NIS2 and the Cyber Resilience Act in the Everyday Life of Energy Supply Companies
Operational obligations for energy suppliers
Cyber Security & Resilience for Energy Suppliers 2025 to 2030 - Part 2
The first part of this blog series explained why cybersecurity is becoming a strategic management task for energy suppliers. The new EU regime fundamentally changes the framework conditions and shifts responsibility, control, and governance. This second part goes one step further. It examines the operational implications of NIS2 and the Cyber Resilience Act for energy suppliers and outlines the specific obligations in procurement, operations, supply chain, and incident response.
Supply Chain Security and Product Responsibility in the Context of CRA and RED
The requirements of the Cyber Resilience Act (CRA) directly affect energy suppliers. From December 11, 2027, only products with digital elements that comply with the CRA requirements may be placed on the EU market. Although energy suppliers are not usually manufacturers themselves, they are responsible for the secure selection, integration, and operation of these products. This applies to grid control technology and smart meter gateways as well as to IT and OT systems.
The CRA requires comprehensive supply chain transparency. Energy suppliers must ensure, through supplier evaluations and contract terms, that manufacturers meet the security requirements, provide updates, and submit the necessary documentation. In addition, new cybersecurity requirements for specific radio equipment apply from August 1, 2025, under the RED Delegated Regulation. Since that date, devices that do not meet the RED requirements may no longer be placed on the market.
Central measures for energy suppliers
Create transparency around the products used and verify CRA compliance at an early stage.
Require security documentation and a software bill of materials (SBOM) from manufacturers.
Establish supplier evaluations and contractually bind suppliers to security standards.
Adapt the procurement guidelines so that CRA and RED compliance become binding criteria.
Train teams so that procurement and technology can implement the new requirements securely.
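The first two measures above ("create transparency around the products used" and "require an SBOM from manufacturers") only help if someone actually checks what the manufacturer delivers. The following Python script is an added example, not code from the original post or from any named vendor: it reviews a constructed CycloneDX-style SBOM for the minimum a procurement reviewer needs, namely that every component names its supplier, version and package URL, and that the document carries a reasonably recent timestamp. The vendor and component names in the sample are hypothetical.

```python
"""Minimum-transparency review of a manufacturer-supplied SBOM.

Every component must name its supplier, its version and a package URL,
and the SBOM itself must be dated and not older than a review window.
The SBOM below is constructed for this example (CycloneDX-style JSON);
it is not a real product inventory.
"""
import json
from datetime import datetime, timezone

# Constructed sample SBOM with hypothetical vendor and component names.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-06-01T10:00:00Z",
        "component": {"name": "example-rtu-firmware", "version": "4.2.0"},
    },
    "components": [
        {"name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.13"},
        {"name": "modbus-stack", "version": "",            # version left empty
         "supplier": {"name": "Example Vendor GmbH"}},     # no purl
        {"name": "bootloader-blob"},                       # no supplier at all
    ],
})

# Date on which the review is assumed to take place (hypothetical).
REVIEW_DATE = datetime(2025, 7, 1, tzinfo=timezone.utc)


def component_gaps(component: dict) -> list:
    """Return the names of the required fields that a component lacks."""
    gaps = []
    if not component.get("supplier", {}).get("name"):
        gaps.append("supplier")
    if not component.get("version"):
        gaps.append("version")
    if not component.get("purl"):
        gaps.append("purl")
    return gaps


def review_sbom(sbom_json: str, as_of: datetime, max_age_days: int = 365) -> dict:
    """Summarise whether an SBOM meets the minimum transparency bar.

    Returns the per-component gaps, whether the timestamp is missing or
    older than max_age_days relative to as_of, and an overall verdict.
    """
    sbom = json.loads(sbom_json)
    findings = {}
    for comp in sbom.get("components", []):
        gaps = component_gaps(comp)
        if gaps:
            findings[comp.get("name", "<unnamed>")] = gaps

    ts = sbom.get("metadata", {}).get("timestamp")
    stale = True
    if ts:
        issued = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        stale = (as_of - issued).days > max_age_days

    return {
        "component_gaps": findings,
        "timestamp_missing_or_stale": stale,
        "acceptable": not findings and not stale,
    }


if __name__ == "__main__":
    print(json.dumps(review_sbom(SAMPLE_SBOM, REVIEW_DATE), indent=2))
```

In practice the gap list becomes the feedback sent back to the manufacturer before acceptance; a component without a supplier or version cannot be matched against vulnerability advisories later, so it fails the "transparency" criterion regardless of how the product itself performs.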
Incident Detection and Reporting Obligations in the Interaction of NIS2 and the Cyber Resilience Act
With NIS2, the requirements for detecting and reporting security incidents increase significantly for energy suppliers. For significant security incidents, they must submit an early warning within 24 hours, a more detailed incident notification within 72 hours, and a final report (or a progress report) after one month at the latest. At the same time, from September 2026 the CRA obliges manufacturers to report actively exploited vulnerabilities and severe security incidents. Energy suppliers should feed this manufacturer information directly into their own processes.
Central measures for energy suppliers
Develop an integrated incident response concept that combines CRA manufacturer notifications with the NIS2 reporting obligations.
Establish continuous security monitoring, for example through SOC structures or SIEM solutions.
Define clear reporting chains and responsibilities, and ensure that those responsible are reachable.
Establish contacts with the authorities in advance so that reporting channels and contact persons are known in an emergency.
Conduct regular exercises to test processes and deadlines realistically.
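The deadlines named above (24 hours, 72 hours, one month) are what the exercises in the last measure have to test. The Python script below is an added example, not part of the original post: it derives the three NIS2 reporting deadlines from the moment the entity became aware of the incident and classifies each stage of a constructed incident record as on time, late, overdue or still pending. The incident times are hypothetical; "one month" is computed as one calendar month with the day clamped (January 31 becomes February 28).

```python
"""Deadline tracking for the three NIS2 reporting stages.

Stages and deadlines, counted from the moment of becoming aware of a
significant incident: early warning (24 h), incident notification
(72 h), final or progress report (one month). The incident record
below is constructed for this example.
"""
import calendar
from datetime import datetime, timedelta, timezone


def add_one_month(t: datetime) -> datetime:
    """Advance t by one calendar month, clamping the day of month."""
    year = t.year + 1 if t.month == 12 else t.year
    month = 1 if t.month == 12 else t.month + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def nis2_deadlines(aware_at: datetime) -> dict:
    """Deadline for each reporting stage, relative to the awareness time."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def report_status(aware_at: datetime, submitted: dict, now: datetime) -> dict:
    """Classify each stage as on_time, late, overdue or pending.

    submitted maps stage name to the submission time, or None if the
    report has not been sent yet; now is the time of the check.
    """
    status = {}
    for stage, deadline in nis2_deadlines(aware_at).items():
        sent = submitted.get(stage)
        if sent is not None:
            status[stage] = "on_time" if sent <= deadline else "late"
        else:
            status[stage] = "overdue" if now > deadline else "pending"
    return status


# Constructed incident record (hypothetical times, UTC).
AWARE_AT = datetime(2025, 3, 10, 8, 0, tzinfo=timezone.utc)
SUBMITTED = {
    "early_warning": datetime(2025, 3, 10, 20, 0, tzinfo=timezone.utc),
    "incident_notification": datetime(2025, 3, 13, 9, 0, tzinfo=timezone.utc),
    "final_report": None,
}
NOW = datetime(2025, 3, 20, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for stage, deadline in nis2_deadlines(AWARE_AT).items():
        print(f"{stage:22s} due {deadline.isoformat()}")
    for stage, verdict in report_status(AWARE_AT, SUBMITTED, NOW).items():
        print(f"{stage:22s} {verdict}")
```

In the constructed record the 72-hour notification went out one hour after the deadline, which is exactly the kind of slip a tabletop exercise should surface: the clock starts at awareness, not at the end of the internal analysis.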
Crisis Resilience and European Coordination Under the Cyber Solidarity Act
The Cyber Solidarity Act strengthens European cooperation against large-scale cyber threats. This includes joint preparedness mechanisms and the EU Cybersecurity Reserve, which provides technical support in the event of a crisis. Energy suppliers should set up their emergency organization so that it aligns with national and European structures and cooperation runs smoothly.
Central measures for energy suppliers
Extend emergency and restart plans to include Europe-wide scenarios.
Establish fixed communication structures with the BSI.
Participate in industry-wide exercises and conduct internal stress tests.
Build and train multidisciplinary crisis teams.
Implement technical and organizational resilience measures, such as redundant control centers and offline communication channels.
Outlook for Part 3
The third part of the blog series is dedicated to the organizational and legal dimensions of the new EU requirements. The focus is on governance, liability, insurability, and the necessary cultural change that permanently anchors cyber resilience in the corporate management of energy suppliers.