18 February 2026
Publication series – 2 / 77 Insights
With the recent entry into force of the NIS2 Directive, the European Union has taken a decisive step toward harmonizing and strengthening cybersecurity requirements within its member states. The Directive notably replaces and expands upon its predecessor, tightening regulations and broadening the range of entities subject to cybersecurity obligations. In Germany, these requirements have been implemented with the new BSIG (Act on the Federal Office for Information Security and on the Strengthening of the Security of Information Technology Systems), which came into effect in December 2025.
NIS2’s central objective is to raise the level of digital resilience across critical sectors by obliging defined entities to implement robust technical and organizational measures for managing cyber risks. The framework distinguishes between “essential” and “important” entities on the basis of sectoral relevance and company size. In the energy sector, this includes not only large producers and grid operators but also a much broader range of market participants than before, e.g. in the areas of power supply, district heating supply and gas supply.
Renewable energy companies were already subject to mandatory IT security measures, particularly under the German Energy Industry Act (EnWG), which obliged operators of energy supply networks and energy installations to implement IT security measures. However, these obligations for energy installation operators only applied if the renewable energy company operates installations that qualify as critical infrastructure and reach certain supply-relevant thresholds.
Now, renewable energy companies are subject to NIS2 requirements (deriving both from BSIG and EnWG) if they either operate critical infrastructure or have at least 50 employees or achieve an annual turnover of at least EUR 10 million and perform an activity regulated in Annexes 1 and 2 of the BSIG, such as, inter alia:
While NIS2 generally provides a uniform framework, practical application in the energy sector clearly raises specific considerations. The sector is characterized by complex operational models, such as the outsourcing of operations or management functions, which can make it challenging to clearly determine the responsible legal entity for compliance purposes.
Additionally, energy companies remain subject to further national energy regulations. In Germany, for example, an “IT Security Catalogue” (which is currently being revised) prepared by the telecommunication and network regulator stipulates binding requirements for information security obligations, including mandatory ISO27k certifications.
The NIS2 Directive fundamentally reshapes the cybersecurity landscape for the energy sector, imposing more extensive and standardized duties while shifting accountability directly to organizational leadership. The main challenges now lie in the practical implementation of these requirements – especially regarding risk assessment, organizational liability, and compliance management – within the increasingly complex structures characteristic of modern energy markets. An overview of the most important NIS2 requirements for the energy sector can be found here.