NIS2 gives Europe’s hydrogen sector a head start on cybersecurity


Author: Tobias Nitzsche, Global Cyber Security Lead, ABB Energy Industries

Originally published in H2 View on July 24, 2025.

As renewable hydrogen becomes ever more embedded in critical energy infrastructure, with reliance on the fuel increasing for powering transportation, industries and homes, the sector is likely to become a more prominent target for cyber attacks.

The good news, however, is that the sector’s early-phase status and digital-first nature align with efforts that are well underway across the EU to ensure that companies involved in the production, storage and distribution of clean hydrogen are well-equipped to detect threats and defend themselves.

The EU's Network and Information Security (NIS) 2 Directive, which came into force in October last year, expanded the scope of EU cybersecurity rules to include the hydrogen sector as an essential entity. The Directive seeks to further modernize the existing legal framework to keep pace with increased digitization and an evolving cybersecurity threat landscape.

Unlike legacy power systems like oil and gas that were already regulated under NIS2, many hydrogen entities are new entrants into the regulatory ecosystem. That means the NIS2 framework represents an opportunity to embed cybersecurity into operations from day one.

Companies in the hydrogen sector must now implement robust cybersecurity programs to meet the obligations of NIS2, which include reporting obligations along with technical and organizational measures.

Unique cybersecurity pressures facing hydrogen

From electrolysis plants to hydrogen fueling stations, the sector is building itself from the ground up — and with it, a complex digital footprint. 

Like other parts of the energy industry, hydrogen systems increasingly rely on interconnected digital controls, linking pressure valves, electrolyzer stacks, storage tanks, and transport systems via both IT and OT layers. But hydrogen faces distinct challenges to its cyber risk profile.

Firstly, hydrogen projects often involve cross-sector collaboration, from energy providers to chemical producers to logistics companies. This can result in complex partnerships where cybersecurity accountability can become blurred. Unlike mature power grids or oil pipelines, many hydrogen facilities are part of early-phase joint ventures or public-private partnerships, adding layers of organizational complexity.

Secondly, as a fast-growing and relatively young sector, hydrogen operations can lack the legacy systems that dominate traditional energy infrastructures. This presents both opportunity and risk: while security can be built into greenfield projects, they may not have the cybersecurity maturity models that electricity or oil and gas companies have refined over decades.

Finally, this carries over to hydrogen value chains, which are often a patchwork of novel technologies. From electrolysis and liquefaction to drone-based leak detection and smart metering, many of these processes are deploying networked controls for the first time. The result is an expanded attack surface, which makes uniform security strategies harder to apply.

What will NIS2 mean for the hydrogen sector?

According to the AV TEST Institute, over 280,000 new malicious programs are detected daily, adding to the nearly 1.5 billion pieces of malware found since 1984. On a more granular level, this equates to new malware being detected every 3.3 seconds. [1]

NIS2 addresses such vulnerabilities by requiring companies to include a robust cybersecurity risk assessment of production systems and to define critical components.

Operators must improve incident handling, establish procedures to detect cybersecurity incