23 April 2026


The impact of the NIS2 directive on the energy sector: operator obligations and risks to critical infrastructure.

Bartosz Pyrczak

Head of Growth



Cyber threats in Poland are intensifying. The energy sector, which includes traditional power plants, transmission grids, and constantly developing renewable energy sources (RES), has repeatedly been the target of sophisticated attacks. A new EU regulation that covers, among other sectors, energy – the NIS2 directive – was created in response to this problem. What actions should be taken to protect against cyber threats in accordance with the regulation?

Who is subject to the NIS2 directive?

The energy sector in the context of the NIS2 directive has been significantly expanded and precisely defined in Polish law. Although many companies confirm their preparedness against cyberattacks, the number of such attacks in Poland in 2024 reached as many as 110,000. This record-breaking number further illustrates the scale of the challenge we are facing.

The group covered by the regulations includes, among others, enterprises from sectors such as: energy, transport, health, water management, digital infrastructure, public administration, banking, and the production of selected products – including medical devices and electronic components. These entities must meet specific criteria, e.g., regarding the number of employees or annual turnover. This means that the obligations resulting from NIS2 will apply to both operators of critical infrastructure and many private companies that have not been subject to such regulations until now.

In the case of electricity, the regulations cover, among others:

  • Enterprises involved in the generation, transmission, distribution, storage, and sale of energy.
  • Transmission and distribution system operators.
  • Energy producers and designated market operators.
  • Companies providing services such as aggregation, demand response, management of charging points, or energy mobility.

These entities must meet cybersecurity requirements, regardless of whether they operate as system operators, service providers, or participants in the energy market.

NIS2 – Obligation to register entities for verification

One of the most significant changes introduced by the NIS2 directive is the expanded scope of entities covered. Unlike the previous model, in which state authorities designated operators of essential services, the new system is based on self-identification and self-reporting by enterprises. Enterprises operating in the energy sector are required to independently assess their activities against the criteria defined in the NIS2 directive. The new regulations also impose an obligation to report both actual incidents and potential threats, which requires the implementation of advanced mechanisms for monitoring, analysis, and incident response.

A number of new rules require companies to, among other things:

  • Implement advanced SIEM/SOC systems.
  • Integrate IT, OT, and IoT environment monitoring.
  • Automate incident detection and reporting processes.
  • Regularly conduct cyber risk analyses.

This is a major challenge for a company that must operate continuously while undergoing wide-ranging changes. For this reason, the share of enterprises that entrusted digital security to external providers reached as high as 84% in 2024.

Main cyber threats in the energy and RES sector

Cyberattacks occur at every turn, but what threats does the energy and RES sector actually face? Due to its critical importance to national security, energy infrastructure is becoming the target of increasingly sophisticated attacks.

Ransomware and DDoS attacks – a growing threat to supply continuity

Cybercriminals exploit the complexity of modern energy systems by simultaneously attacking IT systems responsible for management and OT systems controlling physical infrastructure.

  • DDoS (Distributed Denial of Service): This is a type of attack launched from many locations simultaneously against computer systems or network services. Device owners may be completely unaware that their network-connected devices are being used by attackers in this way.
  • Ransomware and DDoS attacks are currently among the most common forms of threats. They result in the locking of control systems, data loss, or even the suspension of energy supplies.
  • Increasingly, there are also supply chain attacks that allow for the takeover of infrastructure through vulnerabilities in the systems of partners and suppliers.

Characteristics of ransomware attacks in the energy sector:

  • Double extortion – data encryption combined with the threat of publication.
  • Targeted attacks – precisely planned attacks on specific organizations.
  • Supply chain compromise – infiltration through software or service providers.
  • Living off the land – using legitimate system tools to mask malicious activity.

Threats specific to the RES sector

In Poland, in the second half of 2024, a 37% increase in ransomware-type threats was recorded compared to the first half of the year. Remote control of photovoltaic inverters represents one of the most serious new cyber threats to the stability of the energy system. The high risk associated with the possibility of remote shutdown of PV inverters by entities outside the EU can lead to:

  • Sudden power losses in the system – simultaneous shutdown of thousands of PV installations.
  • Destabilization of the transmission grid – difficulties in maintaining system balance.
  • Domino effect – cascading failures throughout the energy system.
  • Coordinated attacks – exploitation of vulnerabilities during peak demand.

Examples of cyberattacks

On the day of the Russian invasion of Ukraine, February 24, 2022, a massive cyberattack was launched against the KA-SAT satellite communication network, managed by Viasat Inc. The attackers exploited a vulnerability resulting from a misconfiguration of a virtual private network (VPN), which gave them access to a trusted segment of the network management infrastructure. They took control of thousands of satellite modems that provided internet connectivity, including for critical infrastructure installations. Using a DoS (Denial of Service) method, they partially reflashed the device firmware, rendering the modems inoperable.

Although the main target of the attack was Ukraine, the effects also reached neighboring countries, including Poland. One of the most noticeable effects was the failure of approximately 5,800 wind turbines belonging to the company Enercon in Germany. While these turbines still produced energy, they lost the remote access necessary for their monitoring, maintenance, and software updates.

In 2022, the Municipal Heating Company (PEC) in Elbląg fell victim to a cyberattack, resulting in malicious software infiltrating the company’s IT network. Although the incident did not directly disrupt heat supplies, the attackers’ goal was to take over some of the PEC clients’ data. This attack fits into the growing trend aimed at local critical infrastructure units, which often have limited resources in terms of cybersecurity.

There is an increasing number of similar large-scale events, and the events of April of this year highlighted the importance of system stability. Spain and Portugal experienced a total blackout – elevators, traffic lights, and even public transport stopped working. Such incidents show that the stability of energy systems requires not only advanced technologies but also appropriate risk management and incident response procedures. For Poland, which is dynamically developing its RES sector, the blackout on the Iberian Peninsula serves as an important warning. The growing number of photovoltaic installations and other renewable sources requires simultaneous investment in grid infrastructure as well as in systems ensuring energy stability and security.


Recommendations for the energy and RES sector

Effective protection of energy infrastructure against cyber threats requires a comprehensive approach that combines advanced technological solutions with appropriate organizational processes. The following recommendations have been developed based on industry best practices and the specifics of the NIS2 directive requirements. Key recommendations for companies in the industry include:

  • Remote access restrictions: Restrictions on remote access to critical devices, particularly PV inverters and components originating from outside the EU, should be implemented. Limiting unauthorized control significantly reduces the risk of sabotage or disruption to the energy system.
  • Strengthening SOC structures: Security Operations Centers (SOC) should monitor not only the IT environment but also OT (Operational Technology) systems and IoT devices. An integrated approach enables faster detection and reaction to incidents.
  • Regular audits and security tests: Systematic risk assessment, penetration tests, and security audits allow for the ongoing identification of vulnerabilities and the minimization of potential attack consequences.
  • Education and building awareness: Cybersecurity starts with people. Training for employees and management increases the organization’s resilience to phishing, human error, and social engineering manipulations. It is also worth including partners and suppliers in this process.
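The first two recommendations (restricting remote access to PV inverters and extending SOC monitoring to OT) can be turned into a concrete detection rule. The following script is an added example, not code from the article or from Tenesys: it reads constructed network-flow log lines and flags any connection to an inverter management interface that does not come from the approved jump host or does not use an approved management protocol. The asset inventory, the jump-host address, the approved ports and the log lines are all assumptions made up for the example.

```python
"""Remote-access policy check for an OT/PV inverter management segment.

Added example (not from the original article). Flags network flows to
inverter management hosts that bypass the approved jump host or use a
protocol outside the approved set. All addresses, hosts and log lines
below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed OT inventory (assumption): PV inverter management interfaces.
OT_ASSETS = {
    "10.20.1.11": "pv-inverter-01",
    "10.20.1.12": "pv-inverter-02",
    "10.20.1.20": "plant-controller",
}

# Policy (assumption): only the SOC-managed jump host may reach OT assets,
# and only over the vendor-approved management protocols.
APPROVED_SOURCES = {"10.0.5.5"}   # jump host
APPROVED_PORTS = {22, 502}        # SSH, Modbus/TCP


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Flow:
    """Parse a constructed 'timestamp src dst dport' flow record."""
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))


def evaluate(flow: Flow) -> List[str]:
    """Return the policy violations for one flow; an empty list means compliant."""
    findings: List[str] = []
    if flow.dst not in OT_ASSETS:
        return findings  # not an OT asset, out of scope for this rule
    if flow.src not in APPROVED_SOURCES:
        findings.append(f"source {flow.src} is not the approved jump host")
    if flow.dport not in APPROVED_PORTS:
        findings.append(f"port {flow.dport} is not an approved OT management port")
    return findings


def check_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Run the rule over flow records; return (timestamp, asset, findings) per alert."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_line(line)
        findings = evaluate(flow)
        if findings:
            alerts.append((flow.ts, OT_ASSETS[flow.dst], findings))
    return alerts


# Constructed sample flows (assumption): one compliant session, one from an
# external address, one on a non-approved port, one to a non-OT host.
SAMPLE_LOG = """
# ts src dst dport
2026-04-23T02:14:05Z 10.0.5.5 10.20.1.11 22
2026-04-23T02:15:40Z 203.0.113.44 10.20.1.11 22
2026-04-23T02:16:02Z 10.0.5.5 10.20.1.12 8443
2026-04-23T02:17:10Z 10.0.5.5 10.30.2.9 443
"""

if __name__ == "__main__":
    for ts, asset, findings in check_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {asset}: " + "; ".join(findings))
```

Run as-is, the script reports two alerts: the inverter session from the external address 203.0.113.44 and the session to pv-inverter-02 on port 8443. In a real SOC the same rule would be fed from firewall or NetFlow exports rather than a string, and an alert on a PV inverter would be routed to the OT on-call rather than to a generic IT queue.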

Violation of the NIS2 directive regulations can result in severe financial penalties, which are intended to mobilize enterprises to prioritize cybersecurity issues. Cybersecurity in the energy and renewable energy sector is now more important than ever. The approaching NIS2 directive introduces new protection standards, which is a signal for the entire industry to verify and strengthen its defenses. If you are looking for support in adapting your organization to the requirements of NIS2, check the Tenesys offer.

Author

Bartosz Pyrczak

Head of Growth

Head of Growth at Tenesys. Connects people, builds relationships, and ensures the company grows in the right direction. Convinced that in IT sales, the one who listens better than they speak wins. Privately a traveler and cyclist.
