Any Questions?

Feel free to reach out if you would like to find out how Athereon GRC can support you with current governance, risk and compliance issues.

8.7.2026
7 minutes

ISMS for Energy Providers and Municipal Utilities: Securely and Compliantly Positioned with Athereon GRC

Energy supply is the backbone of a functioning society and, at the same time, a preferred target for cyberattacks. As grid control, generation facilities, and metering systems become increasingly digitalized, the attack surface continues to grow. For energy providers and municipal utilities, an Information Security Management System (ISMS) is therefore no longer optional but a legal obligation. An ISMS for energy providers consolidates processes, responsibilities, and technical measures into an auditable system. This creates the foundation for demonstrable compliance in the energy sector. This article outlines the regulatory requirements and shows how you can meet them in a structured way with Athereon GRC.

Why an ISMS Is Indispensable for Energy Providers

Electricity and gas grids, power plants, and their associated control technology depend entirely on information and communication technology. If this fails or is manipulated, the consequences are immediately felt, ranging from supply disruptions to threats to public safety. Lawmakers therefore classify the energy sector as a Critical Infrastructure (CI or KRITIS in Germany).

The threat landscape has intensified significantly in recent years. Attacks on operational technology ( OT) are increasing, and the interconnection of IT and OT—for example in smart grids and intelligent metering systems—opens up new attack vectors. An ISMS addresses this challenge not with isolated individual measures, but with a continuous management cycle: identifying risks, deriving measures, reviewing effectiveness, making adjustments. It is precisely this cycle that makes information security manageable and—crucially, vis-à-vis supervisory authorities—demonstrable.

The regulatory framework in the energy industry

For energy providers, the obligation to implement an ISMS arises from several legal bases, some of which apply in parallel. Those who clearly distinguish between the requirements avoid gaps and duplicated effort.

IT Security Catalog pursuant to Section 11 (1a) of the German Energy Industry Act (EnWG): Electricity and gas network operators are required to operate an ISMS based on ISO/IEC 27001 and have it certified. The standard is supplemented by the industry-specific ISO/IEC 27019, which reflects the particularities of process and network control in the energy supply sector. Network operators have been required to demonstrate implementation through certification since January 31, 2018. Verification follows a three-year audit cycle with annual surveillance audits by an accredited certification body.

The catalog is not limited to the ISMS as such. Network operators first appoint an IT security officer and report them to the Federal Network Agency before building and certifying the ISMS in accordance with the requirements. In addition, attack detection systems (Systeme zur Angrifsserkennung, SzA for short) must be operated that continuously detect and log attacks on the IT systems in use. Even after the most recent legislative changes, these SzA requirements remain in effect; for implementation, operators can follow the BSI's guidance or demonstrate an equivalent level of security by other means.

IT Security Catalog pursuant to Section 11 (1b) EnWG, in the future Section 5c EnWG: Operators of energy facilities classified as critical infrastructure under the BSI Critical Infrastructure Ordinance and connected to an energy supply network are subject to a corresponding obligation. Here, too, the focus is on an ISMS in accordance with ISO/IEC 27001, taking ISO/IEC 27019 into account. It should be noted that, following a clarification by the Federal Network Agency, the certification requirement also applies to operational managers: Anyone who operates systems, applications, or components within the scope of the catalogs on behalf of an operator must have their own ISMS certified.

Changes introduced by the NIS2UmsuCG: With the entry into force of the Act implementing the NIS2 Directive on December 6, 2025, amendments were made to the Energy Industry Act (EnWG). The risk management measures and the tightened reporting obligations for the energy sector are governed through the EnWG. Important for practice: Until a revised IT security catalog is published, the existing catalogs under Section 11 (1a) and (1b) EnWG continue to apply to grid and facility operators. The Federal Network Agency is currently revising the catalog and expanding it to include the groups of addressees newly regulated in the course of the NIS2 implementation.

Two aspects deserve particular attention here. First, the tiered reporting obligation for significant security incidents: an initial report within 24 hours, a confirmation within 72 hours, and a final report within one month. An ISMS that records incidents in a structured manner and clearly assigns responsibilities is the prerequisite for meeting these deadlines. Second, the responsibility of executive management: The law establishes personal liability at management level for the implementation of risk management measures. Information security has thus definitively become a matter for top management and is no longer a purely technical concern of the IT department.

For compliance in the energy sector, this means that the established ISMS obligations remain in place and are not replaced by NIS2 but expanded. A resilient ISMS therefore forms the common foundation on which both the IT security catalog and the NIS2 requirements can be mapped.

