AI in energy: critical infrastructure and NIS2

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

AI that manages or operates energy supply can be high-risk under the AI Act (Annex III, critical infrastructure). The energy sector also falls under NIS2 for cybersecurity. Two regimes with partly overlapping demands on robustness and oversight.

Short answer: AI in energy triggers two regimes. If the AI system, as a safety component, manages or operates critical infrastructure (think grid balancing, smart grids or security of supply), it can be high-risk under Annex III of the AI Act. The sector also falls under NIS2 as an "essential entity". Both impose requirements on robustness, security and oversight that are best met together.

Annex III: critical infrastructure

Annex III of the AI Act classifies AI systems intended as a safety component in the management and operation of critical digital infrastructure, road traffic and the supply of, among others, electricity as high-risk. The test is functional: does the system co-determine whether supply stays safe and reliable? An AI that forecasts load for planning is different from an AI that intervenes on the grid in real time; the latter leans towards high-risk.

NIS2: cybersecurity

NIS2 (Directive (EU) 2022/2555) designates energy as a sector with essential entities. That brings obligations for risk management, incident reporting, supply-chain security and management accountability. For AI systems running on critical processes, NIS2 means the security of the system itself (against manipulation, data poisoning or failure) is part of the statutory duty of care, not optional.

Where the regimes meet

The AI Act requires accuracy, robustness and cybersecurity for high-risk systems (Art. 15). NIS2 requires appropriate technical and organisational measures for the whole entity. These overlap in practice: an attack that fools a grid AI is at once an AI Act robustness issue and a NIS2 incident. The smart move is to embed AI risk management in the broader NIS2 security policy, so one governance structure covers both.

Not everything is high-risk

Much energy AI is not a safety component: consumption forecasting, tariff optimisation or customer analytics. These fall outside Annex III, but may fall under the GDPR (smart meters, profiling) or under NIS2 if they run on critical systems. The pattern of overlap between safety and sectoral rules resembles that of AI in manufacturing.

What to do

  • Classify per system: is the AI a safety component for supply, or supporting?
  • Integrate governance: bring AI Act robustness into your NIS2 security policy.
  • Secure incident reporting: make sure AI failures fit the NIS2 reporting chain.
  • Protect data and model against manipulation and poisoning: that is both AI Act and NIS2.
  • Assign accountability at board level; NIS2 makes this explicit.

In the energy sector AI is rarely a standalone IT project. It is part of critical infrastructure, and is assessed by the AI Act and NIS2 together.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Annex III lists AI as a safety component in the management and operation of critical infrastructure as high-risk.
  2. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
    Directive (EU) 2022/2555 (NIS2): cybersecurity obligations for essential entities, including the energy sector.
