New Energy World™
Navigating the new EU security directive for the energy sector
8/1/2025
Feature
The European Union's Network and Information Security Directive (NIS2) is introducing stricter cyber security requirements for the energy sector, including power plants, hydrogen producers, wind farms, and oil and gas operations. However, it is not just European companies that need to prepare for NIS2, but also the global supply chains of EU-based energy companies, says Sudhir Ethiraj, Global Head of Cyber Security Office and CEO Business Unit Cyber Security Services at TÜV SÜD.
The energy sector’s importance for economic and social prosperity has put it in the crosshairs of cyber criminals. According to the EU Agency for Cybersecurity (ENISA), more than 200 cyber incidents were reported in the energy sector in 2023 alone. Attackers are after data and information, or set out to deliberately disrupt critical infrastructure. Although the big players in the energy sector are generally well protected, the route via third parties in the supply chain is often easier.
The energy sector is therefore a high-value target. To respond to the threat and prevent failures of critical infrastructure, the EU adopted the NIS2 Directive (Directive (EU) 2022/2555) at the end of 2022.
The NIS2 is an update of the existing European Union Network and Information Security (NIS) Directive. It is designed to harmonise the level of IT security in all EU member states and increase their resilience to cyber attacks. NIS2 focuses on improving the cyber security of networks and information systems necessary for the provision of essential services and critical infrastructure.
While many energy operators were affected by NIS, NIS2 has broadened the scope and raised the bar for energy sector operators. Covering significantly more companies than previously, it expands regulatory oversight and enforcement, standardises sanctions for non-compliance and focuses attention on supply chains.
The NIS2 Directive has been in force since January 2023. The deadline for EU member states to transpose it into national law was 17 October 2024, but quite a few countries have missed it, and late transposition exposes them to infringement proceedings by the European Commission. Even if implementation in the member states takes a little longer, the NIS2 Directive is of paramount importance to all organisations operating in the EU. Compliance with the Directive is essential to identify and minimise cyber security risks, reduce the likelihood of business disruption from cyber incidents, and avoid heavy fines and reputational damage.
Large energy operators are classified as ‘essential entities’ under the NIS2 Directive, while medium-sized ones are ‘important entities’ with lighter supervision. Annex I of the Directive lists the energy subsectors and entity types in scope (electricity, district heating and cooling, oil, gas and hydrogen), and the entities in scope must submit their details to the national cyber security authority, which keeps a register of them. All these organisations must implement comprehensive risk management, effective incident response and supply chain security. Operational technology (OT) systems that are central to physical processes, such as power generation and fuel distribution, must also be protected by specific measures. Essential entities must also maintain backups, business continuity and disaster recovery arrangements, including redundant infrastructure.
Essential entities should address the following four points to make their organisation NIS2-compliant and increase cyber resilience.
1. Conduct risk assessments and gap analyses
Risk assessments and gap analyses will identify weaknesses in the cyber security measures already in place. Special attention should be paid to the areas of incident response, general risk management and supply chain security, which are of particular importance in the context of NIS2.
The value of information assets is determined as part of a risk analysis. For example, what types of business data are critical to business continuity?
The impact on the relevant information assets is then determined in various scenarios, such as loss of data held by a service provider or encryption of a specific system by ransomware. This forms the basis of the gap analysis, which not only identifies the differences between the current state of security measures and the target state, but also produces a clear, organisation-specific action plan to close those gaps. This allows organisations to allocate resources to the most critical areas first, optimising their investment in cyber security while reducing the risk of financial and reputational loss.
Given the high level of cyber risk in the energy sector, such risk assessments are critical to meeting the requirements of NIS2. The Directive therefore requires essential and important entities to base their security measures on a regular, comprehensive risk analysis that takes an all-hazards approach.
2. Build a culture of cyber awareness
Building a culture of cyber awareness is of the utmost importance in ensuring a strong ‘human firewall’ and avoiding errors at human level. NIS2 emphasises the importance of ongoing training for employees at all levels, up to and including senior management.
By promoting a culture of vigilance and compliance, organisations can reduce the risk of security breaches and improve their overall security posture. Employees should be trained on an ongoing basis, including – as a first step – on the company’s own policies that have been developed to meet the requirements of NIS2. NIS2 (Article 20) makes management bodies responsible for approving and overseeing the risk management measures, requires them to undergo cyber security training themselves, and allows them to be held liable for infringements.
In order for cyber awareness to become active knowledge and lead to sustainable behavioural change, security training needs to meet certain criteria and characteristics. It is not enough to simply provide participants with knowledge about the threat situation. To achieve real awareness in everyday working life, background knowledge of the most common attack vectors should be combined with practical training. In this way, application can be practiced and become routine to achieve long-term learning success.
