Update to cyber security requirements in the energy sector

Year of issue 2025
Date of issue 2025.05.07

The Bundesnetzagentur has today published drafts for an update to the IT security requirements catalogues for electricity and gas network operators and for energy plant operators.

"Digitalisation in the electricity and gas sectors and changing geopolitical threats increase security needs. We are updating the cybersecurity requirements and thus ensuring that the energy supply is well secured," said Klaus Müller, President of the Bundesnetzagentur.

Updating the catalogues

The increasing spread of digital technology in the energy sector and changing threats necessitate an update to the security requirements. The planned determination is a revision of the IT security requirements catalogue for operators of electricity and gas networks and the IT security requirements catalogue for operators of energy plants. The content will be consolidated and republished in a joint determination. The aim is to standardise the catalogues as much as possible and align them more closely with the process-oriented approach of ISO/IEC 27001.

Operators that implement the IT security requirements catalogue use an information security management system and improve the measures to protect their systems through continuous risk analysis, audits and certification. The new IT security requirements catalogue creates uniform definitions for all operators and differentiates between measures having to do with general cybersecurity and business continuity management and specific requirements related to security of networks and installations, the fulfilment of which can be demonstrated by certification. The new process orientation enables more effective and efficient risk analyses and an even stronger link between information security and business continuity management.

Background

It is the Bundesnetzagentur’s task, in consultation with the Federal Office for Information Security (BSI), to set minimum standards for IT security in the energy sector.

The IT security requirements catalogue for operators of electricity and gas networks was published (in German) in August 2015. The IT security requirements catalogue for operators of energy plants that are classified as critical infrastructure in accordance with the BSI Critical Infrastructure Ordinance and are connected to an energy supply network was published (in German) in December 2018. The catalogues call for adequate protection against threats to telecommunications and electronic data processing systems.

The determination’s general objective for the energy sector is to adequately safeguard the availability, integrity and confidentiality of critical infrastructure systems in the electricity and gas sectors and to prevent threats to public safety.

The draft determinations have been published at www.bundesnetzagentur.de/1056850 (in German).
