NIS2 in Energy Supply: Municipal Utilities, Grid Operators, Smart Meter
TL;DR
- Energy is an essential-entity sector under NIS2; the threshold is 50+ employees and EUR 10M turnover
- All grid operators are in scope regardless of size
- SMGAs (Smart Meter Gateway administrators) need separate BSI certification
- Triple regulation: NIS2 / Section 30 BSIG, EnWG Section 11, KRITIS Ordinance
- OT/IT convergence: SCADA security per IEC 62443 and NIST 800-82
1. Who is in scope?
Energy suppliers from 50 employees plus EUR 10M turnover are essential entities. Grid operators are in scope regardless of size, due to their systemic role. SMGAs (Smart Meter Gateway administrators) face an additional layer: BSI certification of the gateway itself.
2. Triple regulation: NIS2 + EnWG + KRITIS
Three regimes apply in parallel:
- EnWG Section 11 (German Energy Industry Act) - sector-specific IT security duties
- KRITIS Ordinance - quantitative thresholds for critical infrastructure
- Section 30 BSIG / NIS2UmsuCG - the 10 cybersecurity measures
Mapping the three onto a single ISMS is the practical challenge.
3. SCADA security
OT/IT convergence is the single biggest risk surface. Industrial control systems must be segmented, monitored, and patched. Reference standards: IEC 62443 (industrial automation), NIST SP 800-82 (ICS security), BSI ICS-Compendium.
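Segmentation is only useful if someone checks that traffic actually respects it. The following is an added example, not code from the original article or from any of the standards it cites: it models a small plant as IEC 62443-style zones and conduits and audits constructed flow-log lines against that conduit allowlist, flagging cross-zone traffic that no conduit permits (for instance a host in the enterprise network talking Modbus/TCP straight to a field device). The zone names, address ranges, ports and log format are all hypothetical and chosen for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical zone model in the spirit of IEC 62443 zones and conduits.
# Address ranges are constructed for this example, not taken from any real plant.
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.1.0.0/16"),   # office IT
    "ot_dmz": ipaddress.ip_network("10.10.0.0/16"),         # historian, jump hosts
    "control": ipaddress.ip_network("10.20.0.0/16"),        # SCADA servers, HMIs
    "field": ipaddress.ip_network("10.30.0.0/16"),          # RTUs, PLCs
}

# Conduit allowlist: (source zone, destination zone, protocol, destination port).
# Anything crossing a zone boundary that is not listed here is a violation.
ALLOWED_CONDUITS = {
    ("enterprise_it", "ot_dmz", "tcp", 443),   # reporting via DMZ web front end
    ("ot_dmz", "control", "tcp", 4840),        # historian pulls OPC UA from control
    ("control", "field", "tcp", 502),          # SCADA polls Modbus/TCP on RTUs
    ("control", "field", "tcp", 20000),        # DNP3 to outstations
}

# Constructed flow-log format: "<ts> src=<ip> dst=<ip> proto=<proto> dport=<port>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Violation:
    flow: Flow
    src_zone: str
    dst_zone: str
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; 'unknown' means it belongs to no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; malformed lines are skipped rather than crashing the audit."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def check_flow(flow: Flow) -> Optional[Violation]:
    """Return a Violation if the flow crosses zones without an allowed conduit."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return Violation(flow, src_zone, dst_zone, "address outside any defined zone")
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not governed by conduit policy here
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED_CONDUITS:
        return None
    return Violation(flow, src_zone, dst_zone, "no conduit permits this cross-zone flow")


def audit(lines: List[str]) -> List[Violation]:
    """Run every parsable log line through the conduit check and collect violations."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        v = check_flow(flow)
        if v is not None:
            violations.append(v)
    return violations


# Constructed sample flows: three permitted conduits, one malformed line,
# and four flows a segmentation monitor should raise.
SAMPLE_FLOWS = [
    "2026-05-02T10:00:01Z src=10.1.4.12 dst=10.10.0.5 proto=tcp dport=443",     # IT -> DMZ web: ok
    "2026-05-02T10:00:02Z src=10.10.0.9 dst=10.20.1.3 proto=tcp dport=4840",    # DMZ -> control OPC UA: ok
    "2026-05-02T10:00:03Z src=10.20.1.3 dst=10.30.7.21 proto=tcp dport=502",    # control -> field Modbus: ok
    "2026-05-02T10:00:04Z src=10.1.4.12 dst=10.30.7.21 proto=tcp dport=502",    # IT -> PLC directly: violation
    "2026-05-02T10:00:05Z src=10.1.9.40 dst=10.20.1.3 proto=tcp dport=3389",    # IT -> SCADA RDP: violation
    "2026-05-02T10:00:06Z src=10.30.7.21 dst=10.1.4.12 proto=tcp dport=443",    # PLC reaching out to IT: violation
    "garbled line that does not match the format",                               # skipped
    "2026-05-02T10:00:07Z src=192.168.99.1 dst=10.20.1.3 proto=tcp dport=502",  # unmapped source: violation
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"{v.flow.ts} {v.src_zone}->{v.dst_zone} {v.flow.proto}/{v.flow.dport}: {v.reason}")
```

The allowlist is deliberately direction-aware: a flow from the field zone back to enterprise IT is flagged even though the reverse direction on the same port might be permitted, which is the kind of outbound-from-PLC behaviour a segmentation review wants to surface. In a real deployment the zone table and conduit set would be generated from the network design documentation rather than hand-written, and the log source would be the firewall or flow collector at each zone boundary.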
4. Smart Meter Gateway security
BSI certification is mandatory for the gateway. Strict protection objectives apply for consumer metering data, including end-to-end encryption and protected administrative interfaces.
5. Supply-chain audit specifics
Prioritize SCADA vendors (Siemens, ABB, Schneider) and Smart Meter manufacturers in supplier audits. Patch SLAs, secure-development evidence, and incident-notification clauses are the must-haves.
Summary
Energy operators sit in the highest NIS2 tier and combine three German regulatory regimes. The way forward is a unified ISMS that maps NIS2, EnWG, and KRITIS to a single set of controls, with IEC 62443 covering the OT side.
Frequently Asked Questions
Wholesaler vs. end-supplier?
Is BSI certification mandatory?
Sources
- Directive (EU) 2022/2555 — NIS2 (Annex I energy) (As of: 2026-05-02)
- BSIG 2025 (Section 30 cybersecurity measures) (As of: 2026-05-02)
- NIS2 — German consolidated text (As of: 2026-05-02)