The IT Security Catalogue under §5c EnWG: What Grid and Facility Operators Must Do in 2026
This article sets out the new legal position: what §5c, §5d and §5e require, who is now in scope, how the revision roadmap with a consultation in August 2026 looks, which certification stays mandatory, where the criticism lands and what grid and facility operators should do now.
The IT security catalogue under §5c EnWG sets the binding IT security requirements for operating energy supply networks and energy facilities in Germany. With the NIS2 implementation act, the earlier rules from §11 (1a) to (1g) EnWG were moved into the new sections 5c, 5d and 5e. §5c requires appropriate protection against threats through a certified information security management system per DIN EN ISO/IEC 27001 and 27019, §5d governs proof and reporting with an initial notice within 24 hours and a report within 72 hours, and §5e makes the management board personally responsible and liable. The scope grows sharply: it now covers all electricity and gas grid operators regardless of size, energy facility operators classified as particularly important or important entities under §28 BSIG, and for the first time operators of digital energy services such as aggregators running virtual power plants. Nationwide, the number of regulated entities rises from around 2,100 to about 29,000, of which only around 11,500 were registered with the BSI by the deadline of 6 March 2026. The BNetzA and the BSI have been revising the catalogues since early 2026, are aiming for an industry consultation in August 2026, and the consolidated new catalogue is intended to apply from 1 January 2027. Until then the old §11 catalogues remain in force. The Association of Local Utilities criticises the draft as half-baked and warns of double regulation. For grid and facility operators this means confirming their classification, reserving certification capacity early and bringing the management board on board.
Why §5c EnWG reorders IT security
With the NIS2 implementation act, the German legislator has re-sorted the IT security rules for the energy sector. The familiar rules from §11 (1a) to (1g) EnWG now sit in the new sections 5c, 5d and 5e. For you as a grid or facility operator this changes not only the reference but the bar itself: more operators in scope, clearer proof duties and personal responsibility at board level.
The legal basis is Germany's transposition of the EU NIS2 directive, anchored in the EnWG and flanked by the BSIG. The sector-specific IT security catalogue of the Federal Network Agency stays the central instrument, but it is being redrafted.
- The old paragraphs §11 (1a) to (1g) EnWG were repealed and moved in substance into sections 5c to 5e.
- The core duty under §5c (1) EnWG is appropriate protection against threats for the systems that keep network operation secure.
- The catalogue will be reviewed every two years and updated as needed, so it is a moving target rather than a one-off task.
What §5c, §5d and §5e require
The three sections split the duties into protection, proof and responsibility. §5c sets the protective measures, §5d the documentation and reporting duties, and §5e addresses the management board. The core stays the certified information security management system.
- §5c, protection: risk analysis, incident management with backup and recovery, supply chain security, security by design, regular audits, cyber hygiene and training. In future this also includes the use of ICT products with cybersecurity certification under EU Regulation 2019/881.
- §5d, proof and reporting: documentation of catalogue compliance, transmission to the BNetzA, and a staged reporting procedure with an initial notice within 24 hours, a report within 72 hours and a closing report.
- §5e, responsibility: personal responsibility of the management board for strategy, resources and effectiveness monitoring, mandatory training, and liability for negligent violations under §93 AktG and §43 GmbHG.
Who is now in scope: three groups instead of one
The circle of obligated operators is much wider than before. Alongside all grid operators, the rules now also cover larger energy facilities and, for the first time, digital energy services. For the latter two groups, the decisive factor is the classification under §28 BSIG as a particularly important or important entity.
Nationwide, the number of regulated entities rises from around 2,100 to about 29,000. By the registration deadline of 6 March 2026, only around 11,500 of them were registered with the BSI. The gap shows how many operators are still at the start.
- Grid operators: all operators of electricity and gas supply networks, regardless of size and voltage level, from extra-high voltage down to low voltage.
- Energy facility operators: facilities that count as a particularly important entity from 250 employees or 50 million euros of revenue and 43 million euros of balance sheet total, or as an important entity from 50 employees or 10 million euros each of revenue and balance sheet total.
- Digital energy services: covered for the first time, for example aggregators running virtual power plants, load management or energy management systems. How such data-driven services rest on metering data is set out in the article on the smart meter rollout .
The roadmap: consultation and effect in 2027
The new determination is not final yet. Until the new catalogue applies, the existing §11 catalogues stay in force and existing certificates keep their validity. The timeline is tight because the legal basis and the catalogue are taking shape in parallel.
The existing catalogues under §11 (1a) (grid operators, since 2015) and §11 (1b) (energy facilities, since 2018) remain in force during the transition.
