Zero Trust at the energy supplier: What the NIS2 audits are now revealing

8 min read

On 29 April 2026, CISA, the US Department of Energy and four other agencies issued a joint recommendation on applying Zero Trust principles to Operational Technology. Three weeks later, Germany’s first BSI audits under the NIS2 Implementation Act-effective since 6 December 2025-kick off. Energy suppliers now face double pressure. Operators running flat networks with shared identities across IT and OT no longer meet the state of the art under the BNetzA’s new IT security catalogue. Last year’s Volt Typhoon campaign showed exactly what that looks like in practice.

Key Takeaways

NIS2 in energy went live in December 2025. BSI and BNetzA obligations apply; audits go live in summer 2026. Registration with the BBK under the KRITIS umbrella law must be completed by 17 July 2026.
Zero Trust for OT isn’t copied from IT. The 29 April 2026 CISA guidance makes clear: segmentation, identity boundaries and asset visibility must be engineered for SCADA, protection systems and control centres-not retrofitted.
The most common gap sits at the IT-OT boundary. Shared service accounts, overlapping domain structures and unsegmented maintenance access are the 2026 route by which IT compromises reach the control room.

How a DACH energy supplier kicked off Zero Trust in 2026

The graphic below distils a typical programme from several publicly discussed utility initiatives-not a single company. Real names are omitted because verifiable public sources are scarce. If you’re hunting for a vendor success story, look elsewhere. If you need an anchor for your own roadmap, here’s a realistic approach.

Baseline: a mid-size distribution grid operator (mid-hundreds of MW), multiple substations, its own control room, a Microsoft-centric IT estate and a historically grown ICS network. In 2025 the BNetzA listed the utility as KRITIS; with the NIS2 Implementation Act taking effect in December 2025, the compliance pressure doubled. The audit squeeze now comes from both the BNetzA IT security catalogue and the upcoming ISO 27019 re-certification.

The first hard audit finding from the internal pre-assessment was uncomfortable: 41 service accounts with privileges spanning both worlds, five maintenance VPNs reaching OT segments without MFA, and an Active Directory structure that would have propagated a domain-admin compromise straight into the control room. Exactly the pattern the CISA guidance explicitly warns against.

Five steps that actually drove the program forward

Rather than designing a zero-trust architecture on paper, the team worked in five prioritized steps. Each produced an audit artifact the auditor can understand without further explanation.

Five prioritized steps for zero trust at an energy utility

Step 1

Unified asset inventory across IT and OT. Every policy begins with a definitive list of devices, protocols, firmware versions, and owners. Without this inventory, segmentation remains theoretical. In practice: passive listening on the OT mirror port, cross-checked against the CMDB baseline.

Step 2

Identity separation at the IT-OT boundary. Shared service accounts are eliminated; OT accounts move into a dedicated identity domain with its own lifecycle. Phishing-resistant factors such as FIDO2 for administrative access are no longer optional.

Step 3

Micro-segmentation from Purdue Level 3 onward. The hard line runs between Manufacturing Operations (Level 3) and Process Control (Level 2). Every crossing passes through an explainable gateway; every rule has an owner. Default is deny, not allow.

Step 4

OT-specific threat detection with its own use-case catalog. The BSI-compliant system detects OT patterns-Modbus, IEC 60870-5-104, DNP3-not just IT logic. Anomalies trigger dedicated detectors and escalation paths into the SOC.

Step 5

Incident response with BBK pathway and 24-hour notification. NIS2 mandates initial reporting to the BSI within 24 hours and final reporting within 72 hours. Parallel drills follow the BBK pathway from the KRITIS umbrella law. Playbooks distinguish between IT and OT incidents.

The sequence is not a matter of preference. Starting with step three without knowing your asset and identity posture means segmenting on assumptions-an approach that collapses under real pressure.

29,500

German entities fall under the NIS2 regime-six times more than under the previous KRITIS ordinance. Fines reach up to 10 million euros, and the initial reporting deadline is 24 hours.

Source: BSI / OpenKRITIS, March 2026

What the CISA recommendation means for DACH utilities

The joint advisory dated 29 April 2026 is not just for U.S. readers. It highlights four points every DACH utility audit will spotlight. First, identities must not be shared between IT and OT. Second, visibility at asset and protocol level is a prerequisite for segmentation. Third, default-deny must work in OT without disrupting operations. Fourth, incident response in OT requires its own playbooks and exercises.

Volt Typhoon is explicitly named in the advisory. The pattern of compromising IT credentials to pivot into OT is now standard. A utility that does not separate OT identities is banking on the protection of its IT domain-protection that has failed in multiple public incidents.

Where suppliers will still fail in 2026

Three mistakes crop up most often in practice. The first is organisational. OT security sits with operations, IT security with the CIO. Without shared responsibility anchored at board level, every zero-trust strategy falls apart at the seam. NIS2 makes management explicitly liable, rendering the split politically untenable.

The second mistake is technical. Maintenance VPNs for plant manufacturers are treated as exceptions and thus excluded from micro-segmentation. Exactly this vector has been cited in several public energy incidents over the past two years. Any blanket exemption here undermines the entire concept.

The third mistake is procedural. The 24-hour NIS2 initial-reporting deadline is rarely rehearsed. In reality it means an on-call team must be able to authorise the report without waking the executive board. Without test reports and a documented escalation chain, the deadline will be missed when it matters.

The utility in the case study above tackled precisely these three gaps before rolling out the technical programme-three months before the first BSI audit. That is the pragmatic window in which open issues can actually be closed. Starting in June, you will only have slides by September.

Frequently Asked Questions

When does the first BSI audit start under the NIS2 Implementation Act?

The NIS2 Implementation Act entered into force on 6 December 2025; the registration obligation is live. BSI supervision moved into the operational phase in May 2026, with first audits at critical-infrastructure energy suppliers expected for summer 2026. If you cannot document the risk-management measures required by Article 21 NIS2, you will face a problem.

How does zero-trust in OT differ from zero-trust in IT?

OT environments have hard availability and latency demands, legacy protocols without encryption, and devices that cannot be patched. An IT logic that relies on continuous verification for every request cannot simply be applied to a control system. The CISA recommendation of 29 April 2026 therefore sets out a dedicated OT interpretation: segmentation, identity boundaries and asset visibility come first; continuous verification is phased in.

What role does ISO 27019 play in NIS2 audit practice?

ISO 27019 is the energy-specific extension of ISO 27001. It covers OT-specific controls that the plain 27001 catalogue does not address. In the BNetzA IT security catalogue, certification to ISO 27001 plus 27019 is mandatory. NIS2 risk-management and ISO 27019 requirements overlap, so audits can be combined if documentation is clean.

Do maintenance VPNs have to be fully integrated into micro-segmentation?

Yes-with dedicated, time-limited identities and in-line detection. Blanket exemptions for plant manufacturers are no longer defensible under CISA guidance and audit practice. Just-in-time access combined with session recording replaces the permanent site-to-site tunnel.

How can the BBK under the KRITIS umbrella be used alongside the BSI?

The KRITIS umbrella law addresses physical resilience, sabotage and hybrid threats, while NIS2 covers IT security. Both tracks run in parallel, with separate registrations. Suppliers must also register with the BBK by 17 July 2026. Operationally, it makes sense to structure incident reports, exercises and contingency plans so that a single report serves whichever track is relevant, avoiding duplication.