CAI Technology
Annex I — Essential Entities · Energy

NIS2 for Electricity — deadlines, obligations, fines

Electricity falls under NIS2 (Directive (EU) 2022/2555 + Romanian Emergency Ordinance 155/2024). See the Art. 21 obligations, deadlines, maximum fines and compliance roadmap for Annex I.

Last reviewed: · CAI Technology · Lexnomia + AEGIS team

🎯 Who is covered

The electricity sector (generation, transmission, distribution, supply, storage, market operators, aggregators and demand response, significant recharging points) is listed in Annex I to Directive (EU) 2022/2555 (NIS2) as a sector of high criticality [C2]. In Romania, the NIS2 rules are transposed by OUG 155/2024 (the Romanian Emergency Ordinance transposing NIS2), approved and supplemented by Law 124/2025; DNSC (the Romanian National Cybersecurity Directorate) is the competent national authority, with ANRE (the Romanian Energy Regulatory Authority) cooperating on the sectoral side [C6][C13]. On top of NIS2, electricity operators fall under Regulation (EU) 2024/1366 (Network Code on Cybersecurity – NCCS), which took effect on 13 June 2024 and adds specific technical requirements for cross-border flows [C7][C12]. In practice, for a Romanian TSO or large DSO, compliance means a combined NIS2 + NCCS + Directive 2019/944 + Regulation 2017/1485 (SOGL) + Regulation 2019/941 (risk-preparedness) stack, not one or the other.

Examples in Romania

  • Transelectrica (national TSO)
  • Distributie Energie Electrica Romania (DEER, Electrica group)
  • E-Distributie Banat / Dobrogea / Muntenia (PPC Romania)
  • Delgaz Grid (E.ON Romania group, distribution in the Moldova regions)
  • Distributie Energie Oltenia
  • Hidroelectrica
  • Nuclearelectrica
  • OMV Petrom (electricity / cogeneration component)
  • OPCOM (the designated operator of the Romanian electricity market)
  • CET Bucuresti / ELCEN

Applicability thresholds

In the electricity sub-sector, Annex I of NIS2 covers electricity undertakings (defined under Directive 2019/944 Art. 2), transmission system operators (TSOs), distribution system operators (DSOs), producers, nominated market operators (NEMOs), market participants providing aggregation / demand response / energy storage services, and operators of recharging points with significant impact [C2][C9]. The default NIS2 threshold: medium and large enterprises (>= 50 staff or turnover / balance-sheet total >= EUR 10 million) are in scope as essential entities; entities below the threshold may be notified individually by DNSC if identified as critical [C2][C6]. NCCS adds a further layer: high-impact entity vs. critical-impact entity, identified by the competent authorities under Art. 24 NCCS, on the basis of an EU-wide methodology refreshed every three years [C7][C8].

📅 Regulatory timeline

  1. Adoption of Regulation (EU) 2017/1485 (SOGL) — guideline on the operation of the electricity transmission system [C9]

  2. Entry into force of Regulation (EU) 2017/1485 (SOGL) [C9]

  3. Adoption of Directive (EU) 2019/944 (Internal Market for Electricity, recast) and Regulation (EU) 2019/943 [C9]

  4. Regulation (EU) 2019/941 applies — risk-preparedness in the electricity sector [C9]

  5. National transposition deadline for Directive (EU) 2019/944 [C9]

  6. Adoption of Directive (EU) 2022/2555 (NIS2) [C1]

  7. Publication of NIS2 in the Official Journal of the EU [C1]

  8. Adoption of Regulation (EU) 2024/1366 — Network Code on Cybersecurity (NCCS) for the electricity sector [C7]

  9. Publication of Regulation (EU) 2024/1366 in the OJEU [C7]

  10. NCCS enters into force — sectoral cybersecurity framework for cross-border flows [C7][C12]

  11. EU deadline for transposing NIS2 into national law (NIS2 Art. 41) [C1]

  12. NIS1 (Directive 2016/1148) repealed; NIS2 takes effect [C1]

  13. Cyber Resilience Act (Regulation (EU) 2024/2847) enters into force [C10]

  14. Romania publishes OUG 155/2024 (Romanian Emergency Ordinance transposing NIS2); DNSC designated as competent national authority [C6]

  15. NCCS Art. 18 deadline — EU-wide cybersecurity risk-assessment methodology (ENTSO-E + EU DSO Entity) [C7][C8]

  16. Publication of Law 124/2025 in the Romanian Official Gazette — approval and amendment of OUG 155/2024 [C6]

  17. Entry into force of Law 124/2025 [C6]

  18. CRA — reporting obligations for actively exploited vulnerabilities and severe incidents start to apply [C10]

  19. CRA — main obligations (security-by-design for products with digital elements) start to apply [C10]

📋 Key obligations

ICT and OT risk-management framework for power systems (NIS2 Art. 21(2) + NCCS Art. 18-22)

effort: high

A documented framework covering risk policies, IT/OT segregation, identity management on SCADA and EMS/DMS, cryptographic controls on automation protocols, training and effectiveness assessment. NIS2 Art. 21(2) imposes the ten minimum measures (a-j), all-hazards approach, aligned with European and international standards, including ISO/IEC 27001:2022 and the IEC 62443 (IACS) and IEC 62351 (security for IEC 61850 and IEC 60870-5-101/-104 communications) series [C3][C11]. NCCS adds a sectoral layer: an EU-wide cybersecurity risk-assessment methodology adopted by ENTSO-E and the EU DSO Entity (deadline 13 March 2025), EU-wide assessment every three years, regional mitigation plans (deadline 13 June 2031), minimum and advanced controls differentiated between high-impact and critical-impact entities [C7][C8]. The management body approves and oversees implementation (NIS2 Art. 20); members must undergo training and are personally liable for breaches [C3].

Recommended controls: NIS2 Art. 21(2)(a-j) · NIS2 Art. 20 · Reg. 2024/1366 (NCCS) Art. 18-22, 29 · ISO/IEC 27001:2022 · IEC 62443 (IACS) · IEC 62351 (power-system communications) · IEC 61850 / IEC 60870-5-104

Incident reporting on two parallel tracks (NIS2 Art. 23 + NCCS Art. 27, 39)

effort: high

For a TSO or large DSO subject to both NIS2 and NCCS, the same cyber event can trigger two parallel reporting flows. NIS2 Art. 23 to CSIRT/DNSC: early warning within 24 hours of awareness, incident notification within 72 hours, final report within one month [C4]. NCCS adds a sectoral channel: reporting of incidents with impact on cross-border flows to the competent national authorities and ACER, with regional escalation routes through ENTSO-E and the EU DSO Entity [C7][C8]. Under OUG 155/2024 + Law 124/2025, DNSC is the lead authority in Romania; ANRE cooperates on the sector-specific component [C6][C13]. In practice, the OT control room and the corporate CSIRT share a single runbook that feeds the DNSC form, the NCCS report and the internal notifications to ANRE / Transelectrica (for those connected to transmission) simultaneously.

Recommended controls: NIS2 Art. 23(4) · Reg. 2024/1366 (NCCS) Art. 27, 38, 39 · OUG 155/2024 (DNSC rules) · Reg. 2019/941 (risk-preparedness)

Operational continuity and crisis management for the grid (NIS2 Art. 21(2)(c) + Reg. 2019/941 + Reg. 2017/1485)

effort: high

For a grid operator, business continuity means delivering electricity to end consumers at the set frequency, cross-border exchanges in line with schedules, and 24/7 dispatching. NIS2 Art. 21(2)(c) requires business continuity and crisis management as minimum measures [C3]. Regulation (EU) 2019/941 requires a National Risk-Preparedness Plan in the electricity sector, with national, regional and bilateral measures, applicable from 4 July 2019 [C9]. Regulation (EU) 2017/1485 (SOGL) imposes operational requirements for TSOs/DSOs/SGUs on the security of the interconnected system [C9]. In practice: RTO under 4 hours for critical dispatching functions; offline plans for coordination with neighbouring TSOs on the key 220/400 kV nodes; annual crisis exercises that include combined cyber and physical scenarios (cyber-physical co-attack); immutable offline backups for EMS/DMS/SCADA, and tested black-start procedures.

Recommended controls: NIS2 Art. 21(2)(c) · Reg. 2019/941 (risk-preparedness) · Reg. 2017/1485 (SOGL) · ISO 22301:2019 (business continuity) · ENTSO-E Operation Handbook

ICT and OT supply chain security (NIS2 Art. 21(2)(d) + NCCS supply chain + CRA for OT products)

effort: high

An electricity operator buys more than IT: it buys transformers with digital monitoring, IEDs (Intelligent Electronic Devices), RTUs, SIPROTEC/Multilin protection relays, EMS/DMS/SCADA systems, EV charging stations, smart meters, BESS batteries — all with firmware, software and connectivity. NIS2 Art. 21(2)(d) requires supply-chain security [C3]. NCCS introduces specific supply-chain recommendations for the electricity sector and a list of applicable European/international standards [C7][C8]. The Cyber Resilience Act (Regulation (EU) 2024/2847), in force since 10 December 2024, imposes security-by-design, vulnerability handling and reporting obligations on manufacturers of products with digital elements; the main obligations apply from 11 December 2027, active-vulnerability reporting from 11 September 2026 [C10]. Concretely: contractual clauses (SBOM, patching SLA, audit rights, sub-outsourcing), a technical inventory of OT devices with IPs/firmware, VLAN segregation by device class, behavioural monitoring for anomalies on IEC 60870-5-104 and IEC 61850. The lesson of the 2022 Industroyer2 attack: the attackers prepared the binary with the hardcoded IEC 104 addresses of the target substation — an up-to-date OT inventory and OT threat-hunting detect the preparation before detonation.

Recommended controls: NIS2 Art. 21(2)(d) · Reg. 2024/1366 (NCCS) Annex - supply chain · Reg. 2024/2847 (CRA) · IEC 62443-4-1/-4-2 (secure product development) · ENTSO-E Cybersecurity Working Group recommendations

Advanced testing, ICS pentesting and crisis exercises (NIS2 Art. 21(2)(f) + NCCS Art. 29 advanced controls)

effort: high

NIS2 Art. 21(2)(f) requires policies and procedures to assess the effectiveness of cyber risk-management measures [C3]. NCCS Art. 29 introduces minimum and advanced controls differentiated by criticality; for critical-impact entities, the advanced controls include red teaming, ICS pentesting and regional crisis exercises [C7][C8]. Difference from the financial sector: electricity does not yet have a uniform mandatory TLPT-equivalent framework (DORA remains lex specialis for banking), but sectoral good practices converge on annual OT-perimeter pentesting at a minimum and an annual combined cyber-physical crisis exercise with TSO + DSO + competent authority participation. Scope reaches the critical production functions: SCADA, EMS, DMS, protection systems, charging stations, the communications backbone (radio teleprotection, dedicated fibre). The lessons of 2015 Ukraine (BlackEnergy) and 2022 Industroyer2 show that attackers sit in the IT environment for 3-6 months before pivoting to OT [C-I1][C-I4] — that validates periodic pentesting and continuous threat-hunting on IT with OT-level visibility.

Recommended controls: NIS2 Art. 21(2)(f) · Reg. 2024/1366 (NCCS) Art. 29 · ENISA ICS-SCADA Threat Landscape recommendations · Reg. 2019/941 (crisis exercises)

📰 Real incidents, concrete lessons

Three regional electricity distribution operators in Ukraine (Prykarpattya Oblenergo, Chernivtsi Oblenergo, Kyiv Oblenergo)

2015 · Ukraine

Type: Spear-phishing with Office macros delivering BlackEnergy 3 + KillDisk; HMI / VPN control; attributed to the Sandworm group

Impact: On 23 December 2015, approximately 225,000 consumers lost power for 1-6 hours across three regions in western Ukraine. The first publicly acknowledged successful cyber attack on an electricity grid. The attackers accessed HMIs through the operators' VPN, manually opened circuit breakers and ran KillDisk on workstations to prevent rapid recovery; serial-to-Ethernet firmware was overwritten, blocking digital recovery — operators switched to manual operation.

Lesson: A banal initial vector (email with a macro) escalated over 6+ months in the network up to the HMI. NIS2 Art. 21(2)(a) (risk analysis) + 21(2)(g) (cyber hygiene + training) + strict IT/OT segregation stop the chain early. Manual operation as plan B for dispatching remains an operational necessity, not a luxury.

Public source ↗

Ukrenergo (Ukrainian TSO) — 'North' Pivnichna 330 kV substation, near Kyiv

2016 · Ukraine

Type: Industroyer / CrashOverride — first malware specifically built for electricity grids; targeted industrial protocols (IEC 60870-5-101, -104, IEC 61850, OPC DA); attributed to Sandworm

Impact: On 17 December 2016, around midnight, the Pivnichna substation was de-energised for about 1 hour; roughly 1/5 of Kyiv's consumption was cut. Dragos analysis showed the attack was not just a point blackout but an attempt at physical damage — with special code for the SIPROTEC relays that, on restart, could have caused hardware damage. The same group as in 2015.

Lesson: The attackers knew the power automation protocols (IEC 61850, IEC 104) and built malware specifically for them. IEC 62351 (protocol-level security) and mutual authentication between devices are no longer "nice-to-have" — they are minimum controls required by NCCS for critical-impact entities [C8].

Public source ↗

Colonial Pipeline

2021 · United States

Type: DarkSide ransomware (RaaS affiliate); entry via a compromised VPN password without MFA

Impact: On 7 May 2021, Colonial Pipeline shut down all 5,500 miles of petrol and jet-fuel pipeline to the south-east of the United States — the first full shutdown of the infrastructure in 57 years. Ransom paid: 75 BTC (~USD 4.4 million); the FBI later recovered 63.7 BTC (~USD 2.3 million at the lower price). State of emergency declared in 17 states + DC; fuel prices rising; full operational restart on 15 May 2021. The largest cyber attack on energy infrastructure in US history.

Lesson: A petrol/jet-fuel pipeline, not direct electricity — but the lesson applies identically to electricity grid operators: one VPN password without MFA on remote access shut down critical infrastructure. NIS2 Art. 21(2)(j) requires MFA for relevant accounts and 21(2)(d) supply-chain security — DarkSide later rebranded as BlackCat/ALPHV and hit operators in Luxembourg [C-I5].

Public source ↗

Regional electricity supplier in Ukraine (OT operator with ~2 million consumers, not publicly disclosed)

2022 · Ukraine

Type: Industroyer2 — custom variant compiled on 23 March 2022 with hardcoded IEC 60870-5-104 addresses; co-distributed with wipers (CaddyWiper, ORCSHRED, SOLOSHRED, AWFULSHRED); attributed to Sandworm

Impact: Attack averted on 8 April 2022 by CERT-UA + ESET + Microsoft. The attackers had been in the IT network since February 2022 and in the ICS environment since mid-March 2022 — roughly 1-2 months of OT preparation before detonation. Target: high-voltage substations. Approximately 2 million consumers would have been affected if the attack had completed. Industroyer2 was executed as a scheduled task on 8 April 2022 at 16:10 UTC; detected and stopped before propagation.

Lesson: The attackers spent months inside the network preparing a custom binary with the exact IEC 104 addresses of the target substation. Behavioural monitoring on the IT-OT perimeter + continuous threat-hunting + strict segregation detect reconnaissance before the pivot. NCCS Art. 29 requires advanced detection controls for critical-impact entities; ENISA NIS360 confirms electricity is the sector with the highest maturity, but the main target [C12].

Public source ↗

Encevo Group — Creos (Luxembourg electricity and gas network operator) + Enovos (energy supplier)

2022 · Luxembourg

Type: BlackCat/ALPHV ransomware (DarkSide rebrand); exfiltration of 150 GB of data / 180,000 files

Impact: Attack on the night of 22-23 July 2022. The Creos and Enovos customer portals became non-operational; the companies stated that electricity and gas supply was not interrupted — the effect was on corporate IT and the customer relationship. ALPHV claimed the attack on 29 July 2022 and threatened to publish the data. The same group that rebranded DarkSide from Colonial Pipeline.

Lesson: Shows that the attackers who hit US operators come back to Europe against operators with a similar public role. NIS2 Art. 21(2)(d) supply-chain + Art. 21(2)(b) incident handling + public communication with customers in a crisis separate from OT. The separation of corporate IT from OT saved supply — proof that segregation works.

Public source ↗

⚠️ Typical threats

  • Ransomware on SCADA infrastructure
  • State-sponsored APTs (see ENISA Threat Landscape 2025)
  • Supply chain attacks on EPC contractors

💰 Maximum fines

Up to EUR 10 million or 2% of worldwide turnover (NIS2 Art. 34)

📊 Romania compliance status

Distributors (Electrica, DEER, etc.) began remediation in Q1 2026. Transelectrica is already compliant.

🛡️ How CAI Technology helps

📚 Adjacent regulations with overlap

Reg. (EU) 2024/1366 - Network Code on Cybersecurity (NCCS) for electricity · Directly applicable from 13 June 2024; supplements Regulation (EU) 2019/943 [C7][C12]

The sectoral cybersecurity framework for cross-border electricity flows. Full overlap with NIS2 for TSOs/DSOs + producers + NEMOs + identified ICT service providers. Key differences: NCCS requires high-impact vs. critical-impact classification (Art. 24), an EU-wide risk assessment every three years (Art. 19), regional mitigation plans (Art. 22), differentiated minimum and advanced controls (Art. 29), and incident reporting to the competent national authorities and ACER [C7][C8]. ACER + ENTSO-E + EU DSO Entity are the institutional actors; in Romania, the designated competent national authority cooperates with DNSC on the horizontal NIS2 side.

Directive (EU) 2019/944 - Internal Market for Electricity (recast) · Transposition deadline 31 December 2020; applicable from 1 January 2021 [C9]

Framework directive for the internal electricity market — rules on generation, transmission, distribution, supply and storage; consumer protection; third-party access to infrastructure; independence of regulators. ANRE is the regulator in Romania. The definitions in Directive 2019/944 Art. 2 are the semantic source for the entities listed in NIS2 Annex I (electricity undertaking, TSO, DSO, NEMO, aggregator, demand response, etc.).

Reg. (EU) 2017/1485 - System Operation Guideline (SOGL) · Directly applicable from 14 September 2017; consolidated on 15 March 2021 [C9]

Harmonised rules for TSOs, DSOs and SGUs (significant grid users) on operating the interconnected system. Sets the legal framework for grid operation, data exchange and regional coordination. Operational cyber resilience maps directly onto the SOGL articles on regional coordination (Art. 76-77) and exchange of critical data.

Reg. (EU) 2019/941 - Risk-preparedness in the electricity sector · Directly applicable from 4 July 2019 [C9]

A common framework for the prevention, preparation and management of electricity crises, explicitly covering cyber attacks as a crisis trigger. Requires a National Risk-Preparedness Plan, regional + bilateral measures, exercises. In the NIS2 + NCCS context, the risk-preparedness plan becomes the umbrella document over the TSO/DSO cyber BCP.

Cyber Resilience Act - Reg. (EU) 2024/2847 · In force since 10 December 2024; active-vulnerability reporting from 11 September 2026; main obligations from 11 December 2027 [C10]

Horizontal cybersecurity requirements for products with digital elements — including PLCs, RTUs, IEDs, smart meters, EV charging stations, BESS battery controllers. Grid operators become demanding buyers: products placed on the EU market must be CRA-compliant before installation; SBOM, coordinated vulnerability handling, incident reporting to ENISA. Devices classified as important products (class I or II) face stricter conformity-assessment processes.

IEC 62443 (IACS) + IEC 62351 (power-system communications) · International IEC standards not legally transposed but referred to as state-of-the-art in NCCS and recommended by ENISA for the electricity sector [C11]

IEC 62443 (Part 4-2: security requirements for IACS components; Part 3-3: system security requirements) is the industrial reference for the security of PLCs/SCADA/HMIs/sensors — the Security Levels framework (SL1-SL4) is used as a benchmark in supplier contracts. IEC 62351 covers the security of power-automation protocols (IEC 61850 on digital substations, IEC 60870-5-101/-104 on telecontrol). Together they form a defence-in-depth layer at communication and component level — mandatory for modern digital substations.

Frequently asked

I am a TSO / DSO / electricity producer in Romania — am I in scope of NIS2?

Yes. NIS2 Art. 2 + Annex I explicitly list the electricity sub-sector (electricity undertakings via Directive 2019/944 Art. 2, TSOs, DSOs, producers, NEMOs, aggregators, demand response, storage operators, operators of significant recharging points) as a sector of high criticality [C2][C9]. If you are a medium or large entity (>= 50 staff or >= EUR 10 million turnover / balance-sheet total), you are an essential entity. Entities below the threshold can be notified individually by DNSC if they have a critical role — small storage operators connected to the transmission grid, aggregators with a portfolio above a certain level, charging stations with impact. In Romania, OUG 155/2024 + Law 124/2025 + DNSC manage registration, supervision and enforcement; ANRE cooperates on the sectoral side [C6][C13].

How do NIS2 and NCCS stack up for a large TSO or DSO?

Neither exempts you from the other. NIS2 (horizontal cybersecurity) imposes the ten minimum risk-management measures and reporting on a 24h/72h/1 month track to DNSC [C3][C4]. NCCS (sectoral, lex specialis for electricity) introduces high-impact vs. critical-impact classification, EU-wide risk-assessment methodologies (revised every three years), regional mitigation plans, differentiated minimum + advanced controls, and a reporting channel to competent national authorities and ACER [C7][C8]. In practice: a single risk-management framework that satisfies both, and two parallel reporting channels (DNSC for NIS2 + competent national authority for NCCS on the sectoral side).

What counts as a "significant incident" for a grid operator under NIS2 + NCCS?

NIS2 Art. 23(3) defines a significant incident as one that has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting other persons through considerable material or non-material damage [C4]. Operationally, for an electricity operator: compromise or loss of SCADA/EMS/DMS, encryption of dispatching systems, manipulation of protection relays, locked HMIs in the control room, exfiltration of grid configuration data, compromise of a contractor with remote access to substations. NCCS adds a sectoral category: incidents affecting cross-border flows [C7][C8]. When in doubt, file an early warning within 24 hours — you can retract later if it turns out to be minor.

Incident reporting deadlines to DNSC and the NCCS competent authority — exact?

Two parallel channels. NIS2 (to CSIRT/DNSC, under OUG 155/2024 + Law 124/2025): early warning within 24 hours of awareness, incident notification within 72 hours, final report within one month (Art. 23) [C4][C6]. NCCS (to the competent national authority + ENTSO-E for high/critical-impact entities, with ACER escalation routes on cross-border impact): complementary sectoral channel, timeline mapped on NCCS Art. 38-39 procedures [C7][C8]. Practical recommendation: prepare a single process that feeds both forms automatically from the control room, with escalation to CISO + crisis management, chief dispatcher and the ANRE / Transelectrica authority (for those connected to transmission).

We have an MSP / external contractor operating our SCADA — are we covered?

It does not exempt you from NIS2. ICT/OT vendor compromise is the most frequent vector in energy attacks: 2015 Ukraine — entry via an infected email to an employee, 6-month escalation; 2021 Colonial Pipeline — VPN password without MFA on a contractor [C-I1][C-I3]. NIS2 Art. 21(2)(d) requires supply-chain risk management, including contractual clauses (incident-response SLA, audit rights, exit strategy, controlled sub-outsourcing, mandatory MFA on remote access, SBOM for OT products) [C3]. NCCS adds sectoral supply-chain requirements for critical vendors [C7][C8]. The CRA, from 11 December 2027, will require manufacturers of PLCs/RTUs/IEDs to be compliant by design — operators become demanding buyers [C10]. The operator remains legally responsible for grid security — ICT outsourcing transfers operations, not liability.

We have digital substations with connected relays and IEDs — how do I apply NCCS + IEC 62443/62351 together?

NCCS requires minimum + advanced controls on OT components, referencing a list of European/international standards [C7][C8]. IEC 62443 (IACS) covers the security of industrial automation and control systems (PLCs, SCADA, HMIs, sensors) with the Security Levels SL1-SL4 framework [C11]. IEC 62351 covers the security of power-automation protocols (IEC 61850 on digital substations, IEC 60870-5-101/-104 on telecontrol) — mutual authentication, integrity, confidentiality at protocol level [C11]. Concretely: ask for SBOM and an IEC 62443-4-1/-4-2 conformity declaration when procuring IEDs and gateways; enable IEC 62351 authentication where the devices support it; segregate VLANs by device class; behavioural monitoring on IEC 104 (alarms on atypical command patterns, as Industroyer2 would have triggered). Non-patchable substations get compensating controls via network isolation + passive monitoring.
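Added example, not from the page or from CAI Technology: a passive monitor for IEC 60870-5-104 control traffic that checks commands against an OT inventory, the behavioural monitoring named in the supply-chain obligation above and in this answer (commands from a host that is not the SCADA master, commands to addresses that are not wired, and a sweep of commands across many points in a short window). The inventory, host addresses, sensor log format and sample traffic are constructed; the type identifiers and cause-of-transmission values are the standard IEC 104 ones.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# IEC 60870-5-104 type identifiers in control direction (standard values, subset)
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 100: "C_IC_NA_1 interrogation"}
COT_ACTIVATION = 6  # cause of transmission 6 = activation, sent master -> outstation

# Constructed OT inventory (hypothetical addresses): outstation IP -> common address
# of ASDU and the information object addresses that are actually wired to switchgear
INVENTORY = {"10.20.1.11": {"ca": 1, "ioas": {1001, 1002, 1003, 1004}},
             "10.20.1.12": {"ca": 2, "ioas": {2001, 2002}}}
AUTHORISED_MASTERS = {"10.10.0.5"}  # the SCADA front end allowed to issue commands

# One parsed ASDU: ca = common address (station), ioa = information object address
Asdu = namedtuple("Asdu", "ts src dst type_id cot ca ioa")


def parse_line(line: str) -> Asdu:
    """Constructed sensor format: '<ISO time> src=<ip> dst=<ip> type=<n> cot=<n> ca=<n> ioa=<n>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Asdu(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), kv["src"], kv["dst"],
                int(kv["type"]), int(kv["cot"]), int(kv["ca"]), int(kv["ioa"]))


class CommandMonitor:
    """Stateful detector with a sliding window of commanded points per source host."""

    def __init__(self, inventory, masters, burst_points=5, window=timedelta(seconds=10)):
        self.inventory, self.masters = inventory, masters
        self.burst_points, self.window = burst_points, window
        self.recent = defaultdict(deque)  # src -> deque of (ts, (dst, ca, ioa))

    def check(self, a: Asdu) -> list:
        # Only control-direction activations matter; confirmations (cot 7) and
        # monitoring-direction traffic (measurements, indications) are ignored.
        if a.type_id not in CONTROL_TYPES or a.cot != COT_ACTIVATION:
            return []
        alerts, name = [], CONTROL_TYPES[a.type_id]
        if a.src not in self.masters:
            alerts.append(f"UNAUTHORISED_SOURCE {a.src} sent {name} to {a.dst}")
        asset = self.inventory.get(a.dst)
        if asset is None:
            alerts.append(f"UNKNOWN_TARGET {a.dst} is not in the OT inventory")
        elif a.ca != asset["ca"] or (a.type_id != 100 and a.ioa not in asset["ioas"]):
            alerts.append(f"ADDRESS_MISMATCH ca={a.ca} ioa={a.ioa} not wired on {a.dst}")
        if a.type_id != 100:  # interrogation only reads state; real commands count for bursts
            q = self.recent[a.src]
            q.append((a.ts, (a.dst, a.ca, a.ioa)))
            while a.ts - q[0][0] > self.window:
                q.popleft()
            points = {target for _, target in q}
            if len(points) >= self.burst_points:
                alerts.append(f"COMMAND_BURST {a.src} commanded {len(points)} distinct "
                              f"points within {self.window.seconds}s")
        return alerts


def scan(lines, monitor=None) -> list:
    monitor = monitor or CommandMonitor(INVENTORY, AUTHORISED_MASTERS)
    alerts = []
    for line in lines:
        alerts.extend(monitor.check(parse_line(line)))
    return alerts


# Constructed sample traffic: one legitimate command, then an unknown host that
# interrogates the station and sweeps double commands across several breakers.
SAMPLE_LOG = [
    "2025-01-15T10:00:00Z src=10.10.0.5 dst=10.20.1.11 type=45 cot=6 ca=1 ioa=1001",
    "2025-01-15T10:00:00Z src=10.20.1.11 dst=10.10.0.5 type=45 cot=7 ca=1 ioa=1001",
    "2025-01-15T10:05:00Z src=10.10.0.99 dst=10.20.1.11 type=100 cot=6 ca=1 ioa=0",
    "2025-01-15T10:05:01Z src=10.10.0.99 dst=10.20.1.11 type=46 cot=6 ca=1 ioa=1001",
    "2025-01-15T10:05:01Z src=10.10.0.99 dst=10.20.1.11 type=46 cot=6 ca=1 ioa=1002",
    "2025-01-15T10:05:02Z src=10.10.0.99 dst=10.20.1.11 type=46 cot=6 ca=1 ioa=1003",
    "2025-01-15T10:05:02Z src=10.10.0.99 dst=10.20.1.11 type=46 cot=6 ca=1 ioa=1099",
    "2025-01-15T10:05:03Z src=10.10.0.99 dst=10.20.1.12 type=46 cot=6 ca=2 ioa=2001",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In a real deployment the inventory comes from the OT asset register the supply-chain obligation calls for, and the alerts feed the control-room runbook that triggers the NIS2 early warning.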

What is the maximum fine ceiling for an essential electricity operator?

Under NIS2 Art. 34: at least EUR 10,000,000 or 2% of annual worldwide turnover, whichever is higher, for essential entities [C5]. For important entities: EUR 7,000,000 or 1.4% [C5]. In Romania, OUG 155/2024 + Law 124/2025 transposed the NIS2 thresholds; DNSC is the enforcement authority for sanctions, with administrative gradation (warning, compliance order, temporary suspension of services) + personal liability of management (NIS2 Art. 20, including temporary prohibition from exercising managerial functions) [C6][C5]. Sanctions may be cumulative with those under sectoral energy law (Romanian Electricity and Gas Law) and general law (GDPR Art. 83 if the incident also affects personal data).

Who is personally liable within company management?

NIS2 Art. 20 requires the management body (board of directors, management board, managing director / CEO) to approve cyber risk-management measures, oversee implementation and undergo regular training [C3]. Members may be held personally liable for breaches of Art. 21. The directive allows Member States to impose temporary prohibitions on exercising managerial functions for essential entities (NIS2 Art. 32(5)) [C5]. In Romania, OUG 155/2024 + Law 124/2025 transposed these provisions [C6]. Practical implementation: a board decision approving the cyber risk-management framework — signed, dated, archived — an annual report to the board from the CISO + operational-risk committee, and documented board training (at least annual).

🔗 Official sources

Are you in the electricity sector?

Free NIS2 audit for companies with 50+ employees. We reply within 24 business hours.

Request audit →