{"id":15636,"date":"2026-05-24T19:55:12","date_gmt":"2026-05-24T19:55:12","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/05\/25\/zero-trust-at-the-energy-supplier-what-the-nis2-audits-are-now-revealing\/"},"modified":"2026-05-25T15:56:45","modified_gmt":"2026-05-25T15:56:45","slug":"zero-trust-at-the-energy-supplier-what-the-nis2-audits-are-now-revealing","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/05\/24\/zero-trust-at-the-energy-supplier-what-the-nis2-audits-are-now-revealing\/","title":{"rendered":"Zero Trust at the energy supplier: What the NIS2 audits are now revealing"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">8 min read<\/p>\n<p><strong>On 29 April 2026, CISA, the US Department of Energy and four other agencies issued a joint recommendation on applying Zero Trust principles to Operational Technology. Three weeks later, Germany\u2019s first BSI audits under the NIS2 Implementation Act-effective since 6 December 2025-kick off. Energy suppliers now face double pressure. Operators running flat networks with shared identities across IT and OT no longer meet the state of the art under the BNetzA\u2019s new IT security catalogue. Last year\u2019s Volt Typhoon campaign showed exactly what that looks like in practice.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">NIS2 in energy went live in December 2025.<\/strong> BSI and BNetzA obligations apply; audits go live in summer 2026. 
Registration with the BBK under the KRITIS umbrella law must be completed by 17 July 2026.<\/li>\n<li style=\"margin-bottom:12px;color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">Zero Trust for OT isn\u2019t copied from IT.<\/strong> The 29 April 2026 CISA guidance makes clear: segmentation, identity boundaries and asset visibility must be engineered for SCADA, protection systems and control centres-not retrofitted.<\/li>\n<li style=\"color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">The most common gap sits at the IT-OT boundary.<\/strong> Shared service accounts, overlapping domain structures and unsegmented maintenance access are the 2026 route by which IT compromises reach the control room.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#666;margin:20px 0 32px 0;border-top:1px solid #e5e5e5;border-bottom:1px solid #e5e5e5;padding:10px 0;\"><span style=\"color:#004a59;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/07\/adaptive-mfa-nis2-pressure-as-a-zero-trust\/\" style=\"color:#333;text-decoration:underline;\">Adaptive MFA as a Zero-Trust lever<\/a>&nbsp;&nbsp;<span style=\"color:#ccc;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/03\/nis2-enforcement-welle-q2-2026-erste-eu-verfahren-laufen-was\/\" style=\"color:#333;text-decoration:underline;\">NIS2 enforcement hits 29,500 firms<\/a><\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">How a DACH energy supplier kicked off Zero Trust in 2026<\/h2>\n<p>The graphic below distils a typical programme from several publicly discussed utility initiatives-not a single company. Real names are omitted because verifiable public sources are scarce. If you\u2019re hunting for a vendor success story, look elsewhere. 
If you need an anchor for your own roadmap, here\u2019s a realistic approach.<\/p>\n<p>Baseline: a mid-size distribution grid operator (mid-hundreds of MW), multiple substations, its own control room, a Microsoft-centric IT estate and a historically grown ICS network. In 2025 the BNetzA listed the utility as KRITIS; with the NIS2 Implementation Act taking effect in December 2025, the compliance pressure doubled. The audit squeeze now comes from both the BNetzA IT security catalogue and the upcoming ISO 27019 re-certification.<\/p>\n<p>The first hard audit finding from the internal pre-assessment was uncomfortable: 41 service accounts with privileges spanning both worlds, five maintenance VPNs reaching OT segments without MFA, and an Active Directory structure that would have propagated a domain-admin compromise straight into the control room. Exactly the pattern the CISA guidance explicitly warns against.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Five steps that actually drove the program forward<\/h2>\n<p>Rather than designing a zero-trust architecture on paper, the team worked in five prioritized steps. Each produced an audit artifact the auditor can understand without further explanation.<\/p>\n<div style=\"margin:28px 0;border:1px solid #d0d4d9;border-radius:6px;overflow:hidden;\">\n<div style=\"background:#003340;color:#fff;padding:12px 18px;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.14em;\">Five prioritized steps for zero trust at an energy utility<\/div>\n<div style=\"padding:8px 0;\">\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:80px;font-weight:700;color:#0070a8;\">Step 1<\/div>\n<div style=\"color:#333;line-height:1.55;\"><strong>Unified asset inventory across IT and OT.<\/strong> Every policy begins with a definitive list of devices, protocols, firmware versions, and owners. 
