19 Apr 2024

NIS2 Directive: A game-changer in Nordic energy cyber defense

By Frank U. Eriksen

Associate Partner, NIS2 Lead, Cybersecurity, EY Norway

Cyber specialist and technology nerd with a keen interest in cycling and football. Likes taking long bike rides and spending time with friends and family. Enjoys fine wines and food.

Local contact

EY Sweden, Cybersecurity Partner

Unai is focused on cyber risk management and strategy, helping clients improve their cybersecurity posture.

Related topics Cybersecurity

The EU's NIS2 Directive marks a leap in cybersecurity, offering decision makers vital tools for defense.

In brief: 
  • The NIS2 Directive is set to redefine the EU's cybersecurity with stricter measures, broader sector coverage and significant penalties for non-compliance.
  • Preparation for the NIS2 Directive demands strategic planning, collaboration, a proactive approach to risk management and a commitment to cybersecurity.
  • The directive's emphasis on unified cybersecurity illustrates the importance of strong digital protection for business stability.

As we move through the digital era, cyber threats are becoming pressing issues. Businesses that serve as the pillars of Europe's critical energy infrastructure are particularly at risk. These threats aren't hypothetical: a successful cyber attack could cause far-reaching disruptions that ripple through our daily lives. To counter this, the EU has stepped in with a solution: the second Network and Information Security Directive (NIS2).

NIS2 isn't just another rule book. It is an opportunity to transform your approach to cybersecurity from a simple compliance task into a value-adding business practice. Used effectively, NIS2 does more than secure your operations: it ensures your organization is ready and versatile enough to adapt to the constantly evolving landscape of cyber threats.

Before going further, it is essential to understand the wider picture. This spans everything from the geopolitical climate affecting cybersecurity to the risks of postponing implementation of the NIS2 Directive. Keep in mind that such delays can result in wide-scale disruptions and significant reputational damage.

Contextualising NIS2: energy, interdependence and geopolitical climate

Europe faces the intertwined challenges of managing rising energy demand, especially in harsh winters, and protecting its large energy infrastructure from increasing cyber threats. A single failure in the interconnected network can disrupt essential services, making cybersecurity vital for public safety and societal stability. Amid geopolitical uncertainty, the risk of a ripple effect destabilizing Europe's energy balance is a real concern. The NIS2 Directive aims to strengthen security measures and broaden their scope to address these issues, reflecting the evolving nature of cyber threats.

The cost of delay: risks beyond the energy sector

Delaying the implementation of the NIS2 Directive can have severe consequences, undermining national security and affecting key sectors such as health care, banking, finance and transport. Failing to implement the directive leaves gaps that can lead to disruptions, the collapse of vital services and significant interruptions to supply chains.

Such disruptions are not confined to the energy sector; they have far-reaching effects on others. In health care, power interruptions can cause life-saving equipment to fail. In finance, a loss of power can cause transaction failures and market disruptions. In transport, power outages can disrupt logistics, affecting national economies and everyday life. Beyond these considerations, non-compliance can lead to substantial financial penalties.

Future-proofing energy companies through balanced risk management

To navigate future challenges successfully, companies first need to acknowledge some hard facts and accept them as the fundamental rules of the game:

  • Risk changes dynamically, so continuous risk assessment and risk monitoring are paramount in the energy generation and distribution sectors. This approach allows organizations to adapt to a shifting risk landscape and implement effective strategies.
  • Compliance is important, but in the face of rapidly changing cyber risks it can offer a false sense of security. Energy companies must go beyond ticking boxes on checklists and ensure their compliance efforts actively contribute to strengthening their overall operational resilience.
  • Unwanted events are not a question of if, but when. While preventive measures reduce the likelihood of incidents, energy companies must balance these efforts with robust, proactive detection and response capabilities. This approach bolsters organizational resilience against power outages, grid failures and cyber attacks.
  • Just like societies, companies are made up of individuals, and the human element often plays a crucial role in handling emergencies. Regular training and exposure to simulated emergency scenarios equip leadership teams and staff to make informed decisions during real crises.

Implementing NIS2 requires key strategies for organizational change

Navigating the complexity of operations and cybersecurity under the NIS2 Directive requires organizations to adopt a strategic approach. This includes recognizing the directive's requirements, understanding their societal impact, identifying critical assets, integrating IT and OT security, planning continuously, understanding their role in the energy ecosystem and treating NIS2 as more than a compliance exercise.

