We are not a KRITIS operator. Are we affected by NIS-2?

Most likely yes, if you have at least 250 employees or 50 million euros revenue and operate in the energy subgroups (electricity, district heating, oil, gas, hydrogen). NIS-2 is not built on KRITIS thresholds but on company size and sector membership. The legally binding evaluation remains a matter for counsel. We provide the expert classification in the risk check.

What is the difference between NIS-2 and KRITIS regulation for us?

NIS-2 is sector-broad (different energy subgroups), KRITIS is plant-oriented (e.g. supply assets above certain thresholds). KRITIS operators are usually also NIS-2-affected. NIS-2-affected entities are not automatically KRITIS. The obligations overlap but differ in detail. The Cybervize platform maps both control sets together.

Do we have specific obligations for smart-meter gateways?

Yes, smart-meter gateways are additionally subject to the BSI TR-03109 protection profile and §52 of the German metering law. That is a separate regulatory layer alongside NIS-2 and KRITIS. In the NIS-2 context, smart-meter infrastructure is part of the risk analysis and needs documented crypto concepts.

Which reporting paths are relevant for us?

On a cybersecurity incident: 24-hour initial report to the BSI, 72-hour follow-up, one-month final report. KRITIS operators additionally have obligations under §8b of the German IT security law. For energy-specific incidents, obligations towards the Bundesnetzagentur add up. Multi-track reporting needs a system that serves all paths in parallel.

How long does NIS-2 and KRITIS preparation take?

For providers with generation and network infrastructure, typically 12 to 16 weeks for audit-ready NIS-2 readiness, depending on OT complexity and KRITIS status. Multi-asset operators need 20 to 26 weeks. The exact cost estimate comes from the risk check.

NIS-2 for energy providers

Energy is Annex I. Essential entity. Highest obligations.

Annex I of the German NIS-2 implementation act covers energy (electricity, district heating, oil, gas, hydrogen) as an essential entity. From 250 employees or 50 million euros revenue, the obligations apply. For KRITIS operators, the German threshold regulation and BSIG obligations add up. The Cybervize platform covers ISMS, OT assessment and KRITIS reporting in one solution.

Book the NIS-2 risk check

Cybervize Platform maturity report per ISO 27001 as evidence of cross-industry consulting expertise

What NIS-2 means in practice for energy providers

Electricity, gas, heat and hydrogen utilities generally fall under NIS-2 Annex I as „essential entity"; additionally, the KRITIS regulation typically applies once asset-related thresholds are exceeded. Four consequences of this classification for a typical energy provider. Sector alone is not enough: KRITIS status and NIS-2 classification additionally depend on size thresholds and concrete supply scope. The legally binding evaluation remains a matter for counsel.

01 · Scope

Essential entity with proactive supervision

Annex I means the highest sanction tier, active BSI supervision and faster intervention rights. On findings, the BSI does not just send a notice; it arrives on site.

02 · Scope

KRITIS regulation as a second layer

Whoever exceeds KRITIS thresholds (e.g. 500,000 supplied persons for electricity) becomes additionally a KRITIS operator. Obligations overlap but are not identical. NIS-2 is broader in sector scope, KRITIS is deeper on plant requirements.

03 · Scope

Extended BSI reporting obligations

For essential entities, some reaction deadlines tighten and the content of reports is more regulated. Initial report 24 hours, follow-up 72 hours, final report within one month, plus potential customer notification obligations.

04 · Scope

OT focus: control rooms, SCADA, smart grid

Operational technology is the dominant attack surface in the energy sector. Control rooms, SCADA connections, smart-meter-gateway infrastructure and maintenance access need segmented architecture and continuous monitoring.

Five NIS-2 minimum measures with energy examples

Five of the ten minimum measures per §30, translated into energy practice.

Risk analysis and information system security

OT and IT risks assessed jointly, covering smart grid connections, control rooms and generation assets. Smart metering and market communication form their own risk landscape.

Cryptography and encryption

BSI-compliant crypto concepts for smart-meter gateways, control communication and remote-maintenance tunnels. Key management central and audit-ready.

Security in procurement and maintenance

Supplier audits for SCADA vendors and maintenance service providers. Remote-maintenance access documented, patch management for controllers aligned with maintenance windows.

Multi-factor authentication and access control

MFA for control-room access, privileged accounts separated, role model for OT distinct from office IT RBAC. Emergency access documented.

Business continuity and crisis management

BCM plans for generation outages, grid restoration exercises, black-start capability. Plus crisis communication to regulators and end customers.

Cybervize building blocks for energy providers

The Cybervize platform covers ISMS, BCM, Assessment and supplier risk in one solution. For energy providers, KRITIS reporting and OT modules are additionally relevant.

Service 01

NIS-2 risk check

Free 30-minute initial call with an indicative NIS-2 classification, top-5 gaps and a path recommendation.

Learn more Service 02

Cybervize platform

ISMS, compliance and evidence from a single platform. Multi-entity, multi-country, AI-supported.

Learn more Service 03

Virtual CISO

Platform plus permanent CISO function. For organisations without an in-house CISO.

Learn more Service 04

NIS-2 onboarding project

Gap assessment, roadmap, implementation via the platform. Fixed price from 4,500 euros.

Learn more

Self-check available

NIS-2 maturity check: 30 questions, 10 §30 BSIG measures, instant traffic light

Free, no signup, around 5 minutes. Detailed evaluation by email if desired.

Start the check

Why Cybervize fits the energy sector

Industry experience in energy and KRITIS from 25 years of ISMS practice at PwC, Deloitte and KPMG. ISO 27001 Lead Auditor since 2006, BSI IT-Grundschutz auditor. Methodology built for audit-ready evidence towards the BSI.

KRITIS: BSIG and KRITIS regulation coverage
OT: SCADA, control-room, smart-grid experience
2006: ISO 27001 Lead Auditor since
24/72h: BSI reporting paths documented

Frequently asked questions from the energy sector

Classify your NIS-2 and KRITIS position in 30 minutes

Free risk check with indicative NIS-2 classification, KRITIS threshold indicator, top-5 gaps and path recommendation. Ideally with CISO or IT security leadership plus management board present.

Book the NIS-2 risk check

Memberships, programmes and partnerships

Content last reviewed: May 18, 2026

Energy is Annex I. Essential entity. Highest obligations.

Book the NIS-2 risk check

What NIS-2 means in practice for energy providers

Energy is Annex I. Essential entity. Highest obligations.

What NIS-2 means in practice for energy providers