23 July 2024

Of sandworms and solar plants

Energy companies face an array of new rules against cyberattacks

In May 2023, hackers used a security gap in the firewall to gain access to the control systems of almost two dozen Danish energy companies. Some had to shut down their internet connections, sometimes for several days. Experts suspect that Sandworm, a hacker group with links to the Russian secret service, is behind the attack. A network of 270 sensors installed in critical infrastructures across Denmark detected the attack.

This is not an isolated incident. According to the International Energy Agency, the number of cyberattacks on energy companies worldwide more than doubled between 2020 and 2022 – over 1,000 weekly attacks were recorded in 2022.

The EU has responded with a directive to protect critical infrastructure. Member states only have until 17 October 2024 to implement the provisions into national law.

The German government’s draft not only introduces a series of new obligations, but also massively expands the group of companies affected.

We provide a brief overview of the current legal situation and the planned changes passed by the Federal Cabinet on 24 July 2024.

Who is a critical infrastructure operator?

Critical infrastructure includes all facilities that are of great importance to the public because their failure or disruption would result in significant supply shortages or threats to public safety. In addition to the energy sector, this also includes the food and IT sectors.

In the energy sector, critical infrastructure includes electricity generation, electricity trading, electricity transmission and electricity distribution above a certain threshold. For power generation facilities, for example, this threshold is currently 104 MW of installed nominal capacity.

The operator of such a critical infrastructure is, in turn, anyone who exercises decisive influence over it. In the case of power generation plants, this is usually the owner. However, the operator can also be the company responsible for the technical management of the plant.

Under the proposed changes, the concept of the critical infrastructure operator will be extended to other service providers such as battery storage and charging station operators. In addition, certain service providers in the energy sector will in future be subject to obligations regardless of the size of their facilities, provided they employ a certain number of employees or have a certain annual turnover and a certain annual balance sheet total. These service providers include electricity suppliers, grid operators and operators of energy generation or storage facilities.

It is estimated that this will result in an additional 25,150 companies being classified as critical infrastructure operators in Germany, compared to the current 4,700 companies.

What obligations must the operator fulfil?

A company must officially register no later than three months after it is considered to be an operator of critical infrastructure. In addition, the company is subject to numerous other obligations, some of which are very time-consuming and costly. These include the establishment of IT security precautions and an attack detection system, the installation of a contact point that can be reached at any time and the reporting of security incidents.

The company must regularly provide evidence of compliance with these obligations.

In the future, the obligations will be further tightened and expanded. The new obligations include various management duties and, in certain cases, the obligation for the company to inform its own customers of a security incident.

What happens if the operator fails to fulfil its obligations?

Breaches can result in fines of up to tens of millions of euros. In addition, the authorities can suspend the company’s licence and prohibit the managing directors from working until the measures ordered have been implemented.

Conclusion

The future regulations will not only tighten existing obligations for critical infrastructure operators. Due to the massive expansion of the target group, many companies will have to deal with this issue for the first time ever. As the new regulations will come into force shortly, it is important to act quickly.
