Implementation
February 03, 2026 6 min read

NIS2 in the Energy Sector: Obligations for Portuguese Energy Companies

The energy sector is among the most critical — and most rigorously regulated — under the NIS2 Directive. Energy infrastructure is a prime target for cyberattacks because disruption carries immediate, wide-ranging consequences for society, public safety, and national security. For Portuguese energy companies, NIS2 introduces comprehensive cybersecurity obligations that go significantly beyond previous requirements.

NIS2 in the Energy Sector: Obligations for Portuguese Energy Companies

Table of Content

Which Energy Organizations Are Covered?

NIS2's Annex I designates the energy sector as essential, meaning that medium and large entities are automatically classified as either Essential or Important Entities. The covered subsectors in energy are extensive:

Electricity

  • Electricity undertakings (suppliers, traders)
  • Electricity Distribution System Operators (DSOs)
  • Electricity Transmission System Operators (TSOs)
  • Electricity producers
  • Nominated electricity market operators
  • Operators of recharging points (EV charging infrastructure)
  • District heating and cooling systems

Oil

  • Operators of oil transmission pipelines
  • Operators of oil production, refining, processing, storage and transportation facilities
  • Central storage facilities (oil stocking entities)

Gas (Natural Gas & LNG)

  • Supply undertakings
  • Distribution system operators
  • Transmission system operators
  • Storage system operators
  • LNG system operators
  • Natural gas undertakings
  • Operators of natural gas refining and treatment facilities

Hydrogen

  • Operators of hydrogen production, storage, and transmission

For small entities in energy, NIS2 applies only where the organization has been formally identified as a critical infrastructure operator by Portuguese authorities. However, the rapid expansion of renewable energy, distributed generation, and EV charging means more organizations than ever are receiving such designations.

Entity Classification in Energy: Essential vs. Important

The classification for energy entities depends on size:

Size Classification Size
Large (≥250 FTE or >€50M turnover + >€43M balance) Essential Entity Large (≥250 FTE or >€50M turnover + >€43M balance)
Medium (≥50 FTE or >€10M turnover/balance) Important Entity Medium (≥50 FTE or >€10M turnover/balance)
Small (if identified as critical) Essential Entity (by identification) Small (if identified as critical)

In practice, the most significant energy infrastructure operators — REN (transmission grid), EDP Distribuição, Galp, and other major players — will be Essential Entities subject to the highest level of obligations and proactive supervision.

The Regulatory Landscape: CNCS + ERSE

In Portugal, energy sector organizations face layered regulatory requirements for cybersecurity:

Energy companies must coordinate their compliance activities across both CNCS and ERSE requirements. Where sector-specific regulations impose stricter requirements than NIS2, those stricter requirements prevail.

Key NIS2 Obligations for Energy Companies

1

Operational Technology (OT) and IT Security

Energy infrastructure is distinguished by its heavy reliance on Operational Technology (OT) — the industrial control systems (ICS), SCADA systems, and distributed control systems (DCS) that manage physical energy infrastructure. NIS2 applies to both IT and OT environments.

This is critical: many energy organizations have historically treated OT security as a separate domain, often with lower maturity than IT security. NIS2 requires a unified approach:

  • Risk assessments must cover OT systems (SCADA, ICS, smart meters, grid management systems)
  • Security measures must be applied to OT networks
  • Incident reporting obligations apply to OT incidents (e.g., manipulation of grid systems)
  • Network segmentation between IT and OT environments is strongly recommended

Recommended standard: IEC 62443 (Security for Industrial Automation and Control Systems) is the primary OT security framework referenced alongside ISO 27001 for energy sector NIS2 compliance.

2

Physical-Cyber Security Integration

Energy attacks are rarely purely digital — they often involve physical access to facilities, tampering with equipment, or combined physical-cyber attacks. NIS2 requires organizations to consider cybersecurity in the context of physical security measures for critical infrastructure sites.

3

Resilience and Redundancy

Given the critical nature of energy supply, NIS2 expects energy operators to maintain high standards of resilience:

  • N-1 redundancy for critical systems
  • Tested business continuity and disaster recovery plans covering cyberattack scenarios
  • Emergency procedures that can function even when digital management systems are compromised

4

Supply Chain Security in Energy

The energy sector's supply chain is highly complex and increasingly global, encompassing:

  • Smart meter manufacturers
  • SCADA system vendors
  • Industrial hardware suppliers (switchgear, transformers)
  • Cloud and IT service providers
  • Telecommunications providers supporting grid communications

All significant suppliers must be assessed under NIS2's supply chain security requirements. The EU's approach to supply chain risk in critical infrastructure includes guidance on high-risk suppliers, particularly for telecommunications and 5G infrastructure that increasingly underpins energy grid communications.

5

Incident Reporting

Energy-sector incidents that meet the "significant" threshold must be reported within NIS2's standard timelines (24-hour early warning, 72-hour notification, 1-month final report). Given the potential for energy incidents to escalate rapidly and affect large populations, early warning is especially critical.

Trigger examples for energy sector reporting:

  • Unauthorized access to SCADA systems or grid management platforms
  • Ransomware affecting operational systems or corporate IT with potential OT impact
  • Disruption to electricity supply caused by a cyber incident
  • Successful phishing attack against personnel with OT system access
  • Compromise of a supply chain partner with access to energy management systems

Practical Compliance Roadmap for Energy Companies

  • Phase 1 – Assessment (Months 1-2)
    • Use our free tool to confirm scope and classification
    • Inventory all IT and OT systems in scope
    • Identify gaps against NIS2 Article 21 requirements
    • Assess supply chain risks for critical vendors
  • Phase 2 – Foundational Controls (Months 2-6)
    • Implement or formalize risk assessment processes covering OT
    • Deploy network segmentation between IT and OT
    • Establish incident detection capabilities across both environments
    • Develop or update incident response plan with energy-specific scenarios
    • Register with CNCS and establish reporting procedures
  • Phase 3 – Advanced Controls (Months 6-12)
    • Conduct OT-specific penetration testing
    • Implement supply chain security program
    • Complete management training and board-level NIS2 engagement
    • Conduct full incident response drill including regulatory reporting simulation
  • Phase 4 – Continuous Improvement (Ongoing)
    • Annual risk assessments
    • Regular supplier reassessments
    • Ongoing employee training
    • Monitor regulatory guidance updates from CNCS and ERSE

Conclusion

For Portuguese energy companies, NIS2 compliance is not optional, and the consequences of non-compliance — financial penalties, operational sanctions, and reputational damage — are significant. More importantly, the cybersecurity measures NIS2 requires are genuinely necessary to protect infrastructure that millions of people depend on every day.

Note:

This article is for informational purposes only and does not constitute legal advice.

Not Sure If NIS2 Applies to Your Organization?

Take our free 5-minute assessment to determine your NIS2 classification and get personalized recommendations for compliance.

Start Free Assessment