. In the event of security deficiencies, the Federal Network Agency can demand measures to rectify the deficiencies.
• Reporting of security incidents: Operators should be required to report significant security incidents to a common reporting point within 24 or 72 hours. The reports should contain detailed information about the incident and the measures taken.
• Training and liability: Operator management should regularly attend training courses to improve their knowledge of IT security. They are liable for any damage caused by a breach of their duties.
• Critical components and functions: The Federal Network Agency is to specify in the IT security catalog which components and functions are considered critical and which security requirements must be met for their operation.

The IT security catalog: New definition likely in 2025

In addition to the amendment to the EnWG resulting from the NIS2UmsuCG, the IT security catalog is also being adapted at a sub-legislative level. Following a consultation with market participants, the Federal Network Agency (BNetzA) and the Federal Office for Information Security (BSI) have added new critical functions in the energy sector to the IT Security Catalog 2025 and have already taken NIS 2 into account in their definition.

In accordance with the presumption regulations in Section 11 (1a) and (1b) EnWG, the operation of an energy supply grid or the operation of an energy system is adequately protected if this catalog of security requirements has been complied with and this has been documented by the operator. The new provisions therefore not only oblige operators of energy supply grids, but also other market roles that are part of the critical infrastructure, such as telecommunications/EDP systems, offshore wind turbines and other KRITIS energy systems.

In future, operators of electricity and gas grids as well as energy plants will be obliged to notify the Federal Ministry of the Interior if they install IT components that have been identified as critical. The BMI then assesses the security risks and can prohibit the use of certain components.

Critical technical functions in the energy sector include grid and system control (e.g. control technology, grid protection and measures such as redispatch and frequency maintenance) as well as their remote maintenance access and any emergency communication.

The definition of critical functions will already apply to transmission system operators from December 25, 2025, where the grid and system control functions (control, control technology and grid protection) of HVDC connections are defined as critical functions. For operators of offshore wind turbines, all functions listed in the IT security catalog are to be classified as critical.

With the abolition of the obligation to notify in accordance with Section 9b (1) sentence 1 BSIG, in a second step, the functions specified in the security catalog for all operators of energy supply networks and energy systems that are classified as critical infrastructure by statutory order are also considered critical.

Energy suppliers should adapt their processes now

The stricter safety requirements that have already been adopted and those that will soon be introduced are already being felt, particularly in the area of grid and system control and grid infrastructure. All market roles in the energy industry can and should start adapting their processes and documentation now in order to minimize liability risks. This includes in particular the adaptation of operating manuals and internal guidelines.