TL;DR The NIS 2 directive brings a mandatory catalogue of duties for European energy providers in 2026, including personal board liability. Who is affected, what needs to be done concretely, and what a robust implementation plan looks like.

Who is affected

NIS 2 (Directive EU 2022/2555) and the German national implementation (NIS2UmsuCG) classify the energy sector as a highly critical sector (Annex I). This includes:

  - Electricity providers, transmission and distribution network operators
  - Gas and oil providers, pipeline operators
  - District heating operators
  - Hydrogen producers and providers (newly in scope)
  - Operators of fuel-station networks above a defined size

Beyond activity, company size matters. Essential entities are typically organisations with 250+ employees or 50M+ EUR annual turnover. Important entities start at 50 employees or 10M EUR. Suppliers can be indirectly affected if they deliver security-relevant services to NIS 2 entities.

What changes compared to NIS 1

NIS 1 in the energy sector primarily covered transmission network operators and large power plants. NIS 2 substantially broadens the scope:

  - More companies through lower size thresholds
  - Supply chain explicitly part of risk assessment
  - Personal board liability (Article 32) for failure to implement security measures
  - Fines up to 10M EUR or 2 percent of global annual turnover
  - Reporting duties with strict deadlines, no more "as soon as possible"

Energy providers that were only marginally affected under NIS 1 find themselves with a substantially expanded catalogue of duties under NIS 2.

The core catalogue of obligations

Article 21 of the directive defines ten technical and organisational measures every affected company must implement:

  1. Risk analysis and security policy concepts
  2. Security incident handling (incident response)
  3. Business continuity, backup management, crisis management
  4. Supply chain security, including relationships with service providers
  5. Security in acquisition, development and maintenance of network and information systems
  6. Concepts for assessing the effectiveness of these measures
  7. Cyber hygiene and training
  8. Cryptography and encryption
  9. Personnel security, access control, asset management
  10. Multi-factor authentication, secured communication, emergency communication

These ten points are not optional. They are not "best practice". They are legally required.

Reporting duties: strict deadlines

For a security incident with significant impact:

  - 24 hours: Initial early warning to the competent authority (in Germany: the BSI)
  - 72 hours: Updated report with first assessments
  - 1 month: Final report with root cause analysis and measures taken

Missing these deadlines means not just the fines, but also personal consequences for the board. In a sector that has historically been reluctant to communicate, this is a cultural shift.

Personal liability: this gets serious

Article 32 of the directive and § 38 NIS2UmsuCG require the board to actively approve cyber security measures, monitor their implementation, and undergo regular training. Violations create personal liability for board members.

This is not a theoretical scenario. Supervisory authorities receive powers to temporarily exclude leading individuals from their roles. Cyber security is finally no longer an IT matter; it is a board matter.

Checklist: ten steps to NIS 2 compliance

We recommend the following implementation plan, building on ISO 27001 as a foundation with NIS 2-specific additions:

  1. Define scope. Essential or important entity? Which subsidiaries are affected? Which suppliers?
  2. Establish risk management. Protection-need analysis, asset inventory, risk assessment with clear owners.
  3. Map measures catalogue against Article 21. Gap analysis between current state and legal duty.
  4. Board resolution on cyber security strategy. Written, with responsibilities and budget.
  5. Secure the supply chain. Contract clauses, audit rights, security requirements for service providers.
  6. Build detection and response. SOC in-house or as managed service, with 24/7 coverage.
  7. Define reporting channels. Who informs the BSI within 24 hours? Deputy? Escalation?
  8. Roll out training. Board, key personnel, technical teams, each tailored to audience.
  9. Build documentation. Audit-ready, version-controlled, regularly updated.
  10. Test effectiveness. Penetration tests, tabletop exercises, annual management review.

These ten steps do not produce a "NIS 2 certificate" (no such thing exists). They produce evidence that the legally required measures are implemented.

What many energy providers underestimate

Three points that are regularly addressed too late in our advisory practice:

  - Supply chain. Anyone without contractual security requirements for IT service providers, remote-maintenance providers and cloud platforms in 2026 has an open flank. Supervisory authorities will target this.
  - OT security. Control technology in substations, pumping stations and generation plants is often outdated, with long patch cycles and weak authentication. NIS 2 makes no exception for OT.
  - Board competence. The duty to train the board is not symbolic. In an incident, the authority will ask what the board knew when, and what they decided.

How GermanAI Defense supports

We build NIS 2 programmes on ISO 27001 as the foundation, add the NIS 2-specific duties, and deliver audit-ready documentation. Our scope covers gap analysis, measures plan, technical implementation (SOC, penetration testing, training) and ongoing board support.

Audited, accredited, documented. From Frankfurt, for energy infrastructure in Germany.

→ More on our GRC and compliance services: germanaidefense.com/grc