Without this inventory, segmentation remains theoretical. In practice: passive listening on the OT mirror port, cross-checked against the CMDB baseline.<\/div>\n<\/p><\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:80px;font-weight:700;color:#0070a8;\">Step 2<\/div>\n<div style=\"color:#333;line-height:1.55;\"><strong>Identity separation at the IT-OT boundary.<\/strong> Shared service accounts are eliminated; OT accounts move into a dedicated identity domain with its own lifecycle. Phishing-resistant factors such as FIDO2 for administrative access are no longer optional.<\/div>\n<\/p><\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:80px;font-weight:700;color:#0070a8;\">Step 3<\/div>\n<div style=\"color:#333;line-height:1.55;\"><strong>Micro-segmentation from Purdue Level 3 onward.<\/strong> The hard line runs between Manufacturing Operations (Level 3) and Process Control (Level 2). Every crossing passes through an explainable gateway; every rule has an owner. Default is deny, not allow.<\/div>\n<\/p><\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:80px;font-weight:700;color:#0070a8;\">Step 4<\/div>\n<div style=\"color:#333;line-height:1.55;\"><strong>OT-specific threat detection with its own use-case catalog.<\/strong> The BSI-compliant system detects OT patterns-Modbus, IEC 60870-5-104, DNP3-not just IT logic. Anomalies trigger dedicated detectors and escalation paths into the SOC.<\/div>\n<\/p><\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;\">\n<div style=\"min-width:80px;font-weight:700;color:#0070a8;\">Step 5<\/div>\n<div style=\"color:#333;line-height:1.55;\"><strong>Incident response with BBK pathway and 24-hour notification.<\/strong> NIS2 mandates initial reporting to the BSI within 24 hours and final reporting within 72 hours. 
Parallel drills follow the BBK pathway from the KRITIS umbrella law. Playbooks distinguish between IT and OT incidents.<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n<p>The sequence is not a matter of preference. Starting with step three without knowing your asset and identity posture means segmenting on assumptions-an approach that collapses under real pressure.<\/p>\n<div style=\"background:#003340;color:#fff;text-align:center;padding:40px 24px;margin:32px 0;border-radius:8px;\">\n<div style=\"font-size:3.4em;font-weight:800;color:#69d8ed;letter-spacing:-0.03em;line-height:1;\">29,500<\/div>\n<div style=\"font-size:1em;color:rgba(255,255,255,0.88);margin-top:12px;max-width:560px;margin-left:auto;margin-right:auto;line-height:1.5;\">German entities fall under the NIS2 regime-six times more than under the previous KRITIS ordinance. Fines reach up to 10 million euros, and the initial reporting deadline is 24 hours.<\/div>\n<div style=\"font-size:0.78em;color:rgba(255,255,255,0.5);margin-top:12px;\">Source: BSI \/ OpenKRITIS, March 2026<\/div>\n<\/div>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">What the CISA recommendation means for DACH utilities<\/h2>\n<p>The joint advisory dated 29 April 2026 is not just for U.S. readers. It highlights four points every DACH utility audit will spotlight. First, identities must not be shared between IT and OT. Second, visibility at asset and protocol level is a prerequisite for segmentation. Third, default-deny must work in OT without disrupting operations. Fourth, incident response in OT requires its own playbooks and exercises.<\/p>\n<p>Volt Typhoon is explicitly named in the advisory. The pattern of compromising IT credentials to pivot into OT is now standard. 
A utility that does not separate OT identities is banking on the protection of its IT domain-protection that has failed in multiple public incidents.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Where suppliers will still fail in 2026<\/h2>\n<p>Three mistakes crop up most often in practice. The first is organisational. OT security sits with operations, IT security with the CIO. Without shared responsibility anchored at board level, every zero-trust strategy falls apart at the seam. NIS2 makes management explicitly liable, rendering the split politically untenable.<\/p>\n<p>The second mistake is technical. Maintenance VPNs for plant manufacturers are treated as exceptions and thus excluded from micro-segmentation. Exactly this vector has been cited in several public energy incidents over the past two years. Any blanket exemption here undermines the entire concept.<\/p>\n<p>The third mistake is procedural. The 24-hour NIS2 initial-reporting deadline is rarely rehearsed. In reality it means an on-call team must be able to authorise the report without waking the executive board. Without test reports and a documented escalation chain, the deadline will be missed when it matters.<\/p>\n<p>The utility in the case study above tackled precisely these three gaps before rolling out the technical programme-three months before the first BSI audit. That is the pragmatic window in which open issues can actually be closed. Starting in June, you will only have slides by September.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<h3>When does the first BSI audit start under the NIS2 Implementation Act?<\/h3>\n<p>The NIS2 Implementation Act entered into force on 6 December 2025; the registration obligation is live. BSI supervision moved into the operational phase in May 2026, with first audits at critical-infrastructure energy suppliers expected for summer 2026. 
