01
OT/IT convergence under NIS2
Operational technology was traditionally air-gapped. NIS2 brings it under the same risk-management regime as IT.
IMPACTCyber-physical incidents trigger 24h reporting.
SECTOR PRACTICE · ENERGY & UTILITIES
EU compliance for energy & utilities
NIS2 essential entity compliance for electricity, gas, oil, and renewables
REGULATIONS.STACK · ENERGY● 09
NIS2Essential entity for energy
CERCritical Entities Resilience
NCCSNetwork Code on Cybersecurity
GDPRSmart meter and customer data
REMITWholesale energy markets
AI ACTGrid optimisation and forecasting AI
EEDEnergy Efficiency Directive
RED IIIRenewable Energy Directive III
EU ETSEmissions Trading System
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHO WE SERVE
Six energy profiles, one compliance map.
From transmission system operators to retail suppliers and renewables developers. The regulatory load tracks the position in the value chain.
TSO / DSO
Transmission and distribution operators
NIS2 essential entity, network code cybersecurity, smart meter data.
NIS2NCCSGDPR
GENERATION
Generation and renewables
REMIT reporting, ETS allowances, RED III sustainability criteria.
REMITEU ETSRED III
SUPPLY
Energy suppliers and retailers
Customer data, billing, vulnerable consumers, switching obligations.
GDPREEDREMIT
TRADING
Energy traders and brokers
REMIT transaction reporting, MAR for derivatives, market abuse.
REMITMAREMIR
OIL & GAS
Oil and gas operators
CER critical entity, methane emissions, supply-chain due diligence.
CERNIS2CSDDD
SMART GRID
Smart grid and energy tech
AI for grid forecasting, IoT for substations, customer-facing apps.
AI ACTGDPRNIS2
§ 02 / LANDSCAPE
The energy-sector regulatory clock.
Multiple regimes interlock. We sequence them around your operating cadence.
LIVENIS2
IN FORCE
Energy as essential entity
Risk management, 24h/72h reporting, supply-chain assurance, board accountability for energy companies.
LIVEREMIT
IN FORCE
Wholesale energy markets
Inside information disclosure, transaction reporting to ACER, market manipulation prohibition.
LIVERED III
IN FORCE
Renewable Energy Directive III
42.5% renewable target by 2030, sustainability criteria, guarantees of origin.
LIVECER
IN FORCE
Critical Entities Resilience
Identification of critical entities, risk assessments, incident notification, background checks.
NEXTNCCS
2026
Network Code on Cybersecurity
Sector-specific cybersecurity for electricity. Risk assessment, common minimum requirements.
CRITICALAI ACT
AUG 2026
AI in critical infrastructure
Grid optimisation AI as high-risk under Annex III. Conformity, human oversight, monitoring.
NEXTCSDDD
2027
Corporate Sustainability Due Diligence
Supply-chain due diligence for energy companies above thresholds. Phased application.
PLANNEDEU ETS
ROLLING
Emissions Trading System II
Extension to road transport and buildings from 2027. Updated MRV requirements for installations.
§ 03 / WHAT TO SOLVE
Where energy companies get stuck.
02
Smart meter data under GDPR
High-frequency consumption data is personal data. Article 6 lawful basis plus Article 9 if special-category inference.
IMPACTDPA enforcement actions across multiple Member States.
03
REMIT inside information disclosure
Unplanned outages, asset availability, capacity changes all qualify. Disclosure timing windows are tight.
IMPACTSix-figure REMIT fines for late or selective disclosure.
04
Renewables sustainability criteria
RED III requires demonstration of sustainability across the supply chain. Documentation burden is high.
IMPACTLoss of GO certificates affects revenue.
05
CER and NIS2 dual scope
Critical Entities Resilience Directive layers on top of NIS2. Some risk assessments duplicate, others diverge.
IMPACTTwo parallel programmes if not designed together.
06
AI Act for grid forecasting
ML models optimising grid balancing fall under Annex III high-risk AI for critical infrastructure.
IMPACTConformity assessment and post-market monitoring required.
§ 04 / OFFERING
Our services for energy
EX-01
NIS2 readiness for energy
Entity classification, ISMS aligned with ISO 27001, supply-chain due diligence, incident reporting playbook.
DGap reportDISMSDIncident SOP
EX-02
OT/IT cybersecurity programme
IEC 62443 framework, network segmentation, asset inventory for OT, vulnerability management.
