
NIS 2 Directive: What operators of wind farms and wind turbines need to know now

25.05.2025

An informative overview for market participants in the German wind industry such as operating companies, service providers and energy suppliers. With the NIS 2 Directive (EU) 2022/2555 on "Strengthening cybersecurity in the Union", the EU is pursuing the goal of significantly increasing the resilience of critical infrastructures against cyber threats. The directive replaces the previous NIS Directive of 2016 and must be transposed into national law by October 2024 – in Germany through the so-called NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG).

This article sheds light on who is affected in the wind industry, which sectors and facilities fall within the scope and what requirements arise from the Directive. In doing so, we draw heavily on the statement of the German Wind Energy Association (BWE) of July 2024 on the draft bill of the BMI.

1. Who is affected by the NIS 2 Directive?

The Directive applies to all companies that provide critical services in specific sectors and have a specific company size. In particular, the following are crucial:

  • Sector affiliation (such as power generation)
  • Size of the company (e.g. number of employees, annual turnover, balance sheet total)
  • Importance of the institution (classified as "important" or "particularly important" institution)

Classification of companies

The German Implementation Act distinguishes:

  • "Particularly important facilities": great importance for the security of supply and IT criticality.
  • "Important institutions": less critical, but still relevant for social functions.

Wind energy companies are covered by the law if one of the following applies:

  • Operators of power generation plants (§ 3 no. 18d EnWG),
  • Services for such operators (e.g. SCADA systems, operational management),
  • IT-based processes with external access (e.g. remote control, data transmission).

Special challenge for operating companies

In the wind industry, it is common for wind farms to be spun off into independent companies (e.g. GmbH & Co. KG). These companies alone are usually not covered by the regulation, as they are too small. However, § 28 of the draft law provides that, in the case of affiliated companies, the number of employees and sales can be attributed to the parent company on a pro rata basis – provided that there is no independence.

In practice, however, these subsidiaries are often completely dependent on the parent company's IT systems, resulting in – even if they themselves have no control over IT.


2. Which sectors are affected?

The NIS 2 Directive applies to institutions from 18 sectors, divided into two categories:

2.1 Sectors with high criticality ("particularly important institutions")

These include, among others:

  • Energy (electricity, including power generation, transmission and distribution)
  • Digital infrastructure
  • Transport
  • Finance and Insurance

2.2 Other critical sectors ('key entities')

These include:

  • Manufacture of components for energy technology
  • Waste management
  • Postal and courier services
  • Chemicals, Food, Healthcare

Relevant for the wind industry:

  • Operators of power generation plants
  • IT service providers in the field of SCADA systems, condition monitoring, operations management software
  • Companies with access to remote control of plants

3. What are the requirements?

3.1 Technical and organizational measures

Affected companies must implement risk management measures in accordance with Section 30 of the draft law. These include:

  • Concepts for risk assessment and IT security
  • Ensuring business continuity (e.g. backups, contingency plans)
  • Access and access controls
  • Employee training and personnel verification
  • Security incident management

Special feature for the wind industry: operators who carry out tasks at the external operators or IT service providers, the implementation of these measures.

3.2 Cybersecurity Certification

Section 30 (6) of the draft law provides for an obligation to certify ICT products, services and processes, based on European schemes in accordance with Article 49 of Regulation (EU) 2019/881. This obligation concerns:

  • Products such as wind farm controllers, SCADA systems
  • Operations management software
  • Remote access solutions

Currently, the concrete regulations and schedules are still missing, which is why uncertainty is high among companies. The BWE calls for early clarity so that companies can start implementing.

3.3 Reporting obligations

Facilities must report security incidents within defined deadlines:

  • Within 24 hours: Early warning
  • Within 72 hours: detailed report
  • Within 30 days: Final report

These obligations apply only to the "affected".


4. Practical challenges for the wind industry

Unclear demarcation of who is affected

The BWE's central criticism concerns the unclear definition of "independence". If an operating company does not have its own IT systems, but is formally covered by the law, implementation is hardly realistic. The BWE therefore demands:

  • A differentiated view of subsidiaries
  • No obligation for companies without de facto influence on IT security
  • Clear demarcation between operators and IT managers

Interface to the Net Zero Industry Act

In the context of the Net Zero Industry Act (NZIA), cybersecurity will also be used as a prequalification criterion for tenders. Therefore, the BWE proposes that the NIS 2 Implementation Act to the requirements of the NZIA. Goal: Tenders should only be given to providers who use secure IT systems – and on an EU-based basis.


5. Deadlines and transitional provisions

  • Companies that are subject to the new regulations must prove that the requirements are met within 3 years of entry into force.
  • The deadline replaces earlier, stricter requirements (e.g. every two years).
  • It is still open whether and how transitional periods for certification obligations.

6. What to do now?

Recommended actions for entrants:

  • Make a self-assessment: Does your company fall under the NIS-2 categories?
  • Analyze IT risks: Which systems are critical? Which one accesses?
  • Check contracts: Can service providers ensure compliance with the requirements?
  • Establish employee training: Raising awareness of cybersecurity is mandatory.
  • Seek contact with associations: Stay connected via the BWE or other trade associations, which inform about future regulations.

Conclusion

The NIS 2 Directive introduces a new dimension in the cybersecurity of the wind industry. Many operators, service providers and management companies are, directly or indirectly, affected. Particularly critical: the current uncertainty about who exactly is affected as well as the practical implementation possibilities for subsidiaries without their own IT access.

This makes it all the more important to deal with the new requirements at an early stage, review processes and prepare for certification and reporting obligations in good time. Legislators have a duty to provide clarity, but companies must also act now.