Energy and Infrastructure | Energy Law / IT Law and Data Protection | 30.10.2025 | News
NIS-2 Implementation Act in Germany about to come into force – implications for renewable energy companies
The implementation of the NIS-2 Directive in Germany is imminent. The Directive is being transposed by the NIS-2 Implementation Act, which places the key obligations in the revised Act on the Federal Office for Information Security (BSIG-E) while retaining the existing sector-specific provisions, including those for the energy sector, in modified form (EnWG-E).
Companies that operate facilities for generating or using renewable energy (renewable energy companies) now face the question of whether, and if so to what extent, the implementation of NIS-2 will impose IT security requirements on them for the first time, or how far existing regulation will be expanded. This article outlines the differences between the current and future legal situation for renewable energy companies and provides an outlook on the further legislative process.
1. Current legal situation
Renewable energy companies are already subject to an obligation to implement IT security measures, in particular under Section 11 (1) EnWG (operation of energy supply networks and energy facilities). However, these obligations only apply to operators of energy facilities if the renewable energy company operates facilities that are also classified as critical infrastructure and meet various supply-related thresholds (rule of thumb: supply of 500,000 people).
The specific IT security measures to be taken pursuant to the EnWG are set out in the IT security catalogues of the Federal Network Agency (BNetzA). Of particular importance is the introduction of a certified information security management system (ISMS).
However, those affected are not yet obliged to align all their IT systems, components or processes (IT landscape) with the IT security catalogues. The IT landscape is only covered by the EnWG regulation to the extent that it is necessary for secure network operation.
2. Future legal situation
The BSIG-E now covers renewable energy companies that either operate critical infrastructure or have at least 50 employees or EUR 10 million in annual turnover and annual balance sheet total (group affiliation is taken into account proportionally), and that perform an activity regulated in Annexes 1 and 2 of the BSIG-E.
These include the following activities in particular:
(a) Electricity suppliers pursuant to Section 3 No. 31c EnWG
(b) Operators of electricity distribution networks pursuant to Section 3 No. 3 EnWG
(c) Operators of transmission networks pursuant to Section 3 No. 10 EnWG
(d) Operators of generation plants pursuant to Section 3 No. 18d EnWG
(e) Aggregators pursuant to Section 3(1a) EnWG
(f) Operators of energy storage facilities pursuant to Section 3 No. 15d EnWG
(g) Charging point operators pursuant to Section 2 No. 8 LSV
(h) Operators in the field of hydrogen production, storage and transmission
The obligations of the BSIG-E apply to the entire company. Accordingly, Section 30 BSIG-E covers the IT landscape used to provide the services. According to the explanatory memorandum to the law, this already includes general office IT.
The situation is now becoming complex for renewable energy companies that fall within the scope of application of the newly created Sections 5c to 5e EnWG-E.
These are:
(a) Operators of an energy supply network
(b) Operators of an energy facility
(c) Operators of a digital energy service
This is because these operators are then exempt from most of the obligations under BSIG-E and, with regard to the scope and extent of the risk management measures to be taken, it is not Section 30 BSIG-E that applies, but rather Section 5c EnWG.
However, according to its wording, Section 5c EnWG continues the previous system: the IT landscape only needs to be protected to the extent necessary for secure operation. By contrast, the explanatory memorandum to the law states that Section 5c EnWG is also intended to regulate the entire IT landscape of the company concerned.
This raises the question of how to deal with this ambiguity. In any event, for renewable energy companies that perform other activities regulated by the BSIG-E in addition to their energy-sector activities, Section 28 (5) sentence 2 BSIG-E states that the obligations of the BSIG-E additionally apply in that respect (i.e. the entire remaining IT landscape is subject to the BSIG-E).
Ultimately, it remains to be seen whether the Federal Network Agency will define the scope of application in its future security catalogues (as it has done in the past) and thereby provide clarity on this issue, including how to classify cases in which the IT landscape is not separated and individual IT systems (such as an ERP system) are used by the entire company.
3. Sanctions, fines and management responsibilities
The BSIG-E and EnWG provide for strict legal consequences for violations of compliance requirements. For affected renewable energy companies, this means, depending on the severity of the violation:
(a) Fines of up to EUR 10,000,000 or 2% of their global annual turnover;
(b) The Federal Office for Information Security or the Federal Network Agency may order security measures to be taken in the event of non-compliance with obligations, such as the introduction of certain security systems.
Board members and managing directors of renewable energy companies should also bear in mind that Section 38 BSIG-E and Section 5e EnWG explicitly state that failure to observe compliance regulations leads directly to corporate liability vis-à-vis the company concerned – monitoring NIS 2 compliance is thus the responsibility of senior management and part of the personal responsibility of managing directors. Managers must also undergo regular training. In our opinion, in cases of doubt a lack of training will lead to subsequently identified violations of NIS 2 implementation regulations being classed as organisational negligence on the part of the management.
4. Outlook and recommendations
The BSIG-E and EnWG-E stipulate strict and complex IT compliance measures. Because of their nested cross-references, the new regulations make it challenging to identify which renewable energy companies fall under which rules. It is therefore all the more important that board members and managing directors quickly gain an overview of the action that may be required, carry out gap analyses and, if necessary, update their ISMS. This is because the NIS-2 Implementation Act not only holds management directly and personally liable; the current draft law also does not provide for any implementation deadlines.
Following its reading in the Bundestag, the Bundesrat issued a statement on the law on 26 September 2025, which, however, only contains individual comments on domains and support tasks of the federal states. The law is therefore expected to come into force in the near future (possibly before the end of this year).
Christian Saßenbach
LL.M. (Norwich), CIPP/E
Junior Partner, Rechtsanwalt