The threat
The NIS2 Directive (EU Directive 2022/2555) came into force in January 2023. Member States had until 17 October 2024 to transpose it into national law. That deadline has passed. Germany, the Netherlands and Denmark are now enforcing. Energy operators (electricity transmission, distribution, gas transmission, storage, oil pipelines, district heating) are classified as essential entities under Annex I.
The scope is wider. The obligations are specific. The penalties are real. A Head of Risk at a German TSO told me in November that the biggest shock was not the technical measures but the speed at which their legal team flagged personal liability for the management board. NIS2 makes cybersecurity a governance issue.
The threat is the regulatory consequence of failing to manage the vectors you already know about: supply-chain compromise, third-party access to operational technology, ICT incidents that cascade into physical operations. Triton in 2017 demonstrated that OT environments are reachable. Industroyer in 2016 demonstrated the same. Norsk Hydro in 2019 showed that a ransomware event can halt industrial production for weeks. NIS2 assumes these events will happen and holds you accountable for how you prepare and respond.
Risks it creates for the enterprise
The first risk is financial. Essential entities face administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. ENISA has published enforcement guidance making clear that repeat non-compliance or failure to report significant incidents will attract the upper end of the scale.
The second is personal. Article 20 of NIS2 requires Member States to ensure that management bodies approve cybersecurity risk management measures and oversee their implementation. Supervisory authorities can hold directors personally liable for failures. The board owns the risk.
The third is reputational. Significant incidents must be reported to the national CSIRT or competent authority within 24 hours of becoming aware, with updates at 72 hours and a final report within one month. Some Member States are publishing incident summaries. A supply-chain breach that takes down a distribution network will be public within days.
The fourth is operational. NIS2 requires supply-chain security measures. If a third-party IT provider or OT vendor causes an incident, you are still liable. Every integration point, every remote access session, every software update from a vendor is a control point you must document and test.
Likelihood-reducing controls
Article 21 lists ten categories of risk management measures. These are minimum requirements. The ones that matter most for energy operators are policies on risk analysis, information system security, incident handling, business continuity, supply-chain security, security in network and information systems acquisition.
Start with supply-chain due diligence. Map every third party with access to your IT or OT environment. Classify them by criticality. For high-risk suppliers (SCADA vendors, remote monitoring providers, cloud infrastructure) require contractual security obligations, annual attestation, the right to audit. If a vendor cannot demonstrate compliance with IEC 62443 or equivalent, treat that as a red flag.
Segment your OT networks. NIS2 does not mandate a specific architecture, but supervisory authorities expect defence in depth. Air-gapping is ideal but rare in practice. If you cannot air-gap, enforce strict access controls, monitor all traffic between IT and OT zones, disable unnecessary protocols. Many energy operators still run legacy systems with no authentication. That will not pass a NIS2 audit.
Implement continuous monitoring for anomalies. Log, correlate, alert on deviations from baseline behaviour. A sudden spike in outbound traffic from a substation controller is a signal. An unauthorised login attempt on a historian database is a signal. A configuration change outside the maintenance window is a signal. You need the tooling to see them and the process to act.
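The three signals just listed, as added detection logic run over constructed log records (example code, not from the article or any regulator's tooling); the record fields, host names, allow-list, maintenance window and 3-sigma threshold are assumptions to be replaced with your own SIEM export and change calendar:

```python
# Added example (not from the article): the three signals named above, checked over
# constructed log records. Field names, hosts, users and thresholds are assumptions.
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed records, as a SIEM might export them; timestamps are UTC, ISO 8601.
RECORDS = [
    {"ts": "2024-11-04T02:10:00", "type": "netflow", "src": "rtu-sub07", "out_bytes": 12_000},
    {"ts": "2024-11-04T02:15:00", "type": "netflow", "src": "rtu-sub07", "out_bytes": 11_500},
    {"ts": "2024-11-04T02:20:00", "type": "netflow", "src": "rtu-sub07", "out_bytes": 13_100},
    {"ts": "2024-11-04T02:30:00", "type": "netflow", "src": "rtu-sub07", "out_bytes": 480_000},
    {"ts": "2024-11-04T02:31:00", "type": "auth", "host": "historian01", "user": "svc_backup", "result": "failure"},
    {"ts": "2024-11-04T02:33:00", "type": "auth", "host": "historian01", "user": "vendor_remote", "result": "success"},
    {"ts": "2024-11-04T02:40:00", "type": "config", "host": "plc-feeder12", "user": "vendor_remote"},
    {"ts": "2024-11-04T11:00:00", "type": "auth", "host": "historian01", "user": "ot_admin", "result": "success"},
    {"ts": "2024-11-04T11:05:00", "type": "config", "host": "plc-feeder12", "user": "ot_admin"},
]
MAINT_WINDOW = (time(10, 0), time(14, 0))                        # assumed approved change window
HISTORIAN_USERS = {"historian01": {"historian_ro", "ot_admin"}}  # assumed per-host allow-list

def outbound_spikes(records, sigma=3.0):
    """Flag an outbound-bytes sample above mean + sigma*stddev of that source's earlier samples."""
    alerts, baseline = [], {}
    for r in (x for x in records if x["type"] == "netflow"):
        hist = baseline.setdefault(r["src"], [])
        if len(hist) >= 3 and r["out_bytes"] > mean(hist) + sigma * max(pstdev(hist), 1.0):
            alerts.append(("outbound_spike", r["src"], r["ts"]))
        else:
            hist.append(r["out_bytes"])  # flagged samples never enter the baseline
    return alerts

def unauthorised_logins(records, allowlist):
    """Flag any failed login, or any login by a user not on the host's allow-list."""
    return [("unauthorised_login", r["host"], r["user"], r["ts"])
            for r in records if r["type"] == "auth" and r["host"] in allowlist
            and (r["result"] != "success" or r["user"] not in allowlist[r["host"]])]

def out_of_window_changes(records, window):
    """Flag configuration changes whose time of day falls outside the maintenance window."""
    start, end = window
    return [("config_outside_window", r["host"], r["user"], r["ts"])
            for r in records if r["type"] == "config"
            and not (start <= datetime.fromisoformat(r["ts"]).time() < end)]

def run_detections(records):
    """All three detections over one batch of records."""
    return (outbound_spikes(records)
            + unauthorised_logins(records, HISTORIAN_USERS)
            + out_of_window_changes(records, MAINT_WINDOW))
```

Each alert tuple carries the host, user and timestamp so it can be dropped straight into the incident timeline the final report will need.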
Test your incident response plan quarterly. NIS2 requires you to have one. Supervisory authorities will ask to see evidence that it works. Run a scenario where a ransomware event locks the ERP system during a planned outage. Who makes the call to isolate the network? Who notifies the regulator? Who speaks to the press? Write down the answers before the event.
Impact-reducing mitigations
The 24-hour reporting clock starts when you become aware of a significant incident. "Aware" means the moment your monitoring tools flag it or a user reports it. Have a pre-drafted notification template ready. Include the incident type, affected systems, potential impact, initial containment actions. You can refine the details in the 72-hour update.
Designate a single point of contact for regulatory reporting. In Germany, that is the BSI. In Denmark, it is the Centre for Cyber Security under the Danish Defence Intelligence Service. Know who to call before you need to call them. Have their contact details in your incident response runbook.
Isolate affected systems immediately. If you suspect a supply-chain compromise, assume lateral movement. Cut network access to the affected vendor's integration points. Revoke API keys, disable VPN tunnels, quarantine any devices that communicated with the compromised system in the last 72 hours. Speed matters more than precision in the first hour.
Communicate internally before you communicate externally. Your operational teams need to know what is down, what is safe, what actions they should take. Brief your crisis management team, then brief the board, then notify the regulator. In that order.
Keep forensic evidence. NIS2 requires a final report within one month. That report must include root cause, timeline, affected systems, corrective actions. If you wipe and rebuild systems before capturing logs, you will have nothing to submit. Preserve disk images, network captures, authentication logs. If you lack in-house forensic capability, have a retainer with a firm that does.
Management liability under NIS2 is real. The directive gives supervisory authorities the tools to enforce. If your board has not reviewed your Article 21 measures in the last six months, that review is overdue.
