NIS2 obligations for energy providers 2026
The energy sector sits at the top of NIS2 Annex I and is therefore squarely in scope as essential entities. Unlike other sectors, energy has been regulated for years through the German Energy Industry Act (EnWG § 11 (1a) and (1b)) and the two BNetzA IT security catalogues. NIS2 adds further duties, primarily on supply chain, formal management body resolution and notification cascade. Here is a clean delineation and a concrete 2026 to-do list.
Who falls under Annex I 'energy'
Electricity: generators, transmission system operators (TSO), distribution system operators (DSO), electricity market participants, charging point operators, suppliers.
Natural gas: suppliers, distribution and transmission system operators, LNG terminal operators, storage operators.
District heating and cooling: operators of district heating and cooling systems.
Oil: pipeline operators, production and refining, central stockholding entities.
Hydrogen: producers, storage operators, transmission system operators for hydrogen (new under NIS2).
Size filter: from 50 employees or EUR 10m revenue an energy company is at least an important entity; from 250 employees or EUR 50m revenue it is an essential entity.
Relationship to EnWG and the BNetzA IT security catalogue
§ 11 (1a) EnWG requires operators of electricity and gas networks to implement state-of-the-art protection in line with the BNetzA IT security catalogue (last issued in 2018 for grids and 2019 for energy installations).
§ 11 (1b) EnWG requires operators of energy installations classified as critical infrastructure to implement the energy installations IT security catalogue.
Both catalogues rest on ISO 27001 plus sector-specific requirements (DACF, OT/IT separation, smart meter gateway interfaces).
Gaps versus NIS2: the Art. 20 management body training duty is new; the Art. 23 notification cascade (24h initial notification to BSI) is stricter than the existing BNetzA security incident reporting; and Art. 21(2)(d) demands deeper supply chain security towards SCADA, smart metering and cloud providers.
Ten concrete obligations for 2026
1. Separate risk analysis for OT (process control) and office IT, with reference to energy-specific threats (ransomware with OT impact, state-sponsored actors, supply chain attacks).
2. Incident handling with a clean separation between 'BNetzA security incident' and 'material NIS2 incident'. Frequently both must be reported in parallel.
3. Business continuity and crisis management: documented contingency plans for OT outage, black-start recovery, island operation where applicable.
4. Backup and recovery of control-system configurations with offline copies. Restore test at least annually.
5. OT vulnerability management: SCADA components often have lifecycles of 15+ years. Patching requires planned maintenance windows and vendor approval.
6. Cryptography and secure communication: especially for telecontrol, smart meter gateways, remote control modems and pricing signals.
7. Access control plus MFA for all remote access to control systems, supplier VPN and cloud consoles.
8. Supply chain security: every procurement of SCADA, smart meter, EMS or DERMS components needs security audit rights and vulnerability notification duties from the supplier.
9. Training duty and awareness: board annually, OT staff at least twice a year, office IT awareness regularly.
10. Authentication, OT asset inventory and personnel security.
Notification cascade: BNetzA vs. BSI
BNetzA notification under § 11 EnWG: for security incidents that affect grid operation or service delivery, reported to BNetzA, typically within hours.
NIS2 notification under Art. 23: 24h early warning, 72h incident notification, one-month final report to BSI as competent authority under the German NIS2 law.
For a material incident, both are mandatory in parallel. A sensible approach is a single internal incident template that serves both audiences and an explicit 'who informs whom when' definition.
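As an added illustration of the 'single template, two audiences' approach described above (example code, not part of the original article or of any DecisionOS product): one incident record carries the two classification flags, and the notification plan for BNetzA and BSI, including the 24h/72h/one-month deadlines, is derived from it. The page gives no fixed deadline for the BNetzA report ("typically within hours"), so that entry is left without a due time rather than inventing one; the one-month final report is computed as one calendar month, which is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import calendar


@dataclass
class Incident:
    """Single internal incident record that serves both regulators."""
    detected_at: datetime
    affects_grid_operation: bool      # triggers BNetzA security incident report (§ 11 EnWG)
    material_under_nis2: bool         # triggers the BSI cascade under NIS2 Art. 23
    description: str = ""
    sent: set = field(default_factory=set)   # step names already reported


def add_one_month(ts: datetime) -> datetime:
    """One calendar month later, clamping the day (e.g. 31 Jan -> 28 Feb).
    Assumption: 'one month' in the article is read as a calendar month."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def notification_plan(inc: Incident) -> list:
    """Return (authority, step, due) tuples; due is None where the page gives no fixed SLA."""
    plan = []
    if inc.affects_grid_operation:
        # § 11 EnWG: report to BNetzA "typically within hours"; no fixed deadline on the page.
        plan.append(("BNetzA", "security incident (§ 11 EnWG)", None))
    if inc.material_under_nis2:
        t0 = inc.detected_at
        plan.append(("BSI", "early warning (Art. 23)", t0 + timedelta(hours=24)))
        plan.append(("BSI", "incident notification (Art. 23)", t0 + timedelta(hours=72)))
        plan.append(("BSI", "final report (Art. 23)", add_one_month(t0)))
    return plan


def overdue_steps(inc: Incident, now: datetime) -> list:
    """Steps whose fixed deadline has passed and which are not yet marked as sent.
    The BNetzA entry has no fixed deadline on the page and is therefore never listed here;
    it is still surfaced by notification_plan() so nobody forgets the parallel report."""
    return [step for authority, step, due in notification_plan(inc)
            if due is not None and now > due and step not in inc.sent]


if __name__ == "__main__":
    # Constructed sample: a ransomware event with OT impact, detected on a Sunday morning.
    inc = Incident(
        detected_at=datetime(2026, 3, 1, 10, 0, tzinfo=timezone.utc),
        affects_grid_operation=True,
        material_under_nis2=True,
        description="ransomware on engineering workstation, SCADA HMI unavailable",
    )
    for authority, step, due in notification_plan(inc):
        print(f"{authority:7} {step:40} due: {due.isoformat() if due else 'ASAP (no fixed SLA)'}")
    inc.sent.add("early warning (Art. 23)")
    print("overdue at +80h:", overdue_steps(inc, inc.detected_at + timedelta(hours=80)))
```

The point of `overdue_steps` is that the BSI cascade has hard clocks while the BNetzA report does not, so a tracker built on deadlines alone would silently drop the BNetzA duty; keeping both in one plan is the 'who informs whom when' definition the article recommends.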
Management body responsibility
Board or managing directors must formally approve the cyber risk strategy, attend regular training and oversee implementation.
For essential entities: fines up to EUR 10m or 2 percent of worldwide group turnover. For important entities: up to EUR 7m or 1.4 percent.
The competent authority (in Germany: BSI, flanked by BNetzA for regulated areas) may order training to be redone and individual managers to be temporarily barred from management functions.
Sector-specific pitfalls
OT patch conflict: many SCADA components must not be patched for regulatory reasons (certification, vendor approval). Compensate with network segmentation, an IDS and a documented risk acceptance.
Energy cloud: many utilities migrate EMS and customer portals to the cloud. EU data residency plus NIS2 clauses with hyperscalers are contractual must-haves.
DERMS and aggregators: as renewables ramp up, aggregator platforms grow fast. They become NIS2 subjects themselves once they cross the threshold and introduce new supply chain risk into classic grid operation through their interfaces.
What DecisionOS does
The most expensive decisions in the energy IT stack, SIEM/SOC build-out, OT EDR selection, IAM platform with MFA, backup design for control systems, EMS cloud migration, can be documented as audit-bearing decision memos. DecisionOS maps each memo onto NIS2 Art. 21 and the IT security catalogue at the same time, captures stakeholder alignment (CIO, OT lead, ISB, board) and produces a readiness score. The same dossier serves BSI audits and BNetzA inspections.