If you cannot document the risk-management measures required by Article 21 NIS2, you will face a problem.<\/p>\n<h3>How does zero-trust in OT differ from zero-trust in IT?<\/h3>\n<p>OT environments have hard availability and latency demands, legacy protocols without encryption, and devices that cannot be patched. An IT logic that relies on continuous verification for every request cannot simply be applied to a control system. The CISA recommendation of 29 April 2026 therefore sets out a dedicated OT interpretation: segmentation, identity boundaries and asset visibility come first; continuous verification is phased in.<\/p>\n<h3>What role does ISO 27019 play in NIS2 audit practice?<\/h3>\n<p>ISO 27019 is the energy-specific extension of ISO 27001. It covers OT-specific controls that the plain 27001 catalogue does not address. In the BNetzA IT security catalogue, certification to ISO 27001 plus 27019 is mandatory. NIS2 risk-management and ISO 27019 requirements overlap, so audits can be combined if documentation is clean.<\/p>\n<h3>Do maintenance VPNs have to be fully integrated into micro-segmentation?<\/h3>\n<p>Yes-with dedicated, time-limited identities and in-line detection. Blanket exemptions for plant manufacturers are no longer defensible under CISA guidance and audit practice. Just-in-time access combined with session recording replaces the permanent site-to-site tunnel.<\/p>\n<h3>How can the BBK under the KRITIS umbrella be used alongside the BSI?<\/h3>\n<p>The KRITIS umbrella law addresses physical resilience, sabotage and hybrid threats, while NIS2 covers IT security. Both tracks run in parallel, with separate registrations. Suppliers must also register with the BBK by 17 July 2026. 
Operationally, it makes sense to structure incident reports, exercises and contingency plans so that a single report serves whichever track is relevant, avoiding duplication.<\/p>\n<h3>Editor\u2019s Reading Picks<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/03\/nis2-enforcement-welle-q2-2026-erste-eu-verfahren-laufen-was\/\">NIS2 enforcement targets 29,500 German firms<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/13\/zero-trust-network-segmentation-why-flat-networks-are-the-biggest-security-risk\/\">Zero-Trust network segmentation: why flat networks are the biggest security risk<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/23\/when-manufacturing-stops-why-german-engineering-is-targeted-by-ot-attacks\/\">When production halts: OT attacks in German mechanical engineering<\/a><\/li>\n<\/ul>\n<div style=\"margin:40px 0 24px 0;\">\n<p style=\"margin:0 0 12px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.18em;color:#666;\">More from the MBF Media Network<\/p>\n<div style=\"padding:14px 18px;border-left:3px solid #0bb7fd;background:#fafafa;margin-bottom:6px;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#0bb7fd;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">cloudmagazin<\/div>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/2026\/05\/24\/platform-engineering-compliance-idp-nis2-dora-2026\/\" style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">Platform engineering for compliance: IDPs enforce NIS2 and DORA<\/a><\/p>\n<\/div>\n<div style=\"padding:14px 18px;border-left:3px solid #202528;background:#fafafa;margin-bottom:6px;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#202528;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">mybusinessfuture<\/div>\n<p><a href=\"https:\/\/mybusinessfuture.com\/krisenplan-statt-krisen-pr-mittelstand-vier-entscheidungen\/\" 
style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">Crisis plan instead of crisis PR: four decisions for SMEs<\/a><\/p>\n<\/div>\n<div style=\"padding:14px 18px;border-left:3px solid #d65663;background:#fafafa;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#d65663;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">digital-chiefs<\/div>\n<p><a href=\"https:\/\/www.digital-chiefs.de\/tech-mandate-aufsichtsrat-nis2-eu-ai-act-governance-2026\/\" style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">Tech mandates on supervisory boards: NIS2, EU AI Act and the skills gap<\/a><\/p>\n<\/div>\n<\/div>\n<p style=\"text-align:right;color:#868e96;font-size:0.85em;margin-top:48px;\"><em>Source of title image: Pexels<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"The BSI will launch the first NIS2 audits for KRITIS energy suppliers in summer 2026. What OT Zero Trust really needs to deliver &#8211; beyond identity logic.","protected":false},"author":55,"featured_media":14101,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"","_yoast_wpseo_title":"Zero Trust at the energy supplier: What the NIS2 audits are now revealing","_yoast_wpseo_metadesc":"BSI launches first NIS2 audits for critical energy suppliers in summer 2026. 
Discover what OT-Zero-Trust truly needs beyond identity logic.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_wp_old_slug":[],"footnotes":""},"categories":[3,5,215,251],"tags":[],"class_list":{"0":"post-15636","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","6":"hentry","7":"category-aktuelles","8":"category-case-studies","10":"category-news"},"wpml_language":"en","wpml_translation_of":15576,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/15636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=15636"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/15636\/revisions"}],"predecessor-version":[{"id":15640,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/15636\/revisions\/15640"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/14101"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=15636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=15636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=15636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}