20.05.2025 | Stefan Heller | Article

Cybersecurity in the Energy Supply


Regulatory requirements and recommendations for action for the electricity and gas sector

The ICT minimum standard has been mandatory for the electricity sector since July 1, 2024, and will apply to the gas sector from July 1, 2025. In addition, a reporting obligation for cyber attacks came into force on April 1, 2025. This increasing regulation underlines the critical role of the electricity and gas supply for national security of supply.

The ICT minimum standard serves as a framework for increasing information and communication security for operators of critical infrastructures. It has been mandatory for the electricity sector since July 2024 and for the gas sector from July 2025. The StromVV (Annex 1a) defines protection levels and maturity levels for protective measures, which are similarly regulated in document G1008 (Gas, May 2024).

Recipe for success for implementation: strategy and assessment

However, implementing the ICT minimum standard is a challenge in terms of organizational, procedural and technical measures. Experience has shown that energy suppliers often find it more difficult to implement the organizational and procedural measures than the technical aspects.

We recommend the following strategic steps for successful implementation of the measures of the ICT minimum standard:

  • Establish governance: The management defines the security objectives and responsibilities. Instructions for IT end users and administrators are drawn up based on the security objectives.
  • Inventory: Create, revise or complete your inventory of all IT systems and data.
  • Risk analysis: Identify and evaluate critical processes, functions and capabilities in the company.
  • Derive protective measures: Define and implement protective measures based on the risk analysis (for example, network zoning, backup strategies).
  • Implement detection mechanisms: Establish a security monitoring system (for example, EDR, IDS, SIEM).
  • Ensure responsiveness: Develop an incident response plan and create playbooks for specific attack scenarios.
  • Recovery planning: Create contingency and recovery plans and ensure regular backups (including offline).

Even if the ICT minimum standard has already been implemented, it is advisable to carry out a self-assessment regularly or to commission an external assessment. External assessments have the advantage that technical experts can provide valuable input and, where the assessors already have experience in energy supply, an industry benchmark.

Obligation to report cyber attacks: What needs to be done?

Since April 1, 2025, operators in the electricity and gas sector have been obliged to report certain cyber attacks to the Federal Office for Cybersecurity (BACS) within 24 hours of discovery if the following criteria apply:

  • The functionality of the affected critical infrastructure is at risk – especially if employees or third parties are affected by system disruptions or the organization can only maintain its operations with the help of emergency plans.
  • Business-relevant information has been viewed, modified or disclosed by unauthorized persons (note: if personal data is affected, a report must also be submitted to the Federal Data Protection and Information Commissioner (FDPIC)).
  • The attack remained undetected for an extended period, especially if there were signs of preparatory measures for further cyber attacks.
  • The attack involves blackmail, threats or coercion.

Content of the notification

The initial report to the BACS is a simple notification about the incident. The BACS reporting form specifies the type of attack; in addition, the BACS requires information about the affected systems and their criticality. A detailed list of questions can be found on the BACS website.

Scope of the reporting obligation

It is important to note that the reporting obligation does not apply exclusively to the electricity and gas sector. A comprehensive list of the entities concerned can be found in Art. 74b of the Federal Act on Information Security in the Confederation (ISG). Art. 12 of the Ordinance on Cyber Security (CSV) defines exceptions to the reporting obligation. In the electricity sector, the reporting obligation applies only to organizations with protection level A or B. In the gas sector, an organization is subject to the reporting obligation if it transports more than 400 gigawatt hours per year.

Incident response plan as the key to compliance with the reporting obligation

To effectively comply with the BACS reporting obligation, it is essential to develop and document an incident response plan (cyber security process). This plan should define clear responsibilities and procedures in the event of a cyber incident.

The plan should specify which internal (management, communications department, data protection officer, etc.) and external (FDPIC, BACS, customers, suppliers, service providers, etc.) bodies are to be informed in the event of an incident.

In addition to the incident response plan, employees should be informed of whom they can report cyber incidents to.

Conclusion

The increasing regulatory requirements in the area of cyber security require the electricity and gas industry to take a proactive and structured approach. The consistent implementation of the ICT minimum standard and the establishment of a well thought-out incident response plan are decisive steps in meeting the new legal obligations. Strategic planning, the involvement of experts and the continuous review of the measures taken are crucial to success.

This article originally appeared in bauRUNDSCHAU 02/25.

About the author

Stefan Heller
Senior Security Consultant
MAS Information & Cyber Security HSLU
ISO/IEC 27001 Lead Implementer

My roots lie in compliance and risk management, but I have been fascinated by information security from the very beginning. My focus is on ISMS (information security management systems), employee awareness and BCM (business continuity management). I support companies in achieving ISO/IEC 27001 certification efficiently. When carrying out assessments, I value a pragmatic and appropriate approach that always focuses on the customer.