The BNetzA starts the revision together with the BSI. The old catalogues are consolidated and aligned more closely with the process-oriented approach of ISO/IEC 27001.
The BNetzA and BSI aim for an industry consultation. Operators and associations can raise their points before the determination becomes final.
The consolidated new IT security catalogue is intended to apply. From then, proof runs through the new catalogue instead of the §11 version.
The legal anchoring in the EnWG runs through several amendments. The frame of the latest change is described in the article on the EnWG amendment 2026 .
Certification: ISMS per ISO 27001 as mandatory proof
The proof of compliance still runs through a certified ISMS. Certification is carried out by a DAkkS-accredited body on the basis of DIN EN ISO/IEC 27001, complemented by the sector-specific ISO/IEC 27019. Whoever sets up their management system cleanly now only has to fine-tune it later.
- The certificate is valid for three years, with mandatory annual surveillance audits.
- Every operator must name an IT security contact to the BNetzA, and facility operators must additionally register a point of contact with the BSI.
- The number of available auditors is limited. Reserving certification capacity early is advisable, otherwise a bottleneck looms just before the deadline.
Challenges and risks
The switch ties up resources and hits smaller municipal utilities in particular. The Association of Local Utilities warns of double regulation and legal uncertainty. There are open technical points too.
- Double adjustment: the VKU calls the draft half-baked and demands a postponement, because operators would have to adapt their IT security to new requirements twice in a short time.
- Utopian standard: VKU Managing Director Ingbert Liebing criticises the demand for one hundred percent security. A residual risk always remains, so a zero risk is not achievable.
- Room for interpretation: the shift from German to more English-language standards creates room for interpretation by auditors.
- Overlapping jurisdiction: between the BNetzA under the EnWG and the BSI under the BSIG, companies with several fields of activity can face questions of demarcation. The wider frame is described in the article on the NIS2 and KRITIS umbrella law .
What companies should do now
Even without a final catalogue, there is groundwork to do. Whoever sets up their ISMS cleanly now and clears the governance early only has to fine-tune later instead of starting over. Four steps are pressing.
Four priority steps
-
Clarify classification and registration
Check whether the company counts as a particularly important or important entity under §28 BSIG and document the registration with the BSI. That settles which duties actually apply.
-
Reserve certification capacity
Talk to a DAkkS-accredited certification body early and secure an audit slot. Because the number of auditors is limited, the market gets tight towards the cut-off date.
-
Set up reporting and contact processes
Name the IT security contact and set up the reporting processes for the 24-hour and 72-hour deadlines from §5d in practice, including responsibilities and escalation outside office hours.
-
Bring the management board on board
Because §5e provides for personal responsibility and liability, the topic belongs on the leadership agenda early. Strategy, resources and board training are part of the duty, not a later add-on.
IT security does not stand alone. It reaches into the same shift as the growing use of AI in cyber defence, which the article on AI-supported cybersecurity places in context. Network operation, market processes and the security organisation only form a full picture together.
Further reading
Frequently asked questions
The IT security catalogue under §5c EnWG is the set of binding IT security requirements defined by the German Federal Network Agency (BNetzA) in agreement with the BSI for operating energy supply networks and energy facilities. Its core is a certified information security management system per DIN EN ISO/IEC 27001 and 27019. The catalogue replaces the earlier catalogues under §11 (1a) and (1b) EnWG.
Three groups are covered: all operators of electricity and gas supply networks regardless of size, energy facility operators classified as particularly important or important entities under §28 BSIG, and, for the first time, operators of digital energy services such as aggregators running virtual power plants. Nationwide, the number of regulated entities rises from around 2,100 to about 29,000.
The BNetzA and the BSI have been revising the catalogues since early 2026 and are aiming for an industry consultation in August 2026. The consolidated new catalogue is intended to apply from 1 January 2027. Until then, the existing catalogues under §11 (1a) and (1b) EnWG remain in force and existing certificates keep their validity.
The proof runs through an information security management system certified by a DAkkS-accredited body on the basis of DIN EN ISO/IEC 27001, complemented by the sector-specific ISO/IEC 27019. The certificate is valid for three years, with mandatory annual surveillance audits. Every operator must name an IT security contact to the BNetzA.
Grid operators should confirm their registration with the BSI and their classification under §28 BSIG, reserve certification capacity early, name an IT security contact and set up the reporting processes for the 24-hour and 72-hour deadlines. Because §5e makes the management board personally responsible and liable, the topic belongs on the leadership agenda early.