Magazine | Issue 1 2025

RELEVANT ENERGY INDUSTRY LEGISLATION

Cybersecurity requirements play a central role in the energy industry and are regulated by numerous laws around the world. This is a selection of them:

› Energy Industry Act (EnWG) – Germany: This law regulates, among other things, the security requirements for the energy infrastructure. When the NIS2 Implementation Act comes into force, it will be supplemented by equivalent requirements.
› Electricity Supply Act and Ordinance – Switzerland: The ICT minimum standard defines binding measures for grid operators, energy producers, and service providers.
› NIS Implementation Act – Austria: The current NIS Act of 2018 will be replaced by an NIS2 version, which is currently under development.
› Critical Infrastructure Cybersecurity Act – USA: This law was designed to protect critical infrastructures, including the energy industry.
› Critical Entities Resilience (CER) – EU: This regulation obliges companies to take physical protection measures to secure critical infrastructures.
› Cyber Resilience Act (CRA) – EU: This law imposes security requirements on digital products and their manufacturers in order to minimize cyber threats to product users.

security requirements into national law by October 2024 – a target that 23 of the EU's 27 member states have failed to meet. This is a remarkable lapse, especially since cybersecurity issues are nothing new. The 2016 NIS Directive already required member states to improve the protection of their critical systems. NIS2 only reinforced these requirements and extended them to more sectors of the economy, including the food industry and public transport.

The vast number of planned or implemented regulations underscores that cybersecurity in the energy industry is no longer an option but an obligation. Which specific companies are affected is defined by the regulations of the respective member states. For example, NIS2 addresses all entities that provide essential or important services to the European economy or society. However, in many countries, the implementing regulations still need to be developed.

The NIS2 directive's content

The NIS2 Directive outlines mandatory minimum cybersecurity measures that companies must implement. These include:

› Reporting and managing security incidents: Companies must report incidents to the appropriate authorities within a short period of time.
› Risk management: Companies are obligated to identify and assess security risks.
› Vulnerability management: Companies must identify and remediate vulnerabilities in their IT and OT systems.

Many of these measures are based on recognized standards such as ISO 27001, BSI IT-Grundschutz, or the NIST Cybersecurity Framework. The penalties for non-compliance are severe, making compliance a business-critical task.

Implications for businesses: Economic and security implications

Even without new legislation, investing in cybersecurity has always been advisable from a business perspective. However, the return on such investments has often been difficult to measure, as prevented disruptions or avoided reputational damage to a business are difficult to quantify.