ISMS certification for municipal utilities: specific challenges

Municipal utilities face a particular starting position. They often combine several roles under one roof: Grid operation for electricity and gas, generation, water supply, district heating, and increasingly digital energy services. Each of these divisions can trigger its own regulatory requirements. For the ISMS certification of municipal utilities, this means: The scope must be precisely defined so that all relevant systems, applications, and components are covered, without unnecessarily inflating the project through an overly broad scope.

There is also the resource aspect to consider: Unlike large corporations, municipal utilities rarely have extensive security departments. Responsibility for the ISMS often lies with just a few people who are simultaneously handling other tasks. This is precisely where it is decided whether an ISMS is perceived as a bureaucratic burden or as a manageable instrument. The key lies in avoiding duplicated effort: Those who document ISO 27001, ISO 27019, and NIS2 requirements in a single, shared system rather than maintaining them separately significantly reduce the effort required for setup and operation, and are better prepared for every audit.

A practical example: A municipal utility operates an electricity grid (catalog under Section 11 (1a) EnWG), simultaneously maintains a generation facility classified as KRITIS (Section 11 (1b) EnWG), and falls under NIS2 obligations with additional business lines. Without a common structure, three parallel documentation streams arise, with some identical measures. If, on the other hand, these requirements are consolidated in a single ISMS and mapped to one another, a measure implemented once—for example, for access control or emergency management—can be evidenced for several sets of regulations at the same time.

Efficiently build and operate your ISMS with Athereon GRC

Athereon GRC is the leading European GRC platform and was designed as workflow-driven, integrated software that addresses precisely these challenges. Athereon GRC’s ISMS solution supports energy providers and municipal utilities throughout the entire life cycle of their information security management system.

The platform is framework-agnostic: It maps all relevant standards—from ISO/IEC 27001 to ISO/IEC 27019 and beyond—with editorially prepared standard texts and enables implementation precisely at the requirements level. Advanced mapping allows content-identical requirements from different standards to be consolidated with a single click. For municipal utilities with several parallel sets of regulations, this is a key lever: Document once, provide evidence multiple times.

Additional building blocks for the energy sector:

  • Scope and organizational mapping: Define your scope precisely and map your organizational structure hierarchically as the foundation for audit-proof evidence.
  • Workflows and operationalization: Distribute tasks in a structured way across the organization, from control implementation to automated reporting.
  • Real-time insights: The 360-degree real-time model makes the status of your ISMS compliance visible at any time, enabling you to respond quickly to changes.
  • Audit preparation: With structured tracking, reminders, and detailed evaluations, you enter every certification and surveillance audit well prepared.

Via REST API, Athereon GRC integrates seamlessly into your existing IT landscape. In addition to the ISMS module, the platform's other modules cover adjacent requirements, such as BCM for operational resilience, DSM for data protection, and ERM and SRM for risk and supplier risk management.

Full control with AI agent LAiKA

A modern ISMS benefits from intelligent support without those responsible having to hand over control. AI agent LAiKA supports you with recurring tasks according to a clear escalation logic: from the foundation through LAiKA Assist to the specialized agents Infrastructure Mapper, Compliance Assistant, and Questionnaire Assistant. Throughout, the principle of user control applies: Nothing without your OK. You decide which suggestions are adopted. Responsibility for your ISMS always remains with you.

100% Made in Germany

For operators of critical infrastructure, the storage location of their data is security-relevant. Athereon GRC is developed in Germany and hosted in Germany. Your data never leaves domestic servers at any point. This 100% Made in Germany attribute qualifies the platform as a suitable solution for organizations in the energy sector that handle sensitive data and must meet stringent security requirements.

Viewing compliance as an opportunity

Regulatory obligations are often perceived as a mere mandatory exercise. For energy suppliers and municipal utilities, however, a different perspective is worthwhile: A properly implemented ISMS not only reduces liability and fine risks but also strengthens operational resilience against attacks and outages. It creates transparency about your own security posture, improves the decision-making basis for investments, and signals reliability to customers, municipalities, and regulatory authorities.

In this sense, compliance should be understood as an opportunity — as an investment in supply security and in public trust. A digitally supported ISMS is what makes this value tangible in the first place, because it brings the effort of setup and operation down to a manageable level.

Conclusion

For energy suppliers and municipal utilities, an ISMS is legally mandated through the IT Security Catalog pursuant to Section 11 of the German Energy Industry Act (EnWG), and, since December 2025, has been supplemented by the requirements of the NIS2 transposition. Anyone who consolidates these obligations in a single, audit-ready system saves effort and passes every audit with confidence. Athereon GRC supports you with a framework-agnostic platform, precise scope management, intelligent workflows, and the AI agent LAiKA. Developed and hosted in Germany. This is how you establish your ISMS for the energy sector securely and in full compliance with applicable standards.

Would you like to learn more?

Book a noncommittal demo appointment with our team to analyze your individual use case with us.