3. Enhance supply chain security
Vulnerabilities in suppliers’ systems can pose significant risks. There are many ways for cyber criminals to exploit the supply chain, including inserting malware into legitimate software updates, compromising third-party vendors with remote access to a company’s networks, recruiting or planting an insider at a supplier, or even introducing tampered hardware. Attacks carried out through trusted partners or suppliers inherit that trust, can go undetected for a long time and cause significant damage.
NIS2 requires companies to address cyber security risks in their supply chains and to ensure that third-party systems and services meet the same standards. The Directive sets a proportionality test for how far the measures must go, based on the entity’s degree of risk exposure, its size, the cost of implementation, and the likelihood and severity of incidents, including their societal and economic impact. For suppliers specifically, it expects entities to take into account the vulnerabilities of each direct supplier and service provider and the overall quality of their products and security practices, including their secure development procedures. This proactive approach helps to mitigate risks arising from interconnected systems.
4. Establish trust and continuous improvement through internal audit and testing
In an evolving threat landscape where organisations are only one incident away from operational disruption and reputational damage, regular internal audits and frequent penetration testing are essential. They provide insight into emerging vulnerabilities, support ongoing compliance with NIS2 and refine incident response capabilities. For energy providers, internal audits provide a systematic way to adjust security practices to maintain effectiveness and resilience across different types of facilities, from hydrogen plants to oil and gas refineries.
Once the measures are in place, internal audits provide a regular check that they remain effective, including their effect on the supply chain. Gaps and vulnerabilities identified during audits and incident reviews must be addressed immediately, and the resulting feedback used to improve organisation-specific policies and procedures, driving continuous improvement in an ever-evolving cyber threat landscape.
ISO 27001 and IEC 62443 – foundation for NIS2 compliance
Organisations wondering which specific regulations they can use to become NIS2 compliant should take a look at the widely used international cyber security standards ISO 27001 and IEC 62443.
ISO 27001 helps to establish and maintain an effective Information Security Management System (ISMS). Energy organisations certified to this standard already cover many of the requirements of NIS2. ISO 27001 certification can also be used, for example, by suppliers and service providers to demonstrate effective risk management to KRITIS operators (operators covered by Germany’s critical infrastructure regime).
As OT security also plays an important role in the energy sector, the IEC 62443 series of international standards is also relevant. Published by the International Electrotechnical Commission (IEC), it addresses the security of industrial automation and control systems across their whole lifecycle and from several perspectives: the asset owner’s security programme (IEC 62443-2-1), system design with zones, conduits and security levels (IEC 62443-3-3), technical requirements for components (IEC 62443-4-2), and the secure product development lifecycle for suppliers (IEC 62443-4-1), from risk assessment through to operation.
Achieving and maintaining compliance with NIS2 is a complex endeavour, particularly for large-scale operations. By focusing on regulatory compliance, risk management, supply chain security, continuous improvement and employee awareness, energy companies are playing a key role in protecting Europe's critical infrastructure against an ever-evolving threat landscape.
UK government taking action
Later this year, the Cyber Security and Resilience Bill will be introduced to the UK Parliament. The UK-wide Bill is intended to expand the remit of regulation to more digital services and supply chains, strengthen regulators by including cost recovery mechanisms and powers to proactively investigate vulnerabilities, and mandate increased incident reporting by regulated entities to provide better post-event information.
In September, the government said: ‘Our digital economy is increasingly being attacked by cyber criminals and state actors, affecting essential public services and infrastructure. In the last 18 months, our hospitals, universities, local authorities, democratic institutions and government departments have been targeted in cyber attacks.’
‘Recent cyber attacks affecting the NHS and Ministry of Defence show the impacts can be severe. Our laws have not kept pace with technological change so we need to take swift action to address vulnerabilities and protect our digital economy to deliver growth. The Bill will strengthen the UK’s cyber defences and ensure critical infrastructure and the digital services companies rely on are secure.’
- Further reading: ‘Cyber security and BESS – battery energy storage systems’. Battery energy storage systems are becoming indispensable in modern power grids. These systems integrate renewable energy sources, maintain grid stability and provide backup power during emergencies. However, increasing digitalisation of energy systems and the inherent vulnerabilities of BESS to cyber threats pose significant risks to the stability of power grids and the safety of physical assets.
- Digitalisation of the oil and gas industry and its supply chain offers increased production, reduced operating costs and enhanced efficiency. Find out more about some of the latest initiatives worldwide aiming to reduce the risk of cyber attacks on the sector.