The cybersecurity landscape has changed dramatically in the eight years since the Network and Information Systems Directive (NIS) came into force in 2016. Cyber risks have grown, and both access to and the protection of critical data and system operations are increasingly targeted by new, adapting, and emerging threats.
NIS2 is the EU’s response to this growing area of risk. It was published in December 2022 and EU member states have until 17 October 2024 to transpose it into their national legislation. So what are the key changes under NIS2 and how can businesses best prepare for compliance?
At our monthly ‘Unlocking the energy transition’ event, we were delighted to be joined by Sanjay Chauhan, Head of OT Security at RWE Renewables UK and Patrick Wreglesworth, Head of Security at Northern Gas Networks, to discuss the new directive and its implications for businesses in the energy sector.
Broader scope
NIS2 focuses on the same objectives as NIS, but it has stricter requirements for risk management and incident reporting, wider coverage of sectors, and more hard-hitting penalties for non-compliance.
Among the main changes is an expansion in the scope of organisations covered by the new directive. NIS covered ‘essential’ entities in specific sectors and digital service providers. NIS2 removes the separate category of digital service providers and adds a new category – ‘important’ entities in specific industries – which almost doubles the number of organisations in scope. The distinction between essential and important is automatically determined according to the size and nature of the entity in question.
Defining ‘state of the art’
NIS2 requires organisations to implement ‘state of the art’ security measures to protect networks, OT, and IT systems. This means entities must implement the latest and most effective cybersecurity measures and techniques available at the time. It is left to organisations themselves, however, to define what ‘state of the art’ actually means for any given context and risk.
As Patrick Wreglesworth, Head of Security at Northern Gas Networks, advised, “Organisations should spend some time looking at the systems they have, where they are in terms of their risk profile, and how the business is likely to change, and use those insights to define what ‘state of the art’ should look like.”
This point was picked up by Sanjay Chauhan, Head of OT Security at RWE Renewables UK, who highlighted the need to standardise systems across an organisation before you can define what ‘state of the art’ might be.
“A lot of organisations will have different legacy systems, maybe due to historic mergers and acquisitions. This could pose challenges in terms of standardising systems to enable them to comply with NIS2,” said Sanjay.
Start preparing now
Organisations shouldn’t let uncertainty over the definition of ‘state of the art’ hold up their compliance activities, however. It is more advisable for in-scope entities to start making progress at a level they feel comfortable with, in terms of compliance and strengthening cyber security, than to risk delay by worrying about whether their approach is perfect. Organisations shouldn’t underestimate what this will involve, either. Complying with NIS2 is much more than a problem for the technology team to deal with.
“There is no simple resolution; compliance is not achieved by deploying technology alone. NIS is much bigger than a cybersecurity piece of legislation; it’s about resilience. Start by surveying what you've got, identifying risks and prioritising the areas you need to address as a priority,” said Patrick.
Supply chain implications
Another crucial change under NIS2 is that organisations will be responsible for addressing cybersecurity risks in their supply chains. This could mean that in-scope entities like energy companies may push certain requirements down the supply chain. So, even if a supplier is itself not in scope, it could still be affected by NIS2.