Cybersecurity for energy suppliers

Why digital resilience is becoming a management task

Cybersecurity for Energy Suppliers: A Management Task
29.01.2026
Utilities
Security

In our blog series, we shed light on how new EU regulations are fundamentally changing security and resilience for energy suppliers. Part 1 classifies the strategic implications, parts 2 and 3 delve deeper into operational and organizational fields of action.

Why Cybersecurity Is Now Strategically Relevant for Energy Suppliers

Cybersecurity for energy suppliers is evolving from a specialized technical discipline to a central management task. Energy supply is highly digitized today: Grid control, market communication, forecasting, billing, and generation are based on complex IT and OT systems that are closely networked with each other and with external partners.

 

This digitalization increases efficiency and flexibility, but also increases dependence on digital technologies and specialist suppliers. Cyberattacks, system disruptions, or supply chain weaknesses can therefore directly affect the security of supply, profitability, and public perception.

 

Against this backdrop, cybersecurity is no longer an isolated IT issue. It touches on matters central to corporate management, risk management, and the resilience of critical infrastructure.

Cybersecurity & Resilience for Energy Suppliers 2025-2030: Classification of the Blog Series

This post is the strategic prelude to a three-part blog series on cybersecurity and resilience for energy suppliers in the period 2025-2030.

  • Part 1 organizes the new EU regulatory framework and explains why cybersecurity becomes a management task.

  • Part 2 highlights the operational duties and practical challenges, especially in procurement, operations, and incident response.

  • Part 3 focuses on governance, liability, organization, and culture, as well as the sustainable integration of regulatory requirements into existing control models.

EU Cyber Regulation for Energy Suppliers: NIS-2, Cyber Resilience Act and Cyber Solidarity Act

With the NIS-2 directive, the Cyber Resilience Act, and the Cyber Solidarity Act, the European Union is establishing a regulatory framework that transforms cybersecurity across Europe from a partly voluntary best practice into a binding, verifiable, and sanctionable corporate obligation.

 

The sets of rules address different levels:

  • NIS-2 strengthens organizational, operational, and governance-related requirements for operators.

  • The Cyber Resilience Act addresses products and supply chains and requires manufacturers to ensure end-to-end security of digital components throughout their lifecycle.

  • The Cyber Solidarity Act aims at better preparation and coordination for large-scale cyber crises at the European level.

In combination, these regulations clearly shift the responsibility for digital security to the company management.

From IT Security to Corporate Governance: Cybersecurity as a Governance Issue

Traditionally, cybersecurity has been seen primarily as a technical task for IT. This understanding will fall short in the future. The new regulatory requirements make it clear: cybersecurity is not a project, but a permanent management and control task.


Responsibility shifts:

  • from operational IT units to corporate management,

  • from reactive individual measures to systematic risk management,

  • from technical controls to clear governance structures.

Cybersecurity is thus becoming an integral part of corporate management, compliance, risk assessment, and strategic planning.

Why Energy Suppliers Are Particularly Affected as Critical Infrastructure

Energy suppliers play a special role. As operators of critical infrastructure, they bear a special responsibility for the security of supply and social stability. Disruptions not only affect internal operations but also potentially affect entire regions and economies.

In addition, there are industry-specific challenges:

  • long life cycles of OT systems,

  • historically grown and heterogeneous system landscapes,

  • high dependency on specialized technology providers,

  • increased regulatory and political attention.

These factors make it clear why energy suppliers are the focus of European cyber regulation.

How EU Cybersecurity Regulation for Energy Suppliers Could Develop Further

The current regulatory framework is not static. Evaluations are planned at the EU level to review the effectiveness and enforcement of existing requirements. Experts are discussing how regulations could be further harmonized and specified. A tendency is discernible toward:

  • harmonization of requirements in the EU for a common standard,

  • more precise technical and organizational specifications,

  • closer interlocking of adjacent regimes.

This assessment is based on the publicly known state of discussion and is not to be understood as a binding forecast (not verified). What matters for companies, however, is that regulatory requirements are more likely to increase than decrease.

What Energy Suppliers Should Strategically Prepare Now

Regardless of concrete implementation details, the key directions can already be set today:

  • Anchoring of cybersecurity and resilience at the management level

  • Development of a common target picture for security and availability

  • Clarification of responsibilities and decision paths

  • Clear definition of roles and responsibilities

  • Preparation of the organization for upcoming operational requirements

This strategic preparatory work makes the subsequent implementation of specific obligations much easier.

Outlook: Operational Cybersecurity Obligations for Energy Suppliers (Part 2)

The following post in the blog series will focus on the operational level: What specific obligations arise from NIS-2 and the Cyber Resilience Act? What does this mean for procurement, supply chains, operations, and incident response? And where are the most significant practical challenges for energy suppliers?


Written by

Stefan Wieberneit
Expert in sustainability & energy management

Stefan Wieberneit is Head of Business Development Utility at Arvato Systems. With over 20 years of experience in the energy and utilities industry, he designs digital innovations for the sector. He brings with him in-depth expertise in IT product development, smart metering, and ESG management.
