On 15 January 2026, Sweden's Cybersecurity Act came into force, implementing the EU's NIS2 Directive into national legislation. For the energy sector, this marks a clear shift: cybersecurity is no longer solely an IT issue, but a strategic and operational obligation that affects the entire organisation.
The energy sector is classified as essential, meaning highly critical, under the NIS2 Directive, which entails the strictest requirements and the most active supervision. The scope is broad: electricity, district heating, district cooling, gas, oil and hydrogen are all covered by the Cybersecurity Act.
One significant change is that the legislation now captures considerably more energy companies than previous NIS legislation. Even smaller operators may now be included, based on the criticality of their operations to society rather than solely the size of the company.
The law sets out concrete requirements across four areas:
Risk management and security measures: Energy companies must have defined processes for identifying, assessing and managing risks in their network and information systems, and continuously update their protections as new threats emerge.
Incident reporting: In the event of a serious incident involving energy infrastructure, a preliminary notification must be submitted to the competent authority within 24 hours. This requires that procedures and responsibilities are in place in advance, not once a crisis has already occurred.
Supply chain security: Energy companies bear clear responsibility for ensuring that external suppliers of digital services and systems also meet security requirements. An incident at a supplier can quickly have consequences for their own critical infrastructure. Certifications therefore become an important tool for verifying that suppliers meet the required security standards.
Management accountability: One of the most significant changes introduced by NIS2 is that boards and senior management now bear ultimate responsibility for cybersecurity work. It is no longer a matter that can be delegated solely to the IT department.
Energy companies that do not meet the requirements of the Cybersecurity Act risk penalty fees of up to 10 million euros or 2 percent of global turnover. The supervisory authority, the Swedish Energy Markets Inspectorate, has the right to carry out both planned and unannounced inspections.
A central part of meeting NIS2 requirements is maintaining good oversight of critical infrastructure. Energy companies that already work in a structured way with monitoring, condition analysis and maintenance of their equipment, including transformer stations, switchgear and distribution networks, are better positioned both to prevent incidents and to respond quickly when something does occur.
Many energy companies have a strong understanding of their physical infrastructure, but the digital picture is often fragmented. NIS2 puts pressure on organisations to bring the two together. Companies that have built structures for continuous monitoring and data-driven maintenance planning early on are now finding that this work pays off, both operationally and from a compliance perspective.
NIS2 sets clear requirements for energy companies to actively manage security risks in their supply chain. Gomero is certified to ISO 27001, the international standard for information security, meaning that our security work around data, access control and cybersecurity risks is structured and reviewed by an independent party each year.
"What we are seeing is that energy companies are increasingly requesting concrete proof that their suppliers meet the required security standards. ISO 27001 provides exactly that: an independent confirmation that information security is structured and meets international standards," says Malin Giselsson, CTO at Gomero.
Want to know more about how Gomero works with operational reliability and predictive maintenance for energy infrastructure, and what our ISO 27001 certification means for you as a customer? Contact us.