Key facts for energy

  • Energy is an Annex I sector. Medium and large entities are typically essential.
  • Scope spans electricity, oil, gas, hydrogen, and district heating and cooling.
  • NIS2 sits alongside the network code on cybersecurity, the EECSP recommendations, the CER Directive, and national grid codes.
  • OT systems (SCADA, EMS, DMS, ICS) are squarely inside Article 21.
  • State-aligned threat actors frequently target energy. Threat intelligence sharing is not an optional practice; it is a control.

Energy sub-sectors in scope

NIS2 Annex I for energy is detailed and covers the full value chain. In-scope entity types include:

  • Electricity: electricity undertakings involved in supply, distribution system operators (DSOs), transmission system operators (TSOs), producers, nominated electricity market operators (NEMOs), market participants providing balancing, aggregation, or demand response services, and operators of charging points for electric vehicles.
  • Oil: operators of oil transmission pipelines; operators of oil production, refining and treatment facilities, storage, and transmission; and central stockholding entities.
  • Gas: supply undertakings, DSOs, TSOs, storage operators, LNG system operators, natural gas undertakings, and operators of gas refining and treatment facilities.
  • District heating and cooling: operators of district heating and district cooling systems.
  • Hydrogen: operators of hydrogen production, storage, and transmission.

Scope is assessed per legal entity. Large integrated energy groups often span several Annex I sub-sectors and may need separate registrations in different member states.

Top cyber risks for energy

OT and SCADA attacks

Grid control systems, SCADA, EMS, and DMS are the crown jewels. A successful intrusion can enable load manipulation, breaker operations, or loss of visibility for operators. Historical incidents in the sector have demonstrated that motivated attackers can move from IT to OT when segmentation is weak or when engineering laptops cross the trust boundary.

Smart grid and metering

Advanced metering infrastructure, field devices, and DER aggregation expand the attack surface beyond the control room. Firmware integrity, device authentication, and secure communications matter at scale. A compromise of the head-end system of an AMI deployment can have grid-level consequences.

Supply chain, especially OT vendors

OT vendors, engineering service providers, and managed service providers typically have deep remote access. Several of the most consequential publicly reported energy incidents have started with a compromise of a vendor or engineering service provider, not the utility itself.

Nation-state threat actors

Energy is a strategic target. State-aligned groups have conducted long-running campaigns against European energy operators, including reconnaissance of control systems, spear-phishing of engineers, and supply chain operations. Threat intelligence sharing via the national CSIRT, sector ISACs, and EE-ISAC is an operational control, not a nice-to-have.

Physical-cyber convergence

Substations, pipelines, and compressor stations can be disrupted by combined physical and cyber events. NIS2 complements the CER Directive on physical resilience, and coordinated handling of these risks is expected.

NIS2 and the sector regulatory stack

For energy, NIS2 is the horizontal baseline. Several other instruments add detail:

  • Network code on cybersecurity aspects of cross-border electricity flows. Adopted under Regulation (EU) 2019/943, this is the operational expression of NIS2 in the electricity domain. It covers risk assessment, supply chain, information classification, and cyber exercises.
  • Critical Entities Resilience (CER) Directive. Focuses on physical resilience of critical entities. Many energy operators are in scope of both CER and NIS2 and should integrate the two.
  • EECSP recommendations. Non-binding guidance from the European Energy and Cybersecurity Strategy Platform, useful as a design reference.
  • National grid codes and sector regulators. Member states layer domestic rules on top, with national energy regulators often acting as competent or sector authorities.

The practical answer is a single cybersecurity program that satisfies all these regimes, not one project per regulation. This is where a clear control framework mapping pays for itself.

A 30-day, 90-day, and 12-month roadmap

First 30 days: clarity

  • Confirm scope per entity, including cross-border operations, and register with competent authorities.
  • Inventory in-scope IT and OT systems per site, with criticality ratings tied to grid or supply impact.
  • Map existing obligations under NIS2, network code, CER, and national grid code to a single control framework.
  • Appoint accountable executives and a joint cyber and resilience steering committee.

Days 30 to 90: stabilise

  • Publish a management body-approved information security policy covering IT and OT.
  • Close top quick wins on OT: brokered remote access, MFA for engineering staff, and restricted USB usage.
  • Run a tabletop exercise on a sector-relevant scenario, such as ransomware on EMS or a supply chain compromise via an OT vendor.
  • Deliver mandatory cybersecurity training to the management body.

Months 4 to 12: sustain

  • Mature OT monitoring: passive network monitoring, asset discovery, and integration with the SOC.
  • Extend supply chain security across OT vendors, engineering service providers, and MSPs, including contract clauses and periodic assessments.
  • Join threat intelligence communities, including sector ISACs and national CSIRT channels.
  • Conduct an internal audit against Article 21 and network code requirements and close findings before external supervision.

Frequently asked questions

Which energy companies are in scope?

Annex I covers the electricity value chain including TSOs, DSOs, producers, NEMOs, and EV charging point operators, plus oil, gas, hydrogen, and district heating and cooling operators. Size thresholds and member state designation apply.

Are energy companies essential or important?

Medium and large entities in Annex I are typically essential, with higher maximum fines and proactive supervision. Smaller operators may be classified as important.

How does NIS2 fit with the Grid Code and CER?

NIS2 is the horizontal baseline. The network code on cybersecurity is its operational expression in electricity. CER covers physical resilience. Treat them as a single program with one control framework and mapped evidence.

Do smart meters and DER fall under NIS2?

Yes, via the DSO or aggregator. Article 21 requires you to manage the cybersecurity of all network and information systems you use, which includes AMI and integrated DER. Supply chain duties extend to the vendors.

What about nation-state threats?

Energy is a recurring target. Threat intelligence sharing via national CSIRT and sector ISACs, red team exercises focused on OT, and robust vendor risk management are the pragmatic answer.

Do renewables and aggregators need to comply?

Producers and aggregators classified as electricity market participants are in scope under Annex I when they meet size thresholds. Member states can pull in smaller entities by designation when their disruption affects market operations or grid stability.

What does incident reporting look like for a grid operator?

Article 23 timelines apply: 24-hour early warning, 72-hour notification, one-month final report. Expect national sector-specific reporting on top, and cross-border coordination with neighbouring TSOs and ENISA when relevant.

How long does implementation take?

Mature TSOs and large DSOs often reach readiness in six to twelve months by closing specific gaps against NIS2 and the network code. Smaller producers and DSOs without a formal ISMS should plan twelve to eighteen months.

One program, multiple regimes

NIS2, the electricity cybersecurity network code, CER, and national grid codes can be implemented as one coherent cybersecurity program. A scoping call is the fastest way to see how.