The Spanish energy sector underpins the economic and social activity of the country. Companies such as Iberdrola, Endesa, Naturgy, Repsol, Red Eléctrica de España and Enagás operate infrastructure that cannot afford one hour of downtime without immediate consequences for hospitals, transport, industry and households. The NIS2 directive recognises this criticality by placing virtually the entire sector in the essential entities category, with reinforced obligations on cybersecurity governance, incident management and continuous supervision.
This article describes the regulatory framework applicable to Spanish energy utilities, the specific attack vectors that affect smart grids and energy SCADA environments, the priority technical controls and the compliance roadmap that energy companies must articulate to close 2026 with a defensive posture aligned with NIS2.
The essentials. The energy sector operates as an essential entity under NIS2 with virtually no exceptions, also coexisting with the Critical Infrastructure Protection Law (Ley PIC), the ENS scheme when there is public participation, and the technical supervision of CCN-CERT. Real threats include state APTs against the electricity grid, smart meter manipulation, vulnerabilities in cloud SCADA and supply chain risks for PLCs and photovoltaic inverters. The compliance plan must combine PCS-DCS-SCADA segmentation, passive OT monitoring, exercises coordinated with CCN-CERT and CNI, and, for large operators, TLPT testing.
The energy sector is a NIS2 essential entity without exception
NIS2 broadens and reinforces the classification of entities within the energy sector. The directive considers as an essential entity any company that operates, distributes, transmits, supplies or stores electricity, natural gas, oil, district heating and cooling, as well as infrastructure linked to renewable hydrogen, a category that will gain regulatory weight as industrial projects currently under development consolidate.
In practice, this means that a transmission operator such as Red Eléctrica de España, a regional distributor, a retailer, a combined cycle plant or a wind farm of a certain size are all subject to equivalent obligations in terms of cybersecurity governance, even if specific technical measures are adapted to each typology. The traditional distinction between large and small operators loses force when a coordinated outage of several mid-sized actors can have a systemic effect on the grid.
The sector also includes oil logistics operators, refineries, liquefied natural gas terminals and underground storage operators, all of which have connected industrial systems that clearly fall within the NIS2 perimeter.
Multi-layered Spanish regulatory framework
The Spanish energy company operates under a layered regulatory framework. NIS2 sets the European obligations for cybersecurity risk management and incident notification. Alongside it, national instruments that have been in force for years remain applicable, and NIS2 does not replace them but complements them.
Law 8/2011 on Critical Infrastructure Protection (Ley PIC) and its implementing regulations require operators designated as critical to draft Operator Security Plans, Specific Protection Plans for each facility and to coordinate with CNPIC, the national centre for the protection of critical infrastructures. The energy sector includes a significant number of designated operators, and their PIC obligations remain in parallel to the new NIS2 requirements.
The National Security Framework (ENS) applies when the utility provides services to the public sector or has significant public participation. In these cases the organisation must demonstrate the implementation of measures according to the basic, medium or high categories, subject to periodic external audit.
Royal Decree 43/2021 develops the security obligations for operators of essential services and digital service providers, aligning with the progressive transposition of NIS2. The STIC guides from the National Cryptologic Centre provide the detailed technical layer that organisations apply to satisfy ENS requirements and, by extension, demonstrate due diligence under NIS2.
In terms of sectoral supervision, the National Markets and Competition Commission (CNMC) and the Ministry for the Ecological Transition and the Demographic Challenge (MITECO) act as regulators of the energy market, while CCN-CERT provides incident response capability for public sector entities and critical operators.
Sector-specific risks
The attack vectors of greatest concern to energy companies in 2026 combine traditional threats with new realities arising from the energy transition and the digitalisation of the grid.
State APTs against the electricity grid. Groups associated with intelligence services, historically linked in public vendor reports to actors such as Sandworm or APT28, have demonstrated capability and intent to operate against European electricity infrastructure. The strategic interest of the transmission grid and the control centres places them among the assets most closely watched by national defence units.
Exposed smart meters. The mass deployment of smart meters has multiplied the attack surface down to the last connected household. While the individual impact of a compromised meter is limited, coordinated manipulation at scale could introduce noise into consumption measurements, hinder system operation or be used as a vector toward the distributor's central systems.
Cloud SCADA. A growing number of operators are considering moving parts of industrial monitoring to cloud environments to leverage analytics and telemetry consolidation. This evolution requires redesigning the trust, segmentation and authentication model, because traditional SCADA architectures were not conceived to live outside the physical perimeter of the plant.
Accelerated OT/IT convergence. The integration between industrial systems and corporate platforms creates bridges that attackers exploit. Initial access often occurs in the IT network, and from there attackers pivot toward historians, engineering workstations and ultimately controllers that act on the physical process.
Distributed renewables. Residential photovoltaic generation, home batteries and electric vehicle charging points form a fragmented ecosystem of devices connected to the internet through mobile applications, web portals and cloud APIs from each manufacturer. When the aggregate of this capacity reaches several gigawatts, its security becomes a grid stability matter.
Hardware supply chain. Programmable logic controllers, protection relays and photovoltaic inverters come mostly from a reduced set of international manufacturers. The public discussion in different European countries about manufacturers such as Huawei or Sungrow reflects a real concern about the geopolitical risk associated with components present in critical infrastructure.
Historical cases in the energy sector
The historical evidence of attacks on the energy sector is solid enough to justify sustained defensive investment, without needing to resort to speculation or sensationalism.
Industroyer. The malware deployed against the Ukrainian electricity grid in December 2016 successfully disrupted supply in several districts of Kyiv. Its modular design and its deep knowledge of the industrial protocols used in substations evidenced remarkable technical capability. In 2022, a second variant was publicly documented on Ukrainian territory and was contained before causing significant operational impact.
Colonial Pipeline. In May 2021, the pipeline that supplies much of the United States east coast stopped operations after a ransomware incident. Although the malware affected IT systems and not OT environments directly, the preventive decision to halt operations produced fuel shortages for several days. The episode illustrates how an attack on IT can paralyse OT due to the operational dependence between both planes.
Campaigns against European infrastructure. Public reports from intelligence vendors and national agencies have documented sustained reconnaissance activity against electricity operators in different European countries. The presence of advanced actors in early phases of the attack chain forces organisations to assume that the detection and response window is narrow.
These cases are not cited to feed alarmism, but to support investment decisions, simulation exercises and audit priorities on an empirical basis.
Priority technical controls
The energy company that wants to close 2026 with a solid defensive posture concentrates investment in a set of controls that operational experience and sectoral frameworks identify as priorities.
PCS-DCS-SCADA segmentation. The classic Purdue model architecture separates process control systems, distributed control systems and the upper supervisory layers. Maintaining this segmentation with industrial firewalls, data diodes where appropriate and explicit access policies drastically reduces the lateral movement surface.
Passive OT monitoring. Solutions designed for industrial environments, such as those from vendors specialised in OT visibility, provide asset inventory, anomalous traffic detection and alerts on configuration changes without introducing latency or risk into operations, because they only listen to mirrored traffic and never inject packets into the control network. Passive monitoring is one of the first investments we recommend in a mature NIS2 programme.
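As an added illustration of the two controls above (segmentation and passive monitoring), the following Python script is example code written for this article, not tooling from any vendor or from the authors. It checks flow records, as a passive sensor would export them, against a Purdue-level allow-list and flags the two things such a sensor should raise alerts on: conversations that cross levels the segmentation policy does not permit, and traffic from addresses that are absent from the asset inventory. The inventory, levels, allowed conversations, IP addresses and flow records are all constructed sample data, and the function names are hypothetical.

```python
"""Passive check of exported OT flow records against a Purdue-level policy.

Example code for this article. All IP addresses, hostnames, levels and flow
records are constructed sample data; the function names are hypothetical.
"""
from collections import Counter

# Constructed asset inventory: IP -> (hostname, Purdue level).
# Level 1 = controllers (PLC, protection relays), Level 2 = supervisory (HMI, SCADA),
# Level 3 = site operations (historian, engineering), Level 3.5 = industrial DMZ,
# Level 4 = corporate IT.
INVENTORY = {
    "10.1.1.10": ("plc-feeder-01", 1),
    "10.1.1.11": ("relay-bay-03", 1),
    "10.1.2.20": ("hmi-control-room", 2),
    "10.1.3.30": ("historian-site", 3),
    "10.1.3.31": ("eng-workstation", 3),
    "10.1.35.5": ("dmz-jump-host", 3.5),
    "10.20.0.40": ("corp-laptop", 4),
}

# Allowed conversations: (source level, destination level, destination port).
# Corporate IT reaches OT solely through the DMZ jump host; nothing else crosses levels.
ALLOWED = {
    (2, 1, 502),     # HMI polls controllers over Modbus/TCP
    (3, 2, 502),     # historian reads the supervisory layer
    (3, 1, 502),     # engineering workstation to controllers
    (4, 3.5, 22),    # corporate users SSH to the DMZ jump host only
    (3.5, 3, 3389),  # jump host RDP to the engineering workstation
}


def classify_flow(src_ip, dst_ip, dst_port, inventory=INVENTORY, allowed=ALLOWED):
    """Return 'allowed', 'unknown_asset' or 'policy_violation' for one flow."""
    if src_ip not in inventory or dst_ip not in inventory:
        return "unknown_asset"          # inventory drift: a device we do not know about
    src_level = inventory[src_ip][1]
    dst_level = inventory[dst_ip][1]
    if (src_level, dst_level, dst_port) in allowed:
        return "allowed"
    return "policy_violation"           # cross-level traffic the segmentation forbids


def audit_flows(flows, inventory=INVENTORY, allowed=ALLOWED):
    """Summarise a batch of flow records given as (src_ip, dst_ip, dst_port).

    Returns a dict with a count per verdict and the list of flows worth an alert.
    """
    counts = Counter()
    alerts = []
    for src, dst, port in flows:
        verdict = classify_flow(src, dst, port, inventory, allowed)
        counts[verdict] += 1
        if verdict != "allowed":
            src_name = inventory.get(src, ("<unknown>",))[0]
            dst_name = inventory.get(dst, ("<unknown>",))[0]
            alerts.append((verdict, f"{src_name}({src}) -> {dst_name}({dst}):{port}"))
    return {"counts": dict(counts), "alerts": alerts}


# Constructed flow records, as a passive sensor would export them from a SPAN/TAP.
SAMPLE_FLOWS = [
    ("10.1.2.20", "10.1.1.10", 502),   # HMI -> PLC, allowed
    ("10.1.3.30", "10.1.2.20", 502),   # historian -> HMI, allowed
    ("10.20.0.40", "10.1.35.5", 22),   # corporate laptop -> jump host, allowed
    ("10.20.0.40", "10.1.1.10", 502),  # corporate laptop straight to a PLC: violation
    ("10.1.3.31", "10.1.1.11", 22),    # engineering -> relay over SSH: not in policy
    ("10.1.9.99", "10.1.1.10", 502),   # address not in inventory: new device on the OT network
]

if __name__ == "__main__":
    report = audit_flows(SAMPLE_FLOWS)
    print(report["counts"])
    for verdict, description in report["alerts"]:
        print(f"[{verdict}] {description}")
```

In a real deployment the inventory and the allow-list would come from the asset-management system and the firewall rule base, and the flow records from the OT sensor's export; the point of the check is that every unknown address and every cross-level conversation outside the documented policy becomes a ticket rather than background noise.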
MFA for plant remote access. Remote access by engineers, maintenance providers and external operators must be protected with strong multifactor authentication, auditable jump hosts and full session logging. This single measure closes one of the intrusion paths most used in real sector incidents.
PLC configuration backups. Maintaining verified copies of PLC programs, protection relay parameters and HMI configurations allows a plant to be restored after an incident without depending on the personal memory of engineers. Periodic verification of the integrity of these backups is as important as the copy itself.
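The periodic integrity verification mentioned above can be made mechanical with a hash manifest. The following Python script is an added example written for this article (not code from the authors or from any PLC vendor): it records a SHA-256 digest for every backup artefact at the time of a known-good copy and later compares a backup set against that manifest, reporting files that were modified, are missing or appeared unexpectedly, so a restore only proceeds from a copy that matches the golden state. File names, contents and function names are constructed and hypothetical.

```python
"""Integrity manifest for PLC, protection relay and HMI configuration backups.

Example code for this article. File names and contents are constructed sample
data; the function names are hypothetical.
"""
import hashlib
import os


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict) -> dict:
    """artefacts maps a relative file name to its bytes; returns name -> sha256 hex."""
    return {name: sha256_hex(content) for name, content in sorted(artefacts.items())}


def verify_backup(artefacts: dict, manifest: dict) -> dict:
    """Compare a backup set against a previously stored manifest.

    Returns a dict with the lists 'ok', 'modified', 'missing' and 'unexpected'.
    A restore should only proceed when 'modified' and 'missing' are both empty.
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in artefacts:
            result["missing"].append(name)
        elif sha256_hex(artefacts[name]) != expected:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    result["unexpected"] = sorted(set(artefacts) - set(manifest))
    return result


def restore_is_safe(verification: dict) -> bool:
    """True only when every manifest entry is present and unchanged."""
    return not verification["modified"] and not verification["missing"]


def load_directory(path: str) -> dict:
    """Read every regular file under path into the mapping the functions above expect."""
    artefacts = {}
    for root, _dirs, files in os.walk(path):
        for fname in files:
            full = os.path.join(root, fname)
            with open(full, "rb") as fh:
                artefacts[os.path.relpath(full, path)] = fh.read()
    return artefacts


# Constructed backup set taken right after commissioning (the golden copy).
GOLDEN = {
    "plc-feeder-01/program.acd": b"LADDER-LOGIC-v12\n",
    "relay-bay-03/settings.rio": b"PICKUP=1.2A;DELAY=0.3s\n",
    "hmi-control-room/project.xml": b"<hmi version='3'/>\n",
}
MANIFEST = build_manifest(GOLDEN)

# Constructed later copy: one relay setting silently changed, the HMI project is
# missing, and an unexpected file appeared on the backup share.
LATER = {
    "plc-feeder-01/program.acd": b"LADDER-LOGIC-v12\n",
    "relay-bay-03/settings.rio": b"PICKUP=2.0A;DELAY=0.3s\n",
    "notes.txt": b"temp\n",
}

if __name__ == "__main__":
    verification = verify_backup(LATER, MANIFEST)
    for key, names in verification.items():
        print(f"{key}: {names}")
    print("safe to restore:", restore_is_safe(verification))
```

The manifest itself should be stored separately from the backup share (and ideally signed), otherwise whoever can alter a relay setting file can also rewrite its digest; `load_directory` is the hook for running the same comparison over a real backup folder.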
Incident response runbooks coordinated with CCN-CERT and CNI. Response plans must include notification flows within NIS2 deadlines, integration with the Ley PIC procedures for designated operators and communication channels with CCN-CERT, INCIBE-CERT and, where appropriate, with bodies linked to the National Intelligence Centre.
CIBER-CERT exercises for the energy sector. Participation in coordinated sectoral exercises, both national and European, provides evidence of response capability and helps identify improvement points under conditions close to real ones.
TLPT and red team in utilities
The extension of advanced TLPT-style testing frameworks to critical energy infrastructure is under active discussion. TIBER-EU was born in the financial sector, but its philosophy of intelligence-led testing, with mandatory coordination between authority, entity and provider, fits the validation needs of large utilities.
A TLPT exercise applied to an energy company combines cyber scenarios against corporate and industrial systems with physical scenarios when scope justifies it. Coordination with the regulator and with CCN-CERT ensures that the test is executed within the legal and operational limits of the sector, without risk of affecting real supply.
Large operators that have not yet undergone an exercise of this nature should incorporate TLPT in their roadmap for the next twenty-four months. Mid-sized operators can benefit from scoped red team exercises that reproduce a representative part of the attack chain without the organisational complexity of a full TLPT.
Distributed renewables and new vectors
The energy transition is redefining the boundary between IT and OT. A residential photovoltaic installation with self-consumption is managed through a mobile application connected to the cloud of the inverter manufacturer, which in turn communicates with the aggregator, the retailer and the system operator. The home battery adds an additional layer of intelligence that decides when to charge and when to discharge. The electric vehicle with V2G capability introduces one more actor, capable of injecting energy into the grid under certain conditions.
Each of these elements is a control point connected to the internet, frequently without sustained security updates and with telemetry that travels through channels that were not conceived to support the scrutiny of electricity system operators. Aggregated residential photovoltaic capacity in a region can reach hundreds of megawatts, a figure that no operator can ignore from a grid stability perspective.
European regulation is moving toward cybersecurity requirements for connected equipment through the Cyber Resilience Act and harmonised standards specific to inverters, batteries and charging points. Utilities and aggregators must anticipate these requirements when defining contracts with manufacturers and designing management platforms.
NIS2 energy compliance step by step
The NIS2 compliance plan for an energy company is structured in blocks that can be executed in parallel while respecting certain dependencies.
Initial gap analysis. A detailed assessment of the current state against NIS2 requirements and, when applicable, against Ley PIC and the ENS. The result should be a clear map of gaps prioritised by risk and remediation difficulty. This is the basis that management will defend before a possible inspection.
Governance and senior management training. NIS2 holds management bodies accountable. Formal training sessions, minutes and documented decisions are evidence that the regulator demands. Without this block, the rest of the technical investment loses value before an audit.
Eighteen-month investment plan. Technical measures are sequenced over realistic horizons. Network segmentation, passive OT monitoring and MFA are usually early blocks. SCADA modernisation, integration with a SOC capable of reading industrial telemetry and advanced exercises are distributed over the following months.
Incident notification. The response team must have internalised the NIS2 flow: early warning within the first twenty-four hours, detailed notification within seventy-two hours, final report within one month. Regular practice with drills prevents errors when a real incident occurs.
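To make the three deadlines concrete, the following Python script is an added example for this article (not a tool from the authors or from any authority): given the moment the entity became aware of a significant incident and the notifications already sent, it reports which stage is submitted, sent late, pending or overdue, and which one is due next. The 24 h / 72 h / one month stages follow the article; counting every deadline from the awareness time and modelling "one month" as 30 days are simplifying assumptions of this example, and the timestamps are constructed.

```python
"""NIS2 incident notification deadline tracker.

Example code for this article. Assumptions: all deadlines are counted from the
awareness time, and "one month" is modelled as 30 days. Timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

# Stage name -> delay from the awareness time (assumption: 1 month ~ 30 days).
STAGES = [
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
]


def deadlines(aware_at: datetime) -> dict:
    """Absolute deadline for each stage, counted from the awareness time."""
    return {name: aware_at + delay for name, delay in STAGES}


def notification_status(aware_at: datetime, now: datetime, submitted: dict) -> dict:
    """Classify each stage as 'submitted', 'late', 'pending' or 'overdue'.

    submitted maps stage name -> datetime the notification was actually sent.
    'late' means it was sent, but after its deadline; 'overdue' means it is
    still unsent and the deadline has passed.
    """
    status = {}
    for name, due in deadlines(aware_at).items():
        sent = submitted.get(name)
        if sent is not None:
            status[name] = "submitted" if sent <= due else "late"
        elif now > due:
            status[name] = "overdue"
        else:
            status[name] = "pending"
    return status


def next_due(aware_at: datetime, now: datetime, submitted: dict):
    """Earliest unsent stage and its deadline, or None when everything is filed."""
    due = deadlines(aware_at)
    for name, _delay in STAGES:
        if name not in submitted:
            return name, due[name]
    return None


# Constructed scenario: awareness on a Monday evening, early warning sent in time,
# and the team checking the tracker four days later.
AWARE_AT = datetime(2026, 3, 2, 21, 15, tzinfo=timezone.utc)
SUBMITTED = {"early_warning": datetime(2026, 3, 3, 9, 40, tzinfo=timezone.utc)}
NOW = datetime(2026, 3, 6, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for stage, state in notification_status(AWARE_AT, NOW, SUBMITTED).items():
        print(f"{stage:22s} {state}")
    print("next due:", next_due(AWARE_AT, NOW, SUBMITTED))
```

In the constructed scenario the 72-hour notification is already overdue by the time the team looks, which is exactly the situation the drills mentioned above are meant to make impossible; a tracker like this belongs in the incident ticket from the moment the incident is declared, not in a spreadsheet opened afterwards.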
Auditable evidence. All documentation, records and decisions must be traced in an auditable format. The capacity to demonstrate what has been done is as important as having done it. CCN-CERT and other authorities value traceability as a maturity indicator.
Continuous review. The NIS2 programme is not a project with a closing date. The annual review of the risk analysis, periodic tests, sectoral exercises and updates of providers and dependencies must be part of the normal operation of the organisation.
Frequently asked questions
Is a small renewables company obliged by NIS2?
It depends on the size, function and criticality of the activity. The NIS2 thresholds are modulated by subsector. An SME that only installs equipment may fall outside the direct perimeter, but a company that operates or aggregates distributed capacity of a certain size enters the scope. Reasonable doubt is resolved with a specific analysis, not with a generic answer.
Who is responsible for a compromised smart meter?
Responsibility is distributed between the distributor that deploys and operates the equipment, the manufacturer that provides the firmware and, to a lesser extent, the end user when manipulation has occurred at the physical point. The distributor maintains the primary duty to operate the fleet with reasonable security conditions and to manage the update lifecycle.
Is it legal to pentest infrastructure of the electricity grid?
Yes, provided that there is express authorisation from the operator, scope defined in writing and, when appropriate, coordination with the supervisory authority. Exercises on truly productive infrastructure also require safeguard measures to avoid operational impact. Any test without authorisation is illegal and falls outside any professional framework.
CCN-CERT or INCIBE-CERT, which one corresponds to a utility?
CCN-CERT serves the public sector and critical operators. INCIBE-CERT serves the private sector in general and citizens. A private utility that is a critical operator under Ley PIC will have a direct channel to CCN-CERT and, depending on the case, to INCIBE-CERT on sectoral and coordination matters.
Is an electrical maintenance provider under NIS2?
NIS2 introduces supply chain security obligations that fall on the essential entity, but these translate into contractual demands on providers. An electrical maintenance provider relevant to the safe operation of the utility will need to demonstrate equivalent controls, even if not directly regulated, because the client will require that demonstration.
Ley PIC or NIS2, which one prevails?
Both coexist. Ley PIC applies to the universe of operators designated as critical in national infrastructure and maintains its specific instruments. NIS2 adds the European layer of cybersecurity risk management and incident notification with its own sanctioning regime. The organisation affected by both must build a single programme that satisfies the two frameworks without duplicating effort where it is not needed.
Related resources
- NIS2 Spain: compliance guide 2026
- Industry 4.0 and OT cybersecurity under NIS2
- IoT and OT cybersecurity: critical threats 2026
- NIS2 audit step by step
- TIBER-EU and TLPT: intelligence-led red team
Utility cybersecurity with Secra
Secra supports energy operators in NIS2 compliance with an approach that combines technical audit over the electricity grid, NIS2 gap analysis aligned with Ley PIC and the ENS, OT threat hunting and red team exercises adapted to the energy sector. Our team connects offensive knowledge with sectoral operational experience, avoiding textbook recommendations that do not match the reality of a plant or a control centre.
If your organisation is building or reviewing its NIS2 programme for the energy sector, let's talk and design together the most efficient path toward a solid and auditable defensive posture.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.