EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
The EU NIS2 Directive has the potential to deliver transformative benefits for energy sector organisations.
In brief
- Any disruption to Europe’s highly interconnected energy system could cause massive disruptions across business and society.
- The NIS2 Directive introduces enhanced cybersecurity requirements, new reporting obligations and heavy fines for non-compliance.
- Energy organisations need to take a strategic approach to the implementation of NIS2 that goes beyond mere compliance.
The EU Network and Information Security Directive (NIS2) is aimed at improving cybersecurity and protecting critical infrastructure across Europe. It will have far reaching implications for energy sector organisations as well as businesses in the broader energy ecosystem.
Europe faces the twin challenges of meeting rising energy demands at the same time as protecting its energy infrastructure from increasing cyber threats. A single failure in the interconnected European network can have knock-on impacts across the whole system and disrupt a wide range of essential services, making robust cybersecurity vital for public safety and societal stability. Amid geopolitical uncertainty, the risk of a cyberattack destabilising Europe's energy system is a real concern.
Disruptions to the energy system have far-reaching effects for other sectors. In healthcare, for example, power cuts can cause life-saving equipment to fail. In finance, a loss of power may cause transaction failures and market disruptions. In the transport sector, power outages can disrupt logistics and cause the growing EV fleet to grind to a halt with negative impacts on national economies and everyday life.
The NIS2 Directive aims to address these issues by enhancing security requirements and crisis management capabilities as well as by imposing additional reporting obligations. The directive, with its focus on harmonising cybersecurity measures, promises to redefine the security landscape of the EU. It is an enterprise-wide transformation exercise, not merely a compliance requirement, and organisations within its scope must understand and invest in aligning their broader business goals with its requirements.
Failure to comply with the new directive can result in severe penalties for essential entities like energy companies of fines of at least €10 million or 2% of global revenue, whichever is higher.
The directive shouldn’t be viewed as another compliance exercise, however. It should be seen as an opportunity to transform an organisation’s approach to cybersecurity to turn it into a value-adding business practice. If used effectively, NIS2 does more than just secure operations - it ensures an organisation has the ability to adapt to the constantly evolving cyber threat landscape.
Preparing for compliance
In preparing for NIS2, organisations need to accept the realities of cyber risk and bolster their defences in a number of ways:
- Risk changes dynamically and continuous risk assessments and risk monitoring are critically important for the energy generation and distribution sectors.
- Compliance is important but can offer a false sense of security in the face of rapidly changing cyber risks. Energy companies need to ensure their compliance efforts actively contribute to strengthening the overall resilience of their operations.
- Unwanted events are likely to happen despite preventative measures. Energy companies need to ensure that those measures are complemented by robust, proactive detection and response capabilities. This will bolster resilience in the face of power outages, grid failures and cyberattacks.
- People play a crucial role in dealing with emergencies. Regular training and participation in simulated emergencies could equip leadership teams and staff to make informed decisions when crises do arise.
A robust and resilient energy sector is critically important, not just for economic development but for a functioning society as well. Adherence to the very highest standards in the areas of cybersecurity and compliance with the NIS2 Directive are vital in this regard.
Sean Casey
EY UK&I Energy & Infrastructure Consulting Leader
Implementing NIS2 requires key strategies for organisational change
Navigating the complexity of operations and cybersecurity under the NIS2 Directive requires organisations to adopt a strategic approach encompassing the following elements:
Identify and prioritise your core business and assets
Energy companies, including power producers, transmission system operators (TSOs) and distribution system operators (DSOs), need to identify their key assets to maintain efficient energy generation, transmission and distribution.
Address the interconnection of IT and OT
The critical intersection of information technology (IT) and operational technology (OT) requires strategic action from energy companies to tackle unique cybersecurity challenges and build resilience. This is increasingly important as digital transformation brings these systems closer together, creating a situation where a security breach can cause widespread disruption and impact entire regions. Implementing robust protection measures and remaining adaptable in the face of rapid technological evolution are vital steps and will help build a foundation of resilience that prepares organisations for future cybersecurity challenges.
Plan for success
The planning process is critically important. It is not just about having procedures but anticipating sector-specific challenges. This involves moving beyond theoretical plans to practical simulations and drills that test strategies for real-world crises. This preparation builds organisational readiness and resilience and helps management and employees to effectively handle emergencies.
It is vitally important to have the right team in place to prepare for NIS2. Organisations need to ensure that they have the right mix of people from diverse backgrounds with a wide range of experience across both sector and cybersecurity to have the capacity and capability to respond to new challenges as they arise.
Megan Conway
EY Ireland Technology Consulting Partner
Understand external risks
The energy sector is a complex system of interdependent suppliers, distributors and consumers, where disruptions can cause widespread issues. Managing these interconnections requires the use of advanced technology and human expertise. Energy companies must gain insights into potential risks from third-party relationships and put in place measures to mitigate the increased risk of cyberattacks.
Move beyond compliance
Compliance alone is not enough, and true resilience requires more than just a tick box exercise. Energy sector organisations must use their own knowledge and expertise to implement best cybersecurity practices within their own unique operational setting.
Moving from cybersecurity to cyber safety
The NIS2 Directive focuses on resilience, reflecting organisations’ critical societal roles. Implementing the directive requires extensive strategic planning, collaboration and a commitment to cybersecurity across value chains. Focusing on the transformational aspects of NIS2 is key to success, both in terms of compliance and improved resilience. To prepare for NIS2 compliance and to deal with the threats of tomorrow, organisations need to understand what their key assets are, what the key risks to their operations and business strategy are and use that knowledge to strengthen their preparedness and overall resilience.
NIS2 is far more than just another regulatory compliance exercise. It will be transformational for the organisations within its scope and must be treated as such. That means viewing it from a ‘whole of organisation’ perspective and not merely through a cybersecurity lens. That will be key to success now and in the future.
Tom Slattery
EY Ireland Technology Consulting Partner
Summary
The EU NIS2 Directive addresses the pressing need for robust cybersecurity measures to protect energy services and infrastructure from cyberattack. This will help to build energy system resilience and benefit multiple sectors while safeguarding society at large. Implementing NIS2 requires strategic planning by energy sector organisations and goes beyond mere compliance. Preparation, continuous risk monitoring, and ongoing training in cybersecurity will not only help organisations meet the new requirements of NIS2 but will also protect them from future threats and support them in performing their vital role in society.
Related articles
NIS2: How starting your compliance journey now will safeguard your future
New EU cybersecurity directive NIS2 will help strengthen organisational resilience in this digital age.
What strategic actions can organisations take to be NIS2 compliant
Individual accountability under NIS2 will be a gamechanger for how organisations approach cybersecurity. Find out the strategic way forward.