DIEC 62443DSegmentationDInventory
EX-03
REMIT compliance programme
Inside information register, transaction reporting to ACER, market abuse surveillance, training.
DII registerDACER reportingDSurveillance
EX-04
Smart meter GDPR programme
Lawful basis mapping, privacy by design for AMI, customer transparency, data minimisation.
DLB mappingDAMI PIADNotices
EX-05
CER critical entities support
Risk assessment, background checks, incident notification, business continuity planning.
DRisk registerDBCPDNotifications
EX-06
Renewables sustainability
RED III compliance, GO procedures, sustainability documentation across the value chain.
DGO proceduresDSustainabilityDDocumentation
EX-07
AI Act for grid AI
Annex III classification, technical file, human oversight, post-market monitoring.
DClassificationDAnnex IVDPMM
EX-08
Incident response 24/7
Energy-specific runbook, CERT coordination, ACER notification, regulator liaison.
DRunbookDCERTDNotifications
EX-09
Outsourced energy compliance officer
Senior advisor with energy-sector experience, board reporting, programme stewardship.
DRetainerDBoard memosDCalendar
§ 05 / SELECTED WORK
All case studies →Energy engagements.
CASE 01Regional DSO
NIS2 programme live, OT/IT integration complete, first audit cleared.
47
SITES
11K+
ASSETS
Passed
AUDIT
SCOPENIS2 · IEC 62443 · ISMS · Incident SOP
CASE 02Wholesale trader
REMIT programme rebuilt after ACER review, transaction reporting accuracy at 99.7%.
99.7%
REPORTING
Cleared
REVIEW
100% staff
TRAINING
SCOPEREMIT · MAR · ACER liaison · Surveillance
CASE 03Renewables developer
RED III compliance across 12 wind and solar projects. GO certificates issued.
12
PROJECTS
Yes
GO ISSUED
Protected
REVENUE
SCOPERED III · GO procedures · Sustainability · Audit
§ 06 / FREE TOOL
Map your energy stack to the EU rulebook.
Eight questions about your value-chain position, asset base and data flows. Get an indicative obligations map across NIS2, CER, REMIT, RED III and AI Act.
Run obligations mapper~ 4 MINMAPPER.PREVIEWSTEP 4 / 8
Are you classified as a critical or essential entity under CER or NIS2?
Yes, critical entity under CERA
Yes, essential entity under NIS2B
Important entity under NIS2C
Not classified yetD
INDICATIVE → NIS2 ART. 21 + CER ART. 6
§ 07 / FAQ
Frequently Asked Questions
01Are we NIS2 essential or important?+
Energy sector entities providing electricity, gas, oil, district heating or hydrogen are generally essential under NIS2 Annex I. Specific tests apply for transmission, distribution and generation operators. We confirm classification as the first step.
02How does NIS2 interact with CER?+
CER focuses on physical resilience; NIS2 on cybersecurity. Both can apply to the same entity. We design one integrated risk-assessment that satisfies both directives.
03Do we need IEC 62443 for OT cybersecurity?+
Not mandatory, but it is the most widely adopted framework for OT in energy. The NIS2 implementing acts reference it, and most supervisors expect it as the technical baseline for industrial control systems.
04What is the Network Code on Cybersecurity?+
Sector-specific cybersecurity rules for the electricity sector. Risk assessments, common minimum information-security requirements, and a coordinated incident response framework. Application from 2026.
05Are smart meters GDPR-sensitive?+
Yes. High-frequency consumption data reveals household patterns and can constitute special-category data through inference. DPIAs are typically required for AMI rollouts.
06Do we need a sector-specific DPO?+
Energy companies at scale generally need a DPO. We provide a senior DPO with energy-sector experience under retainer, named to your national authority.
§ 08 / RELATED
Related practices.
NIS2 Compliance
Scoping, ISMS, supply-chain and incident reporting for essential entities.
Open practice →Cybersecurity
ISMS, ISO 27001, IEC 62443 and OT security programmes.
Open practice →Vendor Risk
Supply-chain due diligence and ICT third-party risk.
Open practice →09 / GET STARTED
NIS2 compliance for your energy infrastructure
Typical outcomes: essential entity status confirmed, NIS2 roadmap, minimum controls in 90 days.