Cybersecurity compliance in Europe’s renewable energy sector: navigating regulations including NIS2

NIS2 & IEC62443 cybersecurity rules and GPM compliance

An overview of NIS2 and IEC62443 regulations and the measures implemented by GreenPowerMonitor, a DNV company (GPM), to comply

Cyberattacks on the renewable energy sector are a real threat that can disrupt supply and compromise network security. An attack can affect monitoring systems, smart grids and meters, potentially leading to cascading failures or worse. 

Among the most severe are network attacks, such as DoS (denial of service), infrastructure attacks, which can affect power generation, or information theft attacks that can directly affect a company’s reputation. 

These threats also play out in conflicts that can destabilize supply chains, intensify cyberattacks in times of crisis (such as a political crisis) and generate competition for control of critical infrastructure and technologies.

According to DNV Cyber’s report Energy Cyber Priority 2025: Addressing evolving risk, enabling transformation, the energy industry is taking cyber threats seriously, and 65% of energy professionals say their leadership sees cybersecurity as a top risk to their business. The industry is making progress; however, challenges remain as threat actors become more sophisticated.

This article explores the European NIS2 and IEC62443 regulations on cybersecurity, including the obligations and measures to be adopted. We then detail how GreenPowerMonitor, a DNV company (GPM), complies with these regulations. Our goal is to offer a clear overview of the cybersecurity requirements influencing the renewable energy sector across Europe.

The challenges facing companies in the renewable energy sector: implementation of NIS2 

For all the reasons mentioned above, the European Union created the NIS2 Directive in December 2020, as an update to the original (NIS) directive of 2016, with the aim of strengthening cybersecurity throughout the EU by harmonizing standards and expanding the number of entities covered, including the energy sector.  

Although all EU Member States were required to transpose the directive into their national legislation by 17 October 2024, several countries have yet to incorporate it into their legal frameworks. The obligations imposed under this directive are as follows: 

1) Risk management measures: following the PDCA Cycle (Plan-Do-Check-Act), companies can use the Plan phase to assess cybersecurity risk management and plan security measures, the Do phase to implement them, the Check phase to monitor performance, and the Act phase to take corrective action and standardize improvements. 

2) Incident reporting: when an incident occurs, an early warning must be communicated within 24 hours; an incident report must be prepared within 72 hours; finally, a final incident report must be submitted within one month. 

3) Supervision: supervisory authorities oversee compliance through audits, inspections or requests for evidence and documentation.

The penalties imposed under this directive are as follows: €10 million or 2% of annual turnover. These penalties target essential entities that do not comply with the obligations and are imposed by the ministries involved in the regulation (Defense, Interior or Digital Transformation).

The measures proposed by the Directive to be adopted by essential entities are: 

  • Secure design of IT/OT networks: applying the ‘Zero Trust’ principle. 
  • Digital surveillance: recognizing the potential threats facing the entity prior to an attack. 
  • Security patch management: periodic vulnerability scans of systems must be performed, and these must be kept up to date. 
  • Monitoring events and networks, and managing alerts when patterns are detected that may put systems or infrastructure at risk.
  • Access control through physical and digital security (with a robust user management policy). 
  • Penetration testing to strengthen system defenses or adopt new defense systems if necessary. 
  • Incident response with the aim of minimizing the impact of the attack. 
  • Ongoing staff training in cybersecurity with the aim of preventing social engineering attacks. 
  • National and international regulatory compliance and strengthening the company’s reputation. 

This directive is in line with other regulations such as IEC 62443, a series of international standards for the cybersecurity of Industrial Automation and Control Systems (IACS). It establishes a reference framework to protect OT (operational technology) systems and the various actors (manufacturers, integrators, and end users) against cyber threats. It provides security requirements and guidelines to protect critical infrastructure in sectors such as manufacturing, energy and transport, from conception to the end of the system’s life cycle. 

Measures adopted by GPM to comply with the NIS2 directive

At GPM we are fully aware of our commitment to this directive and have adopted measures and controls in order to comply with it.

One of the most relevant aspects of our cybersecurity offering is the tiered security model we provide to customers. Depending on the size, complexity, and criticality of their network, different levels of protection can be implemented. GPM offers five distinct tiers of security solutions, ranging from basic to advanced, designed to meet the specific needs and budgets of each customer. 

To address diverse requirements, GPM presents a spectrum of security tiers, accommodating varying network scales, complexities, and risk profiles. From the foundational Tier 0 to the sophisticated Tier 4, each tier represents a tailored approach that balances protective measures with resource considerations. 

GPM’s security tier overview 

  • Tier 0 – Basic Security Level 
    • Includes two redundant firewalls to control external access. 
  • Tier 1 – Enhanced Network Segmentation 
    • Adds functionalities for DMZ and OT zones, centralized patch management (WSUS), antimalware console, jump server for remote connections, and a SIEM system. 
  • Tier 2 – Advanced Monitoring and Backup
    • Includes all Tier 1 features, plus an Intrusion Detection System (IDS) and NAS storage for system backups. 
  • Tier 3 – Physical Isolation for OT
    • Adds two additional firewalls to physically isolate the OT zone from external connections. 
  • Tier 4 – Full Redundancy and Resilience
    • Provides redundancy for DMZ services, including centralized patch management (WSUS), antimalware console, and jump server. 

A deep dive into GPM’s security tiers 

By isolating the OT zone from external connections and implementing DMZ zone services, GPM enhances the protection of OT assets against external threats. Jump servers enable GPM to securely monitor and control remote access, using IPsec VPN and two-factor authentication (2FA) to ensure secure connections. 

The Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) tools allow GPM to detect anomalies and vulnerabilities across the network and systems. These tools help reduce incident response time and support compliance with log retention policies. 

The Network-Attached Storage (NAS) solution strengthens GPM’s backup strategy, improving both the Disaster Recovery Plan (DRP) and the Business Continuity Plan (BCP). By significantly reducing Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), NAS ensures faster and more reliable recovery in the event of a disruption. 

GPM’s work with DNV Cyber 

At GPM we are collaborating with DNV Cyber to identify gaps in compliance with various security directives by auditing our assets. You can read the recent Energy Cyber Priority 2025 report to find out more about DNV Cyber and their latest research. We are also creating joint workflows to open up new opportunities for both parties.

This ensures we comply with the NIS2 directive, providing a guaranteed service to our customers, covering all recommended points and applying the best practices. 

For more details, please request and consult our on-site security policy document. 

The impact of investing in cybersecurity and complying with the NIS2 directive 

The renewable energy sector faces significant cyber threats that can disrupt operations, compromise data, and damage reputations. In response, European regulations such as the NIS2 Directive and IEC 62443 standards provide stringent cybersecurity requirements to protect critical infrastructure and operational technology within the sector. 

GPM has implemented comprehensive measures, including secure network design, redundancy (the practice of building backup systems), data backup, access control, incident response, and ongoing staff training to meet these regulatory obligations. 

By aligning with these frameworks, GPM ensures resilience against evolving cyber threats and supports the secure energy transition in Europe, emphasizing the importance of regulatory compliance and proactive security management in safeguarding renewable energy systems. 

Do you want to meet us and talk to our renewable energy experts? 

For more information about the NIS2 directive or IEC 62443 standards and the technical solutions that GPM applies to comply with these regulations, fill in the form to request a meeting with our renewable energy experts, who will be available to answer questions, provide demonstrations, and offer insights into best practices.


Author: Alvaro Moreno