Article   November 09 2023

The Energy sector - what’s new with NIS2?

With a wider coverage of sectors, stricter requirements for risk management and incident reporting and more hard-hitting penalties for non-compliance, the new NIS2 directive is the most comprehensive European cybersecurity directive yet. The energy sector has already been a subject for NIS1, but here’s what companies within the energy sector needs to look out for with the new NIS2 directive.

Information security

Electricity, oil, gas, district heating, water supply and hydrogen. Due to its critical infrastructure status, the energy sector is highly relevant to the NIS2 Directive, as it provides essential services to the public and is a prime target for cyberattacks.  

Even though the energy sector is facing several critical technical challenges, like supply chain risks, aging technology and vulnerabilities in their industrial control systems (ICS), the protection against the attack types typically targeting the energy sector can not only rely on technical solutions. A highly interconnected industry like the energy sector also needs to make sure that the employees operating the systems are aware of the cybersecurity risks.  

The most specific NIS2 implications for the Energy sector include security of energy systems and the overall impact to the energy market along with compliance and enforcement to NIS2 and data protection and privacy with consumers having the right to be informed of any incidents and to request the deletion of their personal data. 

 Awareness training – one of 10 key cyber hygiene measures 

The NIS2 directive requires that the energy sector and other essential and important entities implement 10 baseline security measures to address specific forms of likely cyberthreats.  

- Risk assessments and security policies for information systems 

- Policies and procedures for evaluating the effectiveness of security measures. 

- Policies and procedures for the use of cryptography  

- A plan for handling security incidents 

- Security around the procurement of systems and the development and operation of systems.  

- Security procedures for employees with access to sensitive or important data,  

- A plan for managing business operations during and after a security incident. 

- The use of multi-factor authentication 

- Security around supply chains and the relationship between the company and direct supplier.  

- Cybersecurity training and a practice for basic computer hygiene. 


Cybersecurity training is not only ‘on the list’. It’s a well-known fact that awareness training is an essential part in creating the organisational security culture needed for organisations to be compliant with many of the other security measures mandated by NIS2. Without awareness training all year round, many of the operational procedures will eventually fail – due to human errors.  

Our new updated 2024 editions of Information Security Awareness training is targeting all employees, managers, executives and boards and is one part of being NIS2 compliant.  

Or why not kickstart with our NIS2 Introdution course? This will give your management a better understanding of what your organisation need to be NIS2 compliant.  

Article   November 09 2023