Security in the energy sector
Historically, the energy sector has always placed a strong emphasis on security, especially given the critical nature of its infrastructure. However, the focus has evolved from primarily physical security to incorporating increasingly sophisticated cybersecurity measures as the sector has become more digitized.
In the early days of energy production, particularly in the era of oil, gas, and coal, the primary security concerns revolved around physical protection of infrastructure. This included securing power plants, pipelines, electric grids, and storage facilities from natural disasters, accidents, or sabotage.
The development of Supervisory Control and Data Acquisition (SCADA) systems in the 1970s and 1980s marked a major turning point in energy sector security. SCADA systems allowed remote monitoring and control of energy production and distribution, dramatically improving efficiency and reliability. However, with the introduction of SCADA came new vulnerabilities. While initially isolated, these systems became increasingly connected to corporate networks and the internet over time, exposing them to cyber risks.
By the late 1990s, the energy sector began facing cyber threats as operational technology (OT) and information technology (IT) became more integrated. The rise of the internet and networked systems made energy infrastructure a target for hackers and nation-state actors.
With the rise of smart grids, IoT devices, and increased digitalization in energy operations, the sector began to face more sophisticated cyber threats, including nation-state actors and cybercriminals targeting energy infrastructure.
As the world becomes more interconnected, the energy sector must protect itself against a wide range of threats, from cyberattacks to climate change impacts on physical infrastructure.
The energy sector’s approach to security has evolved significantly from a focus on physical protection to a comprehensive strategy that addresses both physical and cyber threats. The integration of technology and the growing complexity of the global energy grid have made cybersecurity a top priority, with stringent regulations and frameworks like NIS2 guiding the way forward.
EU’s framework on security
As cybersecurity becomes more complex, cooperation within the EU is even more critical to ensure uniform preparedness in systems, organizations, and processes. The energy sector is subject to heightened scrutiny because any disruption could have far-reaching societal and economic consequences.
In recent years, the EU has introduced several directives, acts, and regulations aimed at preparing Europe for the digital age. While the General Data Protection Regulation (GDPR) is widely known, there are around 15 additional regulations expected in the coming years, ranging from sector-specific (e.g., DORA) to more general frameworks (e.g., the AI Act).
The Cybersecurity Act (CSA), implemented in 2019, is designed to strengthen cybersecurity across the EU. The CSA introduces a certification framework, mostly voluntary, for various digital products and services. It also enhances the role of ENISA, the EU Agency for Cybersecurity, which supports member states and is responsible for incident response coordination.
NIS2 differs from the CSA in its focus. While the CSA primarily deals with certification, NIS2 is aimed at improving cybersecurity across essential and important sectors in the EU. NIS2 applies to a broad range of public and private entities providing critical services, such as those in energy, transport, healthcare, finance, water, and public administration, as well as digital service providers. It introduces specific risk management and incident reporting requirements and imposes stricter penalties for non-compliance. Its main focus is securing the networks and information systems that underpin critical industries and services.
Supervisory authorities have significant powers under NIS2 to enforce compliance, including the ability to impose substantial fines on companies that fail to meet the required standards. These fines can be up to €10 million or 2% of global turnover, whichever is higher.
The NIS2 Directive is set to be implemented into national laws across EU countries by October 2024.
NIS2 implementation in the Nordics
As part of its obligations under the European Economic Area (EEA) agreement, Norway is required to adopt the NIS2 Directive. In December 2023, the Digital Security Act was passed by the Norwegian Parliament and subsequently sanctioned by the King in Council. This legislation, along with accompanying regulations, will incorporate the EU’s original NIS Directive (2016) into Norwegian law, with an expected enforcement date in 2024. Concurrently, Norway is conducting an assessment of the NIS2 and CER Directives, with the goal of updating national regulations to align with NIS2 as soon as possible.
In Sweden, the NIS2 Directive is being implemented through a new Cybersecurity Act, which will replace the existing Information Security Act (2018:1174). This new legislation is scheduled to take effect on January 1, 2025, following the release of a final report, expected in September 2024.
Denmark is currently in the process of implementing the NIS2 Directive, but it is expected to miss the October 2024 deadline. The delay is due to the complexity of the legislative work, which has pushed the implementation phase into the next parliamentary session in October 2024. Full adoption of NIS2 in Danish law is now projected for early 2025.
In Finland, NIS2 will be transposed into national law by the Cybersecurity Act, “Kyberturvallisuuslaki”, which carries the directive’s EU minimum cybersecurity requirements into Finnish law. On May 23, the Finnish Government submitted the draft law to the parliament. As in other EU member states, it is expected to come into force in October 2024.
Conclusion
For the energy sector, compliance with NIS2 is not just about meeting regulatory requirements; it’s about protecting critical infrastructure from the growing threat of cyberattacks. Supply chain security, incident response, governance, and business continuity are the key areas where the energy sector must strengthen its operations. Given the high stakes, the energy sector needs to adopt a proactive approach to cybersecurity, ensuring it is well prepared for both regulatory scrutiny and the evolving threat landscape.