Hard2bit
Energy · NIS2 highly critical · PIC · IEC 62443 Electricity · Gas · Oil · Water · Renewables · IT/OT

Cybersecurity for energy and utilities — NIS2 highly critical sector, IT/OT boundary with IEC 62443 judgement

For power generation, transmission and distribution, retailers, gas, oil and refining, water, renewables and IT/OT suppliers to the energy sector. We deliver demonstrable value across the IT layer (NIS2, ENS, ISO 27001/27019, M365, IAM, SOC/MDR, 24/7 retainer) and at the IT/OT boundary with IEC 62443 judgement. For pure OT depth we work with specialist partners — we don't over-claim experience we don't have.

ENS HIGH category seal (RD 311/2022): useful for public-sector ties and IT suppliers. ENS HIGH category + 5 in-house ISO certifications · cert. ENS_2.026.061
  • NIS2 highly critical sector
  • IT/OT boundary with IEC 62443
  • NIS2 deadlines covered by 24/7 retainer
  • PIC + ENS reusing evidence

Subsectors

9 covered · electricity + gas + water + renewables

Operational focus

IT layer · IT/OT boundary · 24/7 SOC

Regulatory framework

NIS2 · PIC · NCCS · IEC 62443 · ISO 27019

Verifiable qualifications

ENS HIGH certification + five ISO certifications — operational credibility for a highly critical sector

Hard2bit is certified to ENS HIGH category (RD 311/2022) and to ISO/IEC 27001:2022, with five in-house ISO certifications (27001, 22301, 20000-1, 9001, 14001). For energy operators with public-sector ties (public-private utilities, municipal concession holders, regional infrastructure) and for IT suppliers with public-sector contracts in energy, this combination simplifies onboarding as a critical supplier and streamlines regulatory due diligence.

ENS HIGH category certification per RD 311/2022 — certificate no. ENS_2.026.061
  • ENS category: HIGH
  • ISO/IEC 27001:2022 certification
  • ENS certificate no.: ENS_2.026.061
  • ENS certification body: ACCM · ENAC 48/C-PR503
  • In-house certifications: 5 ISO + ENS HIGH + Innovative SME

Executive summary

What this page covers

For CISOs, IT directors, operations directors and PIC officers in the energy sector.

Sector context

Why energy and utilities call for an integrated IT/OT approach with 24/7 response coverage

Energy is one of the most critical sectors of the economy and, under NIS2, it is classified as a HIGHLY critical sector (Annex I): electricity, gas, hydrogen, oil, district heating and cooling. Criticality translates into short notification deadlines, a high sanctions regime and maximum requirements for security governance, supply-chain management and mandatory training of leadership.

On top of that regulatory bar, two very different technical realities coexist. The corporate IT layer (control room, engineering, maintenance, commercial, billing) follows modern patterns: M365, Entra ID, ERP, cloud platforms, massive connectivity. The OT layer (SCADA, DCS, telecontrol, telemanagement, RTUs, PLCs, inverters, wind turbines) has long-lifecycle assets (15–25 years), industrial protocols (IEC 61850, Modbus, DNP3, IEC 60870-5-104) and historical connectivity designed for an air-gap that no longer exists.

Hard2bit delivers demonstrable value on the IT layer (NIS2 on its IT layer, ENS, ISO 27001/27019, M365, IAM, 24/7 SOC/MDR, DFIR retainer) and on the design of the IT/OT boundary with IEC 62443 judgement: zones and conduits, governance of vendor and maintainer accesses, auditable segmentation. For pure OT depth (ICS forensics, industrial-protocol retrofits, IEC 62443 component-level certification) we work with specialist partners — we don't over-claim experience we don't have. Transparency about where we deliver demonstrable value and where we lean on a specialist partner is the basis of the conversation with the client.

Audience

Subsectors covered within energy and utilities

Power generation, transmission and distribution, retailers, gas, oil and refining, water and sanitation, renewables and IT/OT suppliers to the sector. We adapt the service to the operator type, its PIC designation where applicable and its NIS2 classification (essential vs important entity).

Power generation

Thermal generation plants (combined cycle, cogeneration), nuclear, hydro and pumped storage, biomass plants. Distributed control systems (DCS), SCADA, plant historians and connectivity with the system operator. Highly critical sector under NIS2 and, where applicable, Spanish PIC designation under Law 8/2011.

Electricity transmission (TSO)

Transmission system operators of the peninsular, Balearic and Canary grids. Very-high-voltage substations, control centres, protection systems and IEC 61850 communications. Common PIC designation and maximum NIS2 obligations.

Electricity distribution (DSO)

Low, medium and high-voltage distribution operators: Iberdrola, Endesa, Naturgy, EDP, Viesgo and the rest of the Spanish landscape. Smart meters, metering systems, distribution-grid management platforms. Massive IT/OT coexistence across thousands of substations and transformer centres.

Electricity and gas retailers

Reference retailers (COR) and free-market retailers, demand aggregators, portfolio managers. Billing platforms, customer portals, integration with OMIE and MIBGAS, large-scale consumption data. Overlaps with the financial sector (portfolio management, market risk).

Natural gas — transmission, distribution and storage

Gas system operator, transmission operators, distributors, underground storage, regasification plants. Gas SCADA, telecontrol of regulation and metering stations. Highly critical sector under NIS2 and PIC designation on key assets.

Oil and refining — refining, distribution, fuel stations

Refineries, pipelines, strategic storage, logistics distribution and fuel-station networks. Plant control systems, loading terminals, pipeline telemetry and commercial platforms for the retail network.

Water and sanitation

Drinking-water supply, municipal and supra-municipal distribution networks, wastewater treatment, irrigation. Concession holders and public-private utilities tied to municipalities, joint authorities or river basin authorities. NIS2 where applicable by scale and, in many cases, ENS through public-sector contracts.

Renewables — wind, solar, biomass

Owners and operators of wind and PV portfolios, distributed-generation aggregators, biomass plants. Plant SCADA across thousands of inverters or wind turbines, telemanagement systems, integration with the system operator and market. Explosive growth of the attack surface driven by distributed-asset scale.

IT and OT suppliers to the energy sector

OT/ICS integrators, SCADA vendors and maintainers, telecontrol providers, IEC 61850 specialists, RTU and remote-terminal vendors. NIS2 may apply through the criticality of their role in the supply chain, on top of contractual requirements from the end client.

Regulatory framework

Regulation applicable to energy and utilities

NIS2 (highly critical sector), Spanish Law 8/2011 PIC for designated operators, European network codes (NCCS) for electricity, IEC 62443 and IEC 61850 as the technical reference for the OT layer, ENS for public-sector ties and ISO 27001/27019 as a certifiable IT framework with energy-specific extension.

NIS2 — Directive (EU) 2022/2555 + Spanish Law 11/2022

Energy is a HIGHLY CRITICAL sector under NIS2 (Annex I): electricity, district heating and cooling, oil, gas, hydrogen. Maximum obligations: security governance, short-deadline incident notification, supply-chain controls, training, cryptography, continuity. The Spanish transposition through Law 11/2022 and Royal Decree 43/2021 specifies competent authorities and the sanctions regime.

Law 8/2011 + Royal Decree 704/2011 — Spanish critical infrastructure (PIC)

Designation of critical operator and critical infrastructure by the Spanish CNPIC. Operator Security Plan (PSO), Specific Protection Plan (PPE) per facility, designation of Security and Liaison Officer, exercises and notification. Applies to designated operators in electricity, gas, oil and drinking water.

European network codes — NCCS (EU) 2024/1366

Delegated Regulation establishing the Network Code on Sector-specific Cybersecurity for cross-border electricity flows. Common framework for European electricity operators: risk management, information security, supplier requirements and impact-assessment processes for digital systems in the electricity sector.

IEC 62443 — cybersecurity of industrial control systems

IEC 62443 family (62443-2-1, 62443-3-3, 62443-4-1, 62443-4-2) for industrial automation and control systems. Zones and conduits, security levels SL-1 to SL-4, certification of products and vendor processes. Technical reference for the IT/OT boundary and for OT supplier audits.

IEC 61850 — substation communications

International standard for communications in electrical substations (GOOSE, MMS, Sampled Values). It is not a security standard, but defines the language on which the protection and control systems operate — the systems we must protect on the OT side of electricity networks.

ENS — Spanish RD 311/2022 (operators with public-sector ties)

Applies to public-private utilities, concession holders and operators with public-sector contracts (typical in municipal water, street lighting, regional infrastructure). Also to IT suppliers with systems in scope of the public client. Coexists with NIS2 — most evidence is reusable across both.

ISO/IEC 27001 + ISO 27019

ISO 27001 as the baseline ISMS. ISO 27019 is the specific extension for the energy industry: it adds controls for process control systems, telecontrol, dispatch and operation of electrical installations. A common combination for operators that want a certifiable IT framework with sector-specific operational guidance.

Sector-specific framework (electricity, gas, water)

Spanish Electricity Sector Law (Law 24/2013), Hydrocarbons Law (Law 34/1998), water laws (RD-L 11/1995 and Law 9/2018), regional and municipal ordinances. They define actors, functions, supervision schemes and continuity-of-supply obligations that translate into operational security requirements.

Applicable Hard2bit services

Core services for energy operators and utilities

Ten services from Hard2bit's catalogue ordered with the right focus: NIS2, ENS, ISO 27001/27019 and the IT layer first, followed by SOC, DFIR retainer and continuity. For pure OT depth, specialist partners.

NIS2 adequacy (highly critical sector)

End-to-end landing of the NIS2 framework for energy operators: governance and policies, risk management, Annex controls, supplier and supply-chain management, mandatory training for management, incident notification within legal deadlines and continuity procedures. Built on top of the IT layer — the IT/OT boundary is handled with IEC 62443 judgement and, where pure OT depth is required, with specialist partners.

NIS2 service →

ENS compliance for operators with public-sector ties

Adequacy to RD 311/2022 for public-private utilities, concession holders and energy-sector IT suppliers with public contracts (typical in municipal water and street lighting). DICAT categorisation, gap analysis, plan, evidence and accompaniment during the audit performed by the ENAC-accredited certification body.

ENS service →

ISO 27001 implementation + ISO 27019 extension

ISO 27001 as a certifiable ISMS, with the ISO 27019 extension when the operator wants a sector-specific framework for the energy industry. A good vehicle to build the operator's IT baseline before facing the depth of NIS2 and, where applicable, the European network codes.

ISO 27001 →

Infrastructure audit, IT/OT boundary and segmentation

Technical review of corporate network, IT/OT boundary, zones and conduits in the IEC 62443 sense, segmentation between operations network, maintenance network, vendor network and corporate network. Server and platform hardening. The IT layer and the boundary are our direct perimeter; pure OT is addressed with specialist partners when depth is needed.

Infrastructure & network audit →

Microsoft 365 Security and corporate identity

Hardening of M365 / Entra ID tenant and identity governance for corporate staff (control room, engineering, maintenance, commercial). The usual entry point for recent sector incidents — ransomware in energy operators tends to enter through here, not through SCADA.

Microsoft 365 Security →

IAM, privilege governance and cloud posture

Identities, privileges, accesses for vendors and external maintainers, service-account management, posture across Azure / AWS / GCP when telemanagement, historians or analytics infrastructure runs in cloud. Priority on privileged accounts with access to SCADA or to operational platforms.

IAM & cloud posture →

Vulnerability management with operational judgement

Operational vulnerability lifecycle adapted to the sector's pace: change windows coordinated with planned plant outages, priorities on critical dispatch assets, prior validation on a mirror environment when possible and traceability for NIS2 audits and, where applicable, PIC supervision.

Vulnerability management →

24/7 SOC/MDR with sector-specific use cases

Detection, investigation and response 24/7. Prioritised use cases: ransomware precursors on the corporate network, abuse of maintenance VPN credentials, anomalous behaviour at the IT/OT boundary, pivot attempts to telemanagement platforms and exfiltration of large-scale consumption data at retailers.

Managed SOC/MDR →

24/7 incident-response retainer

24/7 contract with activation in minutes and prior readiness onboarding. Designed for operators where a security incident may translate into a preventive plant or service shutdown. NIS2 notification deadlines are honoured from minute one thanks to the prior onboarding.

24/7 IR retainer →

Continuity and operational resilience

BIA focused on the operator's critical services (dispatch, telecontrol, billing, customer service in crisis), realistic RTO/RPO validated with the business, continuity plans for incidents, tabletop exercises with leadership and drills against degraded scenarios. ISO 22301 as the applicable framework.

Business continuity →

Hard2bit methodology

How we work with energy operators

Six phases adapted to the energy operator's rhythm: regulatory criticality, change windows coordinated with planned outages and NIS2 deadlines covered from minute one through a 24/7 retainer.

  1. Sector diagnosis and regulatory scope

     We identify the operator type (generator, TSO, DSO, retailer, gas operator, oil operator, water utility, renewables, IT/OT supplier), its scale, its PIC designation where applicable, and we map the obligations under NIS2, PIC, ENS, ISO 27001/27019 and European network codes.

  2. IT/OT map and boundary

     Inventory of the IT layer, the IT/OT boundary and the operational platforms (SCADA, DCS, historians, telemanagement). Hard2bit covers the IT layer and the boundary in depth with IEC 62443 judgement; when scope demands pure OT depth, we deliver with specialist partners without over-claiming experience we don't have.

  3. Multi-framework plan with reusable evidence

     Plan design that reuses evidence across NIS2, ENS (where applicable), ISO 27001/27019 and, where applicable, NCCS and PIC obligations. The goal is no duplicated work: a single technical and governance picture that answers multiple audits and supervisors.

  4. Implementation aligned to the operational calendar

     Technical landing respecting the operator's calendar: planned outages, change windows coordinated with operations, validation on mirror environments when possible, coordination with vendors and external maintainers, and tracking of changes under management.

  5. Audit and supervisor accompaniment

     Accompaniment during NIS2 audits (national competent authority), ENS (ENAC-accredited certification body), ISO 27001/27019 (certification body) and, where applicable, PIC supervision by the Spanish CNPIC. Periodic reporting to the CISO, IT director, operations director and security committee.

  6. Ongoing operation and incident response

     Ongoing operation (SOC/MDR, vulnerability management, continuous hardening, identity governance), 24/7 DFIR retainer with NIS2 deadlines covered from minute one, and continuous improvement based on lessons learned and sector-specific indicators.

Why Hard2bit in energy

Honest differentiation — clear about where we deliver demonstrable value

Real capability across the IT layer and IT/OT boundary — honesty about pure OT

Hard2bit delivers demonstrable value on the IT layer (SOC/MDR, vulnerability management, M365, IAM, ENS, ISO 27001, NIS2 on its IT layer) and at the IT/OT boundary with IEC 62443 judgement. For pure OT depth (ICS forensics, industrial-protocol retrofits, IEC 62443 component-level certification) we work with specialist partners — we don't over-claim experience where we don't have it.

ENS HIGH certification + 5 ISOs — useful for public-sector ties

Hard2bit is certified to ENS HIGH category (cert. ENS_2.026.061, ACCM under ENAC 48/C-PR503) and to five ISOs (27001, 22301, 20000-1, 9001, 14001). For public-private utilities, municipal concession holders and IT suppliers with public-sector contracts in energy, this combination simplifies regulatory due diligence.

Compliance + technical + DFIR for a highly critical sector

Energy under NIS2 is a HIGHLY critical sector, with short notification deadlines and a high sanctions regime. The combined capability of compliance (NIS2, ENS, ISO 27001/27019, PIC), recurring technical work (24/7 SOC/MDR, vulnerability management, identity hardening) and incident response (24/7 retainer) covers the full lifecycle.

Representative scenario

Scenario · national renewables group with a distributed portfolio of solar and wind plants reinforcing the IT layer and the IT/OT boundary ahead of the NIS2 audit

A Spanish renewables group with a distributed portfolio of several dozen solar and wind plants was facing its first NIS2 audit with an architecture inherited from mergers: plant telemanagement consolidated on a corporate platform but with vendor maintenance connections without clear governance, an inherited M365 tenant configuration, management of operator and external-maintainer VPN credentials outside the corporate directory, and absence of zones and conduits in the IEC 62443 sense between the operations network and the corporate network. The project was organised across five parallel fronts over six months: NIS2 governance with policies, mandatory training of management and incident-notification procedure; redesign of zones and conduits at the IT/OT boundary with auditable ACLs and consolidation of maintenance accesses behind a centralised broker; M365 / Entra ID hardening and identity governance; deployment of 24/7 SOC/MDR with sector-specific use cases over the IT layer and boundary logs; and onboarding of a 24/7 DFIR retainer with readiness over the new architecture. The audit was approached with a plan, evidence and traceability, and recurring operations cover NIS2 deadlines from minute one.

Frequently asked questions

FAQ — cybersecurity in energy and utilities

Direct answers to the questions we receive most often from CISOs, IT directors, operations directors, PIC officers and compliance leads in the energy sector.

What NIS2 level applies to my energy company?

Energy is classified as a HIGHLY critical sector in Annex I of NIS2: electricity, district heating and cooling, oil, gas and hydrogen. The specific qualification as essential or important entity depends on size and role; large operators are essential entities with maximum obligations. The Spanish transposition through Law 11/2022 and Royal Decree 43/2021 specifies competent authorities and the sanctions regime. We validate it in the initial diagnosis.

How do NIS2 and the Spanish PIC designation under Law 8/2011 relate?

They coexist. The Spanish CNPIC's PIC designation is a prior, specific regime that designates the operator and its critical infrastructure, requires an Operator Security Plan (PSO) and Specific Protection Plans (PPE) per facility, and appoints a Security and Liaison Officer. NIS2 is a broader European cybersecurity framework. An operator may fall under both. The right approach is to design a single technical and governance picture that answers both regimes with reusable evidence.

Do you work with pure OT/ICS?

Hard2bit brings judgement to the IT layer and to the IT/OT boundary with IEC 62443 in mind: zones and conduits, segmentation, governance of vendor and maintainer accesses, monitoring at the boundary. For pure OT depth (ICS forensics, industrial-protocol retrofits, IEC 62443 component-level certification) we work with specialist partners without over-claiming experience we don't have. Transparency about where we deliver demonstrable value and where we lean on a specialist partner is the basis of the conversation with the client.

What technical reference do you use for the IT/OT boundary?

IEC 62443. The 62443-2-1 (policies), 62443-3-3 (system requirements), 62443-4-1 (vendor development process) and 62443-4-2 (component requirements) family defines zones and conduits, security levels and vendor obligations. For electrical substations and operations communications, IEC 61850 defines the language (GOOSE, MMS, Sampled Values) that the protection and control systems speak — the systems that need to be segmented and protected.

How do you govern vendor and maintainer access to critical systems?

With a centralised broker, not separate VPNs and loose credentials. The recommended practice is to consolidate all remote accesses by vendors and external maintainers through a broker that records every session, requires MFA, restricts to specific destinations within an agreed window and leaves audit-grade traceability. On top of that, contractual governance: security clauses in tenders, supplier incident-notification obligation and IEC 62443 requirements where they apply to the product.
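The broker checks described above (MFA, destination allowlist, agreed window, audit-grade trail) as an added, runnable illustration; this is not Hard2bit's code or any real broker product. The vendor names, hostnames and maintenance windows are constructed sample data, and the policy dictionary shape is an assumption made for the example.

```python
"""Deny-by-default policy check for vendor / maintainer remote sessions
through a centralised access broker (added example, not Hard2bit's code).

Every decision, granted or denied, is appended to an audit trail in the
JSON-lines form a SIEM would ingest. All names, hosts and windows below are
constructed sample data; the ACCESS_POLICY shape is an assumption."""
from dataclasses import dataclass
from datetime import datetime
import json

# Constructed policy: one entry per vendor contract. Windows are ISO-8601
# with offset, end exclusive. Destinations are the only hosts the broker
# will forward that vendor to.
ACCESS_POLICY = {
    "turbine-vendor": {
        "destinations": {"scada-eng-01.ot.example", "historian-01.ot.example"},
        "windows": [("2026-05-04T06:00:00+00:00", "2026-05-04T12:00:00+00:00")],
    },
    "inverter-maintainer": {
        "destinations": {"pv-telemgmt.ot.example"},
        "windows": [("2026-05-05T22:00:00+00:00", "2026-05-06T02:00:00+00:00")],
    },
}


@dataclass
class AccessRequest:
    vendor: str
    user: str
    destination: str
    mfa_verified: bool
    requested_at: str  # ISO-8601 timestamp with offset, e.g. "...+00:00"


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list = []  # one record per decision, in evaluation order


def in_window(vendor_policy: dict, when: datetime) -> bool:
    """True if `when` falls inside any agreed maintenance window."""
    return any(
        datetime.fromisoformat(start) <= when < datetime.fromisoformat(end)
        for start, end in vendor_policy["windows"]
    )


def evaluate(request: AccessRequest, policy: dict = ACCESS_POLICY) -> Decision:
    """Ordered checks: vendor known -> MFA -> destination -> window.
    The first failing check is the recorded reason; nothing is implied."""
    when = datetime.fromisoformat(request.requested_at)
    vendor_policy = policy.get(request.vendor)
    if vendor_policy is None:
        decision = Decision(False, "unknown vendor")
    elif not request.mfa_verified:
        decision = Decision(False, "mfa not verified")
    elif request.destination not in vendor_policy["destinations"]:
        decision = Decision(False, "destination not in allowlist")
    elif not in_window(vendor_policy, when):
        decision = Decision(False, "outside agreed maintenance window")
    else:
        decision = Decision(True, "granted")
    AUDIT_LOG.append({
        "ts": request.requested_at, "vendor": request.vendor,
        "user": request.user, "destination": request.destination,
        "mfa": request.mfa_verified, "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def audit_jsonl() -> str:
    """Audit trail as JSON lines (one decision per line)."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in AUDIT_LOG)


if __name__ == "__main__":
    req = AccessRequest("turbine-vendor", "j.smith", "scada-eng-01.ot.example",
                        True, "2026-05-04T08:30:00+00:00")
    print(evaluate(req))
    print(audit_jsonl())
```

The checks are ordered so that the recorded reason is the first control that failed; a denial is logged with the same fields as a grant, which is what makes the trail usable in an audit rather than only in an investigation.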

What is the NIS2 incident-notification timeline?

NIS2 sets initial notification to the national CSIRT within a short window from detection (typically 24 hours for the early warning), incident notification with details within 72 hours, and a final report with root cause and measures within a later deadline. Exact deadlines are set by the national transposition. The 24/7 DFIR retainer covers those deadlines from minute one thanks to prior onboarding and CSIRT coordination.

Does ENS apply to a public-private water utility or concession holder?

Yes, for the part of the system or service contracted with the corresponding municipality, joint authority or river basin authority. ENS applies to the public sector and to its IT suppliers with in-scope systems. It coexists with NIS2 and, where designated, with PIC. A good implementation reuses evidence across the three frameworks. We explain it in the framework comparison.

How do distributed renewables and the cloud fit in?

Renewables have led to operators with thousands of PV inverters or wind turbines across distributed plants, telemanagement consolidated on modern platforms and a much larger attack surface. The strategy combines hardening of the telemanagement platform, identity governance for operations staff and vendors, SOC monitoring over platform logs and posture across the cloud when there is infrastructure on Azure/AWS/GCP.

Do you offer 24/7 SOC with sector-specific use cases?

Yes. The 24/7 SOC/MDR includes prioritised use cases for the sector: ransomware precursors on the corporate network, abuse of maintenance VPN credentials, anomalous behaviour at the IT/OT boundary, pivot attempts to telemanagement platforms and exfiltration of large-scale consumption data. Pure OT logs are integrated when the operator requires it and, in projects with ICS-forensic depth, with specialist partners.
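Two of the sector use cases named in the services section and in this answer, abuse of maintenance VPN credentials and anomalous behaviour at the boundary, as detection logic run over constructed log lines. This is an added example, not Hard2bit's SOC content or any product's rule set; the VPN gateway log format and the account names are assumptions made for the example.

```python
"""Detection rules for abuse of maintenance VPN credentials (added example,
not Hard2bit's SOC content). Runs over constructed gateway log lines.

Assumed log shape: "<ISO ts>Z vpn <login_ok|login_failed> account=<a> src=<ip>".
Rule 1: N or more failures for one account followed by a success inside a
        short window (credential guessing that eventually worked).
Rule 2: the same maintenance account succeeds from two different source
        addresses inside a short window (shared or stolen credential)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: documentation-range addresses, invented accounts.
SAMPLE_LOG = """\
2026-05-04T01:02:10Z vpn login_failed account=mnt-turbine src=203.0.113.10
2026-05-04T01:02:12Z vpn login_failed account=mnt-turbine src=203.0.113.10
2026-05-04T01:02:15Z vpn login_failed account=mnt-turbine src=203.0.113.10
2026-05-04T01:02:17Z vpn login_failed account=mnt-turbine src=203.0.113.10
2026-05-04T01:02:19Z vpn login_failed account=mnt-turbine src=203.0.113.10
2026-05-04T01:02:40Z vpn login_ok account=mnt-turbine src=203.0.113.10
2026-05-04T07:10:00Z vpn login_ok account=mnt-inverter src=198.51.100.7
2026-05-04T07:14:00Z vpn login_ok account=mnt-inverter src=192.0.2.55
2026-05-04T09:00:00Z vpn login_ok account=ops-user src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn (?P<event>login_ok|login_failed) "
    r"account=(?P<acct>\S+) src=(?P<src>\S+)$"
)


def parse(log: str) -> list:
    """Return (timestamp, event, account, source) tuples sorted by time.
    Lines that do not match the assumed format are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["acct"], m["src"]))
    return sorted(events)


def rule_failures_then_success(events, failures=5, window_minutes=5) -> list:
    """Alert when >= `failures` failed logins for an account precede a
    success, all inside `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    alerts, recent = [], defaultdict(list)
    for ts, event, acct, src in events:
        if event == "login_failed":
            recent[acct].append(ts)
            continue
        in_window = [t for t in recent[acct] if ts - t <= window]
        if len(in_window) >= failures:
            alerts.append(("failures_then_success", acct, src, ts))
        recent[acct].clear()  # a success resets the failure run
    return alerts


def rule_concurrent_sources(events, window_minutes=10) -> list:
    """Alert when one account logs in from two distinct sources within
    `window_minutes` of each other."""
    window = timedelta(minutes=window_minutes)
    alerts, last_ok = [], {}
    for ts, event, acct, src in events:
        if event != "login_ok":
            continue
        prev = last_ok.get(acct)
        if prev and prev[1] != src and ts - prev[0] <= window:
            alerts.append(("concurrent_sources", acct, f"{prev[1]}->{src}", ts))
        last_ok[acct] = (ts, src)
    return alerts


def run_detections(log: str) -> list:
    """All rules over one log; alerts are (rule, account, detail, time)."""
    events = parse(log)
    return rule_failures_then_success(events) + rule_concurrent_sources(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Both rules key on the account rather than the source, which is what distinguishes maintenance-credential abuse from ordinary noisy scanning: a maintenance account is expected to log in rarely, from a known contractor, inside a window, so a burst of failures or a second source within minutes is worth an analyst's time even when each individual event looks benign.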

How do you handle the OT supply chain?

With security clauses in tenders (referencing IEC 62443-4-1 and 62443-4-2 where they apply to the product), contractual incident-notification obligation from the supplier, evaluation of default configurations on RTUs, PLCs and inverters before commissioning, governance of firmware updates and SOC monitoring over anomalous behaviour from products of the same vendor. The long lifecycle of OT assets (15–25 years) means the legacy estate must be audited, not just the new roadmap.

Do you cover retailers with overlaps with the financial sector?

Yes. A large retailer has portfolio management and exposure to wholesale markets (OMIE, MIBGAS) that bring it close to the financial sector in several aspects: risk management criteria, controls over market operations, continuity requirements over billing. We design an integrated NIS2 + ISO 27001 + market-controls package, without entering pure financial regulation (DORA applies to financial entities, not to a typical retailer).


Let's talk

Is your energy company facing NIS2, PIC or reinforcing the IT/OT boundary?

A short session to diagnose where the IT layer stands, how robust the IT/OT boundary is, which frameworks apply (NIS2, PIC, ENS, ISO 27001/27019, NCCS) and where to start to reach the next audit with a plan, evidence and recurring operations. Confidential conversation, no commitment.

Page reviewed: 2026-04-29. Hard2bit · Cybersecurity company in Spain since 2013 · ENS HIGH category · ISO 27001 · ISO 22301 · ISO 20000-1 · ISO 9001 · ISO 14001