How wind farm operators are meeting the stricter NIS2 requirements

Network and infrastructure security is no longer just a concern for the major players in our industry: even small operators and private installations are vulnerable to cyberattacks. We explain the legal framework in place and what operators need to bear in mind.

May 2026

The question today is no longer whether cyberattacks will happen. The question is rather: when and on what scale will they occur? Major energy suppliers, for example, report several hundred attacks every day.[1] But it is not just large companies that are affected: hacking is now automated, and AI actively searches for vulnerabilities in systems. The sector or the size of the company is irrelevant – even small wind farms, solar parks or private micro-systems are at risk.[2]

Cyber resilience is therefore becoming a crucial factor for them too. The aim is to detect and stop attacks quickly enough.

Which laws govern cybersecurity?

Apart from the fact that individuals and businesses have a vested interest in cyber resilience, the legislator also sets out requirements, as its priority is the protection of critical infrastructure (KRITIS). The legal basis for this can be found, amongst other places, in the European Network and Information Security Directive (NIS-2), which came into force in January 2023.[3] The German law implementing the Directive is the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG).[4] It came into force on 6 December 2025 and covers companies in 18 sectors.

Which companies are affected?

The law distinguishes between ‘particularly important facilities’ (bwE) and ‘important facilities’ (wE). In addition to the generally applicable factors, the classification of operators of renewable energy plants as bwE or wE also depends on their installed capacity and their classification as KRITIS companies.

Particularly important facilities:

  • Plants with an installed capacity of 420 MW or more are classified as critical infrastructure. These are subject to the strictest requirements and immediate reporting obligations.
  • Large enterprises with more than 250 employees or a turnover of over 50 million euros (and a balance sheet total of over 43 million euros).

Important facilities:

  • Medium-sized enterprises with more than 50 employees or a turnover of over 10 million euros.

In addition, specific requirements apply to many operators. For example, under the Energy Industry Act (e.g. Section 11 EnWG[5]) and the KRITIS Regulation, operators of energy facilities that are classified as “significant” under the Act (often from 104 MW upwards)[6] must implement state-of-the-art IT security. This requires an information security management system (ISMS) compliant with ISO 27001 or the Federal Network Agency’s IT security catalogue. Companies may also be subject to contractual security requirements via the supply chain, for example when supplying a direct marketer.

What do operators need to do?

Operators of wind farms, solar parks or biogas plants should check the following points:

  • Check whether you need to register with the BSI. But be careful: the deadline for this was March 2026.
  • Implement technical and organisational measures such as encryption or access controls in accordance with Section 30 of the BSIG. Also secure remote control systems and pay attention to interfaces with the VPN or the control room. These are critical checkpoints for the BSI.
  • Secure your supply chain and check whether service providers such as maintenance firms and remote control service providers are operating securely.
  • Observe reporting obligations. Significant security incidents must be reported to the BSI within 24 hours (initial report) and 72 hours (update).
  • Ensure you receive training. Managing directors must demonstrate that they have received training on the subject of cybersecurity (Section 38 BSIG).

IT Security in our Direct Electricity Supply Contract

We have recently updated our Direct Electricity Supply Contract to include provisions on IT security for our customers. In it, we state – as required by law – that each contracting party is obliged to ensure that appropriate technical and organisational measures are in place for their IT systems, components and processes, as well as for the data exchanged, and to comply with reporting obligations.

Do you have any questions about IT security? Please feel free to get in touch!

renewables@vattenfall.de


[1] https://www.wiwo.de/unternehmen/energie/netzinfrastruktur-eon-zahl-der-cyberangriffe-hat-massiv-zugenommen/100208898.html

[2] https://www.neueenergie.net/artikel/wissen/infrastruktur/cyberangriff-windpark-hacking-automatisiert

[3] https://www.bsi.bund.de/DE/Das-BSI/Auftrag/Gesetze-und-Verordnungen/NIS-2-Richtlinie/nis-2-richtlinie.html

[4] https://www.recht.bund.de/bgbl/1/2025/301/VO.html

[5] https://www.gesetze-im-internet.de/enwg_2005/__11.html

[6] https://www.gesetze-im-internet.de/bsi-kritisv/anhang_1.html