Critical Infrastructure Compliance Requirements
Energy companies and utilities are classified as operators of essential services (OES) under the EU NIS2 Directive — subjecting them to mandatory cybersecurity risk management, incident reporting, and supply chain security obligations. Non-compliance carries administrative fines of up to €10 million or 2% of global turnover under NIS2.
NIS2 Directive — Key Obligations
- Cybersecurity risk management measures proportionate to the risk
- Incident reporting: significant incidents to national CSIRT within 24 hours, full report within 72 hours
- Supply chain security — assessing security practices of suppliers and service providers
- Business continuity measures — backup management, disaster recovery, crisis management
- Senior management accountability — NIS2 explicitly holds management bodies personally responsible
ISO 27001 and NIS2 Alignment
ISO 27001:2022 provides the most comprehensive framework for satisfying NIS2 Article 21 cybersecurity risk management requirements. BALTUM's NIS2 readiness programme maps your ISO 27001 ISMS controls to NIS2 obligations — identifying gaps and providing a prioritised remediation roadmap aligned to your NIS2 Member State transposition deadline.
OT and ICS Security
Energy and utilities organisations face the additional challenge of operational technology (OT) and industrial control system (ICS) security — areas not fully addressed by IT-focused frameworks. BALTUM works with OT-specialist auditors to extend ISO 27001 scope to include SCADA, DCS, and ICS environments, with reference to IEC 62443 standards where applicable.