When is an energy utility subject to NIS2?

Energy utilities fall under NIS2 Annex I No. 1 (energy) as Essential Entities once they supply electricity, gas, district heating, or oil in a manner relevant to societal supply. Network operators (transmission and distribution networks) are subject to NIS2 irrespective of company size; generators and suppliers from medium size (50 employees or 10M EUR turnover per SME Recommendation 2003/361/EC Art. 2). Exact classification depends on the activity (generation, transmission, distribution, supply).

What is the difference between NIS2 and KRITIS for energy utilities?

NIS2 (Annex I No. 1) applies to energy utilities from medium enterprise size or as network operators without size threshold. KRITIS under BSI-KritisV § 2 Annex 1 applies to electricity above 420 MW installed generation capacity or 3,700 GWh/year network draw, to gas above 5,190 GWh/year. Energy supply is a sector where NIS2 and KRITIS regularly apply simultaneously; transmission system operators are subject to both regimes. Additionally, § 11 EnWG applies with IT security obligations for network operators.

What OT/SCADA protection obligations apply to energy utilities under NIS2?

§ 30 BSIG-neu requires energy utilities especially to protect network management systems (EMS/DMS), remote terminal units (RTU, IED), and SCADA infrastructure. Mandatory measures include: OT/IT network segmentation, protection of communication protocols (IEC 60870-5-104, IEC 61850), patch management for field devices, and emergency plans for supply interruptions. The BSI IT Security Catalogue of the Bundesnetzagentur contains supplementary requirements for network operators.

What fines do energy utilities face for NIS2 violations?

As Essential Entities under Annex I, energy utilities risk fines up to 10 million Euro or 2 percent of global annual revenue under § 65 BSIG-neu. KRITIS operators can additionally face coercive fines under § 53 BSIG-neu. Network operators can further be fined under EnWG § 95 if IT security obligations under § 11 EnWG are violated.

What do NIS2 supply-chain obligations mean for energy utilities?

§ 30 Para. 2 No. 4 BSIG-neu requires energy utilities to secure their supply chain. This affects providers of network management technology (e.g. Siemens, ABB, Schneider Electric), SCADA systems, smart meter infrastructure, and remote maintenance service providers. Supply contracts must include security requirements, vulnerability management, and audit rights. The BDEW whitepapers on requirements for secure control and telecommunications systems provide supplementary guidance.

When must energy utilities register with the BSI?

§ 33 BSIG-neu requires registration within three months of determining NIS2 applicability. Network operators and other Essential Entities under Annex I are generally required to register directly upon BSIG-neu entering into force. KRITIS operators must additionally register with the BSI as critical infrastructure operators under § 8a BSIG; this registration follows a separate BSI process.

Are energy utility managing directors personally liable under NIS2?

§ 38 BSIG-neu requires management to approve, supervise, and train on cybersecurity measures. Culpable breach creates personal liability. For network operators, risk is elevated by parallel obligations under EnWG and BSIG-neu; overlaps between the Bundesnetzagentur IT Security Catalogue and NIS2 should be coordinated in an integrated compliance management system.

Industry-specific Self-Check

Is my energy utility affected by NIS2?

Electricity, gas, district heating, oil - NIS2 falls under Annex I. KRITIS thresholds differ per sub-sector - this calculator checks all.

Step 1 / 2

Supply type and operating structure

NIS2 Annex I No. 1 covers energy suppliers and network operators. Check what applies to your operation.

Supply of electricity, gas, district heating or oil to end customersHouseholds, commercial, industrial - direct sales/distribution operationsOperation of transmission or distribution networksElectricity grid, gas network, district heating pipes, oil pipelines - incl. SCADA/control roomOwn generation or importPower plants, gas storage, combined heat and power, refineriesSupply to more than 10,000 connection pointsIndicator of supra-regional supply relevance

Step 2 / 2

Company size and sub-sector metrics

Energy Supplier: The Complete NIS2 Guide

Energy suppliers - electricity, gas, district heating, oil - are classified as Essential Entities under NIS2 Annex I No. 1 (Energy) when they exceed the KRITIS thresholds of BSI-KritisV. Below these thresholds, energy suppliers fall under Annex II. Regulatory density is especially high in this sector: NIS2, the EnWG, and the BSI IT Security Catalog all overlap. This guide is written for compliance managers, IT directors, and managing directors at energy supply companies.

Who is affected?

