10 Jun 2026

What NIS2 means for substation and SCADA security

Quick summary

NIS2 pulls operational technology into the same compliance perimeter as corporate IT, and the energy sector sits at the top of its priority list. For substation automation, SCADA and RTUs, the practical work is securing equipment that was never designed for connected threats while producing the documentation regulators now expect.

Introduction

For two decades, substation security was largely a question of locked doors and isolated networks. The NIS2 Directive changes the frame entirely, treating the digital integrity of grid operations as a legal obligation rather than an engineering preference. Energy operators are now classed among the most critical entities in the EU, and the controls that used to be optional are becoming auditable requirements.

The difficulty is that the rule lands on infrastructure that predates it by decades. Remote terminal units, protection relays and SCADA front ends were specified for reliability and longevity, not for a threat model where a distribution operator can be probed from anywhere. Closing that gap is the real work of NIS2 compliance in the energy domain.

Why substations sit at the centre of NIS2

NIS2 lists energy in Annex I as a sector of high criticality, which places electricity generation, transmission and distribution operators among the essential entities subject to the strictest compliance tier. The transposition deadline was 17 October 2024, and the political pressure behind it has been unusually visible: the European Commission opened infringement procedures against 23 member states in November 2024 and issued reasoned opinions to 19 of them in May 2025 for incomplete transposition (European Commission, 2025).

The reason this matters for substation teams is that uneven national timelines do not pause the underlying obligation. An operator running assets across Denmark, Germany and the Benelux faces a patchwork of registration deadlines and supervisory authorities, yet the technical baseline the directive demands is broadly consistent across all of them.

Substations are no longer judged on whether they are connected, but on whether their connectivity can be governed, monitored and proven secure.

That shift is what turns a familiar engineering asset into a regulated one. A substation that exchanges data with a control centre is now a node in a reportable security architecture, and its protocols, access paths and logging all fall within scope.

Takeaway: Energy operators fall into NIS2’s strictest tier, so substation connectivity is now a governed, auditable obligation rather than an internal engineering choice.

What NIS2 actually requires in an OT context

The directive is deliberately outcome-focused, which can frustrate engineers looking for a checklist. Article 21 sets out risk management measures that essential entities must implement, and translating them into an OT environment is where most of the effort goes. The core expectations include:

  • Documented risk management covering both IT and OT estates, not IT alone

  • Network segmentation that isolates control zones from corporate systems

  • Asset inventories detailed enough to identify every device that touches a control process

  • Incident detection and response capable of recognising anomalies in industrial traffic

  • Supply chain security, extending obligations to integrators and component vendors

The gap between policy and reality is stark. According to ENISA (2024), 32 percent of energy sector operators do not have a single critical OT process monitored by a security operations centre, and only 52 percent integrate operational and information technology under one monitoring function. The implication is that a large share of operators cannot currently see an attack on their control systems, let alone report it within the directive’s timelines.

Bringing legacy field equipment into a monitored, segmented architecture is rarely a clean replacement exercise, and that constraint shapes how substation automation projects are scoped long before any procurement decision is made. The pragmatic path is layering visibility and segmentation onto existing assets rather than waiting for a full hardware refresh that may be years away.

Takeaway: NIS2 demands OT-specific risk management, segmentation and monitoring, yet a third of energy operators still have no security visibility into their control processes.

Securing SCADA and RTUs that predate the rule

The hardest part of NIS2 in the grid is that the assets in scope often cannot be patched, re-authenticated or re-architected the way a modern server can. An RTU commissioned fifteen years ago may speak IEC 60870-5-104 with no authentication or encryption (the IEC 62351 secure profile that adds TLS to IEC 104 exists, but fielded RTUs rarely support it), run firmware that the vendor no longer supports, and sit in a substation visited only a few times a year.

This is where compensating controls become central. Rather than forcing modern security onto equipment that cannot accept it, operators wrap vulnerable assets in protective layers: segmentation so a compromised zone cannot spread, secure gateways that mediate legacy protocol traffic, and passive monitoring fed from a network tap or mirror port that detects abnormal commands without injecting a single packet into the control loop.
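What "detecting abnormal commands" looks like in practice is a parser that understands the control protocol well enough to tell a spontaneous measurement from a control command, plus an allowlist of who may command which points. The Python below is an added example written for this article, not code from the original page or from any vendor product. It parses the APCI and ASDU header of IEC 60870-5-104 frames and alerts on a command ASDU that comes from a host other than the SCADA front end, that targets an information object address (IOA) never commissioned for commands, or that carries a cause of transmission a command should not have. The IP addresses, station address, IOAs, policy and captured frames are all constructed for the example; a real monitor would reassemble TCP streams and load the allowlist from the commissioning records.

```python
"""Passive IEC 60870-5-104 command monitor (added example, constructed data).

Parses the APCI/ASDU header of each TCP payload and raises an alert when a
control ASDU (command) comes from an unexpected source, targets an IOA not in
the commissioned allowlist, or carries an unexpected cause of transmission.
"""
from dataclasses import dataclass

# ASDU type identifiers (IEC 60870-5-101/104) that carry control commands.
COMMAND_TYPES = {
    45: "C_SC_NA_1",   # single command
    46: "C_DC_NA_1",   # double command
    47: "C_RC_NA_1",   # regulating step command
    48: "C_SE_NA_1",   # set point, normalised value
    49: "C_SE_NB_1",   # set point, scaled value
    50: "C_SE_NC_1",   # set point, short float
    58: "C_SC_TA_1",   # single command with CP56Time2a time tag
    59: "C_DC_TA_1",   # double command with time tag
    100: "C_IC_NA_1",  # general interrogation
    103: "C_CS_NA_1",  # clock synchronisation
}
COT_ACTIVATION, COT_DEACTIVATION = 6, 8
COT_RTU_REPLIES = {7, 9, 10}  # act. confirmation, deact. confirmation, act. termination


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int
    common_address: int
    ioa: int


def parse_iec104(payload: bytes):
    """Return ('I', Asdu), ('S', None), ('U', None), or None if not an IEC 104 APDU."""
    if len(payload) < 6 or payload[0] != 0x68:
        return None
    apdu_len = payload[1]
    if apdu_len < 4 or len(payload) < 2 + apdu_len:
        return None
    ctrl = payload[2:6]
    if ctrl[0] & 0x01 == 0:                    # I-format: bit 0 of first control octet is 0
        asdu = payload[6:2 + apdu_len]
        if len(asdu) < 9:                      # type, VSQ, COT(2), CA(2), IOA(3)
            return None
        return "I", Asdu(
            type_id=asdu[0],
            num_objects=asdu[1] & 0x7F,        # bit 7 is the SQ flag
            cot=asdu[2] & 0x3F,                # low 6 bits; bit 6 = P/N, bit 7 = test
            common_address=int.from_bytes(asdu[4:6], "little"),
            ioa=int.from_bytes(asdu[6:9], "little"),
        )
    if ctrl[0] & 0x03 == 0x01:
        return "S", None                       # supervisory (ack) frame
    return "U", None                           # STARTDT/STOPDT/TESTFR frame


# Constructed policy: which host may command which points on which station.
POLICY = {
    "command_sources": {"10.0.1.10"},         # SCADA front end (constructed address)
    "rtu_hosts": {"10.0.2.20"},               # substation RTU (constructed address)
    "allowed_commands": {                     # (common address, type_id) -> commissioned IOAs
        (1, 45): {5001, 5002},
        (1, 100): {0},                         # general interrogation always uses IOA 0
        (1, 103): {0},
    },
}


def check_packet(src: str, dst: str, payload: bytes, policy=POLICY):
    """Return a list of alert strings for one captured TCP payload (empty if benign)."""
    parsed = parse_iec104(payload)
    if parsed is None or parsed[0] != "I":
        return []
    asdu = parsed[1]
    if asdu.type_id not in COMMAND_TYPES:
        return []                              # monitor-direction data, not a command
    name = COMMAND_TYPES[asdu.type_id]
    alerts = []
    if src in policy["rtu_hosts"]:
        # The RTU mirrors a command back only as confirmation/termination.
        if asdu.cot not in COT_RTU_REPLIES:
            alerts.append(f"{name} from RTU {src} with unexpected COT {asdu.cot}")
        return alerts
    if src not in policy["command_sources"]:
        alerts.append(f"{name} from non-authorised source {src} to {dst}")
    if asdu.cot not in (COT_ACTIVATION, COT_DEACTIVATION):
        alerts.append(f"{name} from {src} with unexpected COT {asdu.cot}")
    allowed = policy["allowed_commands"].get((asdu.common_address, asdu.type_id), set())
    if asdu.ioa not in allowed:
        alerts.append(f"{name} to CA {asdu.common_address} IOA {asdu.ioa} not in commissioned allowlist")
    return alerts


def _iframe(asdu_bytes: bytes, ns: int = 0, nr: int = 0) -> bytes:
    """Wrap an ASDU in an APCI I-frame (helper for the constructed frames below)."""
    ctrl = bytes([(ns << 1) & 0xFF, (ns >> 7) & 0xFF, (nr << 1) & 0xFF, (nr >> 7) & 0xFF])
    return bytes([0x68, 4 + len(asdu_bytes)]) + ctrl + asdu_bytes


CAPTURE = [  # (src, dst, payload): constructed frames, not a real substation capture
    # RTU reports a single-point change, spontaneous (COT 3), IOA 1001: benign
    ("10.0.2.20", "10.0.1.10", _iframe(bytes([1, 1, 3, 0, 1, 0, 0xE9, 0x03, 0, 1]))),
    # Front end sends C_SC_NA_1 execute ON to IOA 5001 (COT 6): commissioned, benign
    ("10.0.1.10", "10.0.2.20", _iframe(bytes([45, 1, 6, 0, 1, 0, 0x89, 0x13, 0, 1]), ns=1)),
    # RTU confirms it (COT 7): benign
    ("10.0.2.20", "10.0.1.10", _iframe(bytes([45, 1, 7, 0, 1, 0, 0x89, 0x13, 0, 1]), ns=1, nr=2)),
    # Engineering laptop replays the same command: source not authorised
    ("10.0.3.77", "10.0.2.20", _iframe(bytes([45, 1, 6, 0, 1, 0, 0x89, 0x13, 0, 1]))),
    # Front end commands IOA 5099, never commissioned: allowlist miss
    ("10.0.1.10", "10.0.2.20", _iframe(bytes([45, 1, 6, 0, 1, 0, 0xEB, 0x13, 0, 1]), ns=2)),
    # U-frame STARTDT act: no ASDU, ignored
    ("10.0.1.10", "10.0.2.20", bytes([0x68, 4, 0x07, 0, 0, 0])),
]


def scan(capture=CAPTURE):
    """Run the policy over every captured payload and collect the alerts."""
    return [alert for src, dst, payload in capture for alert in check_packet(src, dst, payload)]


if __name__ == "__main__":
    for line in scan():
        print("ALERT:", line)
```

Running the block flags two of the six frames: the command from the engineering laptop and the command to the uncommissioned IOA, while the RTU's spontaneous report, the legitimate command, its confirmation and the link-layer U-frame pass silently. The allowlist is the interesting part: it is the same point list the commissioning engineer already holds, so maintaining it doubles as the per-device asset inventory the directive asks for.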

The threat data justifies the urgency. In its latest threat landscape, ENISA found that operational technology now accounts for around 18 percent of all identified threat categories across roughly 4,875 analysed incidents, a marked move towards industrial and critical systems (ENISA, 2025). The reason this matters is that attackers are no longer treating OT as too obscure to target; the same ransomware and intrusion techniques that hit IT are increasingly aimed at the control layer.

The most defensible substation is not the newest one, but the one where every legacy weakness has a documented, monitored control wrapped around it.

Takeaway: Where SCADA and RTUs cannot be modernised quickly, segmentation, secure gateways and passive monitoring are the compensating controls that make legacy estates defensible under NIS2.

Reporting, governance and the cost of getting it wrong

NIS2 raises the stakes through two mechanisms that OT teams sometimes underestimate: mandatory incident reporting and personal accountability for management. Under Article 23, essential entities must submit an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month, which is only possible if monitoring and response are already in place. An operator that cannot detect an intrusion cannot meet a 24-hour early warning obligation.

The financial exposure is concrete. Under the directive, essential entities can face fines of up to 10 million euros or 2 percent of global annual turnover, whichever is higher, and important entities up to 7 million euros or 1.4 percent. For a transmission or distribution operator, the larger figure is almost always the turnover percentage, which reframes cybersecurity spending as protection against a material business risk rather than a discretionary cost.

Governance is the other lever. Article 20 makes the management body responsible for approving and overseeing the risk management measures, and for following training on them, so cybersecurity decisions can no longer sit unread at the engineering level. This is a meaningful cultural change for organisations where OT and the boardroom have historically operated at arm’s length.

Takeaway: NIS2 ties tight reporting deadlines and turnover-based fines to senior accountability, so detection capability and board-level governance become compliance prerequisites, not optional extras.

Building a NIS2 readiness programme for OT

A workable programme starts with honesty about what is actually deployed. Most operators discover that their asset inventory is incomplete the moment they try to map every device that influences a control decision, and that discovery alone justifies the exercise.

From there, the sequence is straightforward even when the execution is not: classify entities and assets, segment the network around criticality, instrument the environment so control traffic is visible, and document everything in a form an auditor can follow. The DACH and Nordic markets, where many operators run mixed fleets of equipment across multiple vendor generations, tend to feel this complexity most acutely because no single tool covers the whole estate.

The interpretive point is that NIS2 rewards demonstrable process over perfect technology. An operator that can show a risk-based plan, evidence of segmentation and a functioning detection capability is in a far stronger position than one with newer equipment but no documentation tying it to the directive’s requirements.

Takeaway: A credible NIS2 programme prioritises asset visibility, risk-based segmentation and audit-ready documentation over wholesale equipment replacement.

Conclusion

NIS2 has redefined substation and SCADA security from an internal engineering concern into a governed, reportable obligation backed by significant penalties. The directive does not expect operators to replace decades of installed infrastructure overnight, but it does expect them to see, segment and document it.

For energy operators across Denmark, the Nordics, DACH and the wider EU, the most effective response treats compliance as a byproduct of genuine operational visibility. Build the ability to monitor and govern the control environment, and the reporting, accountability and audit requirements become far easier to satisfy.

FAQ

Does NIS2 apply to operational technology or only to IT systems?

NIS2 applies to both. Article 21 requires essential and important entities to manage the risks to the security of their network and information systems, and that term covers the devices and networks that run a control process, so SCADA, RTUs, protection relays and substation automation systems are in scope even though the directive does not name them. Treating OT as out of scope is one of the most common compliance mistakes energy operators make.

What are the penalties for non-compliance with NIS2 in the energy sector?

Essential entities, which include most transmission and distribution operators, can face fines of up to 10 million euros or 2 percent of global annual turnover, whichever is higher. Important entities face up to 7 million euros or 1.4 percent. NIS2 also makes senior management personally accountable for approving and overseeing cybersecurity risk measures.

How can operators secure legacy RTUs and SCADA systems that cannot be patched?

The standard approach uses compensating controls. Network segmentation isolates legacy assets so a compromise cannot spread, secure gateways mediate insecure protocol traffic such as IEC 60870-5-104, and passive monitoring detects abnormal commands without interfering with the control loop. This allows operators to protect equipment that cannot accept modern security features directly.

When did NIS2 take effect and is it already enforceable?

The transposition deadline was 17 October 2024. Although several member states were late, the directive is live, and the European Commission has pursued infringement procedures against states that missed full transposition. Operators are expected to comply regardless of local delays, because waiting for national gazette publication leaves no time to implement controls that take months to deploy.


About Author

Wirtek is a Danish tech company with 25 years of experience, specialising in three core domains: energy, connectivity & automation and digital engineering. We build, connect and operate digital solutions through software development, Internet of Things (IoT), quality assurance and ready-made products. Founded as a Nokia spin-off, we combine deep know-how with EU compliance to partner with companies on their journey to modernise systems and extend capabilities while reducing risk. Since 2022, we have focused strongly on shaping solutions that power the sustainability transition.
