Challenges in the implementation of the NIS 2 directive in the energy sector

Against the background of the accelerated development of digital technologies and global socio-economic interconnection, cyber security has become essential, especially in critical sectors such as energy. This transformation is reflected in a series of initiatives and pieces of legislation issued at European Union (EU) level, aimed at strengthening cyber protection measures for critical infrastructures.
A relevant example is the NIS 2 directive (NIS 2), which extends cyber security requirements for the energy sector, including electricity, oil and gas networks. The regulation is also a priority for Romania, which transposed NIS 2 into national legislation through Government Emergency Ordinance (GEO) no. 155, published in the Official Gazette at the end of 2024. On July 7, 2025, Law 124/2025 was published in the Official Gazette, marking the legislative validation of the measures provided by the GEO and bringing to the fore the strengthening of cyber protection obligations for entities that operate critical infrastructures.
Which organizations are covered by NIS 2?
NIS 2 targets a wide range of entities in the energy sector with a crucial role in ensuring the efficient and safe operation of critical infrastructure. A first area within the scope of the directive is the electricity subsector, where electricity supply companies are included according to the definitions in Law no. 123/2012. Distribution and transmission operators are responsible for the operation, maintenance and development of energy networks, while electricity producers are defined by their production activity, including cogeneration. Market participants, including nominated electricity market operators and charging point operators, as well as concessionaires and developers of offshore wind farms, are also covered, given their essential role in the stability and functioning of the energy market.
The district heating and cooling subsector is another area of interest, where thermal energy distribution is a critical component. The directive also covers the oil subsector, targeting oil pipeline operators and central storage entities, as well as operators of oil production, refining and treatment facilities. In the gas sector, NIS 2 applies to supply companies, distribution and transmission operators, natural gas storage operators, refining and treatment operators, and those involved in the handling of liquefied natural gas (LNG).
Last but not least, in the hydrogen subsector the directive targets production, storage and transport operators, alongside beneficiaries of the Modernisation Fund under national legislation. These sectors and entities are paramount to the smooth functioning, resilience and sustainability of the national energy system, and all of them fall under the directive's objective of improving cyber security and protecting critical infrastructures against cyber threats.
Challenges in implementing the directive
The implementation of the NIS 2 directive in the energy sector highlights the complexity and difficulties that entities must overcome to achieve the level of cyber security required by the legislation.
Energy infrastructure is extremely complex and, in many respects, unique: it combines a wide diversity of integrated equipment, from SCADA (Supervisory Control and Data Acquisition) systems and smart grids to a mix of legacy technologies running alongside modern solutions. This makes it particularly difficult to secure, and a successful breach of these systems can halt energy distribution or affect national stability.
The transposition of NIS 2 into national legislation imposes strict obligations on energy operators, such as rapid reporting of incidents to the National Directorate of Cyber Security (DNSC) and alignment with the requirements of the Cyber Fundamentals framework. However, Romania still faces specific challenges, such as the lack of a sector-level Computer Security Incident Response Team (CSIRT, often referred to as a CERT), which is essential for a critical field such as energy.
Likewise, the national ISAC (Information Sharing and Analysis Center) set up specifically for the energy sector has not yet reached its expected usefulness, as a result of low interest and the small number of registered entities, while cooperation across sectors, and within them, remains below the expected level. Limited human resources and cyber security skills are a further obstacle, with a clear need to train and appoint cyber security officers.
Financial and logistical challenges put additional pressure on companies, both small and medium-sized enterprises and state-owned ones, which in the current economic environment must invest significantly in security and incident response technologies. Coordination between entities and interoperability are critical to the success of the directive, requiring close collaboration between energy operators, regulators and suppliers, since NIS 2 extends responsibilities to suppliers and subcontractors; a less secure partner thus becomes a potential entry point for an attack on the operator itself.
At the same time, the implementation of NIS 2 requires greater attention to operational technology (OT), since in the energy sector SCADA systems and industrial infrastructures are the core of critical physical processes. Regular and rigorous testing of these systems, performed under controlled conditions and with methodologies designed for industrial environments, becomes essential for identifying vulnerabilities which, if exploited, could cause major disruptions in energy production, transmission or distribution. In addition, the lack of a strict demarcation between OT and IT infrastructure significantly increases the risk that an attack compromising the IT environment will propagate into the operational environment, where the consequences can have physical, economic and even public safety impacts. The maturation of security mechanisms in the OT area, combined with a robust IT-OT segmentation architecture, therefore becomes a strategic priority for all energy entities covered by the directive.
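The IT-OT demarcation described above is usually enforced as a zoned architecture (IT zone, an intermediate DMZ with a jump host or historian, OT cell) in which the only permitted cross-zone paths are explicitly defined conduits. The following is an added illustration, not code from the article or from Deloitte: a small audit that reads flow records exported from the boundary firewalls and flags any connection that crosses a zone boundary outside the declared conduits, for example a workstation in IT talking Modbus directly to a controller, or a controller initiating traffic towards the IT network. The address plan, the conduit table and the sample flow lines are all constructed assumptions for the example.

```python
"""Zone-based audit of IT/OT boundary flows (added example, not from the article)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed address plan for the example; a real deployment would load this from its IPAM.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Assumed conduit policy: the only permitted (source zone, destination zone) pairs and ports.
# Everything else crossing a boundary is a finding, including any OT-initiated traffic.
ALLOWED_CONDUITS = {
    ("IT", "DMZ"): {443, 3389},    # operators reach the jump host / historian replica
    ("DMZ", "OT"): {502, 20000},   # jump host speaks Modbus/TCP and DNP3 to the cell
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: timestamp src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def evaluate(flow: Flow) -> Optional[str]:
    """Return a finding for a flow that violates the conduit policy, else None."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == dz:
        return None  # intra-zone traffic is not a boundary crossing
    if "UNKNOWN" in (sz, dz):
        return f"{flow.ts} {flow.src}->{flow.dst}:{flow.dport} touches unmapped address space"
    allowed = ALLOWED_CONDUITS.get((sz, dz))
    if allowed is None:
        return f"{flow.ts} {sz}->{dz} is not a defined conduit ({flow.src}->{flow.dst}:{flow.dport})"
    if flow.dport not in allowed:
        return f"{flow.ts} {sz}->{dz} port {flow.dport} not in conduit allow-list ({flow.src}->{flow.dst})"
    return None


def audit(lines: Iterable[str]) -> List[str]:
    """Run the policy over raw flow records and return the list of findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = evaluate(parse_flow(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample export: two legitimate hops via the DMZ, one direct IT->OT
# Modbus session, SSH from the jump host on a non-conduit port, an OT host
# reaching back into IT over SMB, and ordinary intra-cell Modbus traffic.
SAMPLE_FLOWS = """\
2025-07-08T10:00:01Z 10.10.5.21 10.20.0.10 3389 tcp
2025-07-08T10:00:02Z 10.20.0.10 192.168.100.10 502 tcp
2025-07-08T10:00:03Z 10.10.5.21 192.168.100.10 502 tcp
2025-07-08T10:00:04Z 10.20.0.10 192.168.100.11 22 tcp
2025-07-08T10:00:05Z 192.168.100.12 10.10.5.21 445 tcp
2025-07-08T10:00:06Z 192.168.100.12 192.168.100.10 502 tcp
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run against the constructed export, the audit reports three findings: the direct IT-to-OT Modbus session, the DMZ-to-OT SSH connection on a port outside the conduit, and the OT host initiating SMB towards IT. The first two are the "IT compromise propagates into OT" path the text warns about; the third is the reverse direction, which a segmentation design should also deny by default. The check is deliberately stateless and port-based so it can run over exported records offline; it complements, rather than replaces, protocol-aware inspection on the boundary firewalls themselves.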
Conclusion
The challenges of implementing the NIS 2 directive in the energy sector underline the need for a concerted, long-term strategy to strengthen cyber security in the face of increasingly sophisticated threats. Given how much modern society depends on interconnected critical infrastructures, it is essential that the energy sector overcomes the technical, financial and organizational obstacles to aligning with the requirements of European regulation.
Opinion article by Dragoș Ionica, Cyber Attack Senior Manager, and Octavian Popa, Cyber Strategy Manager, Deloitte Romania
Article supported by Deloitte Romania