  1. Identify and prioritize your core business and assets
    Energy companies, including power producers, transmission system operators (TSOs) and distribution system operators (DSOs), must identify the key assets needed to maintain energy generation, transformation and transmission. Defining their minimum viable company (MVC) and implementing this strategy requires a detailed analysis of operational maturity, resilience and the company's essential role in society. This approach lets energy companies align their activities more strategically with societal needs and obligations, strengthening their commitment to reliable and sustainable energy and ultimately benefiting the community at large.

  2. Blending IT and OT for robust cyber resilience
    The intersection of information technology (IT) and operational technology (OT) requires strategic action from energy companies to tackle its unique cybersecurity challenges and build holistic resilience. This is increasingly important as digital transformation brings these systems closer together, creating a situation where a security breach in one can cause widespread disruption and affect entire regions. Understanding the dependencies between IT and OT, implementing robust protection measures and remaining adaptable in the face of rapid technological change are all vital steps. These strategies not only help maintain continuous service and protect our digital society, but also build a foundation of resilience that prepares companies for future cybersecurity challenges.

  3. “The plan is nothing, planning is everything”
    Paraphrasing Dwight D. Eisenhower's remark that plans are worthless but planning is everything: for energy companies such as power producers, TSOs and DSOs, the value lies in the planning process. It is not just about having procedures, but about anticipating sector-specific challenges. This means moving beyond theoretical plans to practical simulations and drills that test strategies against real-world crises. Such preparation builds organizational readiness and resilience and helps management and employees handle emergencies effectively. It also demonstrates the company's dedication to reliability and safety, which are essential for the stability of society.

  4. Remember, you are a critical part of the energy ecosystem
    Understanding the value chain is critical for energy companies, as it affects their efficiency, profitability and the broader stability of the energy market. The energy sector is a complex system of interdependent suppliers, distributors and consumers, where a disruption at one point can cause widespread issues. Managing these interconnections requires both technology and human expertise: energy companies must combine the two to gain insight into the risks arising from third-party relationships and to mitigate the increased exposure to cyber attacks. This resilience safeguards not only the company's own assets but also the integrity of the whole energy ecosystem.

  5. Driving resilience beyond compliance in the energy sector
    Being a resilient organization demands more than compliance with standards and regulatory frameworks. Given the rapidly evolving environment of the energy sector, these norms sometimes cannot keep up. Compliance is one part, but understanding and applying leading practices in the context of one's own organization is critical. Compliance alone can create a false sense of security; true resilience requires more than a checkmark or the avoidance of a fine. Each organization must use its own knowledge and competence to implement best practices within its unique operational setting. This goes beyond financial considerations, as it affects the organization's capacity to deliver energy services consistently and can significantly affect the company's reputation among the public and within the industry.

The journey from cybersecurity to cyber safety

The NIS2 Directive, with its focus on harmonizing cybersecurity measures, promises to redefine the security landscape of the digitally driven EU economy. It is an enterprise-wide transformation exercise, not merely a compliance requirement. Organizations vital to society must understand this and invest in aligning their broader business goals with the requirements of NIS2.

The NIS2 Directive focuses on resilience, reflecting organizations' critical societal roles. Implementing NIS2 requires extensive strategic planning, collaboration and a commitment to cybersecurity across value chains. The EY organization believes that focusing on the transformational aspects of NIS2 is key to succeeding, both with compliance and with improved resilience. From our experience assisting companies across the globe with process improvements and transformations, whether driven by regulatory requirements or otherwise, we observe that companies that embrace such change from the top and across the business succeed in the required change journey. To be ready for NIS2 and for the threats of tomorrow, you need to understand what your key assets are and what the key risks to your operations and business strategy are. On that basis, strengthen your company's preparedness through strategic planning and training, and combine this with a documented understanding of how your business will recover from an attack. That will be your strongest defense.

Download PDF here - EY’s view of NIS2 in the energy sector


In this era of rapid digitalization, the EU's NIS2 Directive addresses the pressing need for robust cybersecurity measures to protect energy infrastructure in the face of growing demand. Ensuring energy resilience benefits multiple sectors and safeguards society at large. Complying with NIS2 calls for strategic planning and adaptive risk management, going beyond a compliance checklist to a transformational approach. Overall, preparation, collaboration and continuous training in cybersecurity will not only satisfy the regulation but ultimately protect businesses from future threats, reflecting their vital role in society.
