Security policy program 2026

ENCS organises its knowledge development in 3 programs: policy, architecture, and operations. Below, you can explore what we have planned in these areas for 2026.

The policy program aims to develop and share knowledge with security officers responsible for organizational security measures. It covers security policies, regulation, and the development of information security management systems (ISMSs).

In 2026, we will work on supply chain security, the security of high-power consumer IoT devices, risk assessments, and AI security for grid systems.

Supply chain security

Supply chain risks remain one of the highest priorities for our members and they are coming under increasing scrutiny by regulators under the NIS 2 directive. ENCS has supported members and stakeholders in this area with security requirements for procuring components and systems, and through requirements-based testing.

But besides components and systems, members also need to define and enforce security requirements for services. Service providers are often key to the cybersecurity of critical systems.

Requirements for service providers are, however, more difficult to standardise than those for components and systems. In 2025, we collected best practices on cybersecurity in supply chains. This year, we will further develop these best practices, and hold webinars and an online workshop in which members' supply chain security experts explain their approach and their challenges.

Security of high-power consumer IoT devices

Work from the past few years has shown that high-power consumer IoT devices, such as solar inverters, EV charging stations, batteries, and heat pumps, pose a serious security risk for the electricity system. Such devices control enormous amounts of power. If a large number of them are switched off at the same time, the resulting imbalance will cause a serious disruption of the electricity system.

But manufacturers and operators of such devices often do not treat them as critical. Tests of different devices show that they often contain serious vulnerabilities. And the central management systems are often an even greater risk.

Using the three-part approach to mitigate this threat, this year we will:

  • Continue testing work on new IoT devices selected through risk assessment, and coordinate vulnerability reporting with the DIVD
  • Work on a harmonized standard for EV security
  • Work on a legal gap analysis for IoT-related regulations through the Smart Energy Expert Group (SEEG)

Risk assessments

Upcoming cybersecurity regulations such as NIS2 and the NCCS put a strong emphasis on risk assessments. Additionally, the increasing risk from nation-state actors will require more in-depth risk assessments. During the implementation of the first NIS directive, most members had a compliance-driven approach, focused on implementing a broad set of controls such as ISO/IEC 27002. This broad approach has proven effective against less skilled and motivated threat actors. But against nation-state threats, a more risk-based approach will be needed to protect members' most critical assets against advanced attacks.
 
In 2026, we will address challenges to risk assessments including:
  • Meeting legal requirements from NCCS and NIS2
  • Best practices to integrate test and audit results into risk assessments, and define actions based on risk assessment results

AI for grid systems

In 2024, ENCS started working on AI in power grid systems with a whitepaper. In 2025, we hosted two webinars to share experiences with AI at different members. We will continue work in this area in the 2026 program by analyzing the legal requirements and standards, and performing a threat analysis.

Become an ENCS member

Are you interested in our cyber security programs? As an ENCS member, you can contribute to and learn from all our programs. Click below to learn more about our memberships.