Electricity grid operators, gas grid operators, power producers, and energy traders fall under NIS2 Annex I No. 1 (Energy) when they reach the KRITIS thresholds of BSI-KritisV: for electricity, approximately 420,000 residents in the supply area or 36 MW rated power.

Below these thresholds - or without grid operations - energy suppliers fall under NIS2 Annex II No. 1 and are Important Entities if they have 50+ employees or EUR 10+ million in revenue.

A regional municipal utility with 150 employees, an electricity grid, and district heating for a city of 80,000 residents is an Essential Entity under NIS2 Annex I.

Obligations under § 30 BSIG-new

§ 30 BSIG-new requires seven obligation categories that are especially relevant for energy suppliers with their combination of IT and operational technology (OT):

Risk analysis and management: SCADA systems, grid control technology (EMS/DMS), remote control technology, smart meter infrastructure, and commercial IT must be assessed holistically.
Incident handling: Grid failures caused by cyberattacks are high-priority incidents. Coordination with the Federal Network Agency, BSI, and if necessary the BKA must be prepared.
Business continuity: Essential and critical entities must be able to maintain 24/7 emergency operations. Manual grid management procedures for SCADA failure must be tested.
Supply chain security: Suppliers of grid control technology, smart meter systems, remote control technology, and cloud services must be reviewed for security standards.
Access control and MFA: Access to control room systems, remote control technology, and commercial systems must be secured by MFA. Specifically: remote access to substations and grid nodes.
Encryption: Network protocols in OT communications must be secured. Smart meter communication (SMGW) is encrypted per BSI TR-03109.
Training and awareness: Grid management personnel, IT staff, and administrative employees must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

Energy suppliers in the KRITIS sector already had reporting obligations to the BSI under the IT Security Act 1.0. NIS2 tightens these obligations and extends them to more entities.

Fines and personal liability

Essential Entity (Annex I): up to EUR 10 million or 2% of turnover. Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover.

§ 38 BSIG-new: personal liability for management. Added to this are energy law sanctions for grid failures and regulatory risks from the Federal Network Agency.

BSI-KritisV thresholds and EnWG § 11 IT Security Catalog: applying them together

§ 11 Para. 1a EnWG obligates grid operators to implement "appropriate organizational and technical measures" for IT security. The BSI has issued an IT Security Catalog for the energy sector that references ISO 27001 as its basis.

The overlap with NIS2: the IT Security Catalog covers many technical and organizational measures that § 30 BSIG-new also requires. Those who have already implemented the IT Security Catalog fulfill core parts of NIS2.

What NIS2 adds: stricter reporting obligations (24-hour initial report), personal management liability (§ 38 BSIG-new), and extended supply chain obligations (§ 30 Para. 2 No. 4 BSIG-new). Energy suppliers who have implemented the IT Security Catalog should conduct a gap analysis for the specific NIS2 additions.

First steps

Determine your classification: Essential Entity (Annex I, KRITIS threshold) or Important Entity (Annex II)?
Conduct a gap analysis between your existing IT Security Catalog status and NIS2 requirements.
Review all remote access points to grid control technology and substations.
Map all OT systems and their network connections.
Create an incident response plan that includes BSI, Federal Network Agency, and CERT coordination.
Review all supplier contracts for grid control technology and OT systems for security clauses.
Register with the BSI.

Common pitfalls

OT systems managed separately from IT security management: The IT Security Catalog and NIS2 require an integrated ISMS encompassing both OT and IT.

Smart meter infrastructure not assessed: The Smart Meter Gateway (SMGW) and its associated communications infrastructure are NIS2-relevant systems.

IT Security Catalog reporting obligations not equivalent to NIS2 reporting: The NIS2 reporting chain (24h/72h/30d) is stricter than previous obligations under IT Security Act 1.0.

Supplier requirements not extended to OT manufacturers: Grid control technology manufacturers and SCADA providers are critical suppliers under § 30 Para. 2 No. 4 BSIG-new.

Use the industry-specific NIS2 calculator for energy suppliers to clarify your classification.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my energy utility affected by NIS2?

Energy Supplier: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

BSI-KritisV thresholds and EnWG § 11 IT Security Catalog: applying them together

First steps

Common pitfalls

Frequently asked questions

01When is an energy utility subject to NIS2?

02What is the difference between NIS2 and KRITIS for energy utilities?

03What OT/SCADA protection obligations apply to energy utilities under NIS2?

04What fines do energy utilities face for NIS2 violations?

05What do NIS2 supply-chain obligations mean for energy utilities?

06When must energy utilities register with the BSI?

07Are energy utility managing directors personally liable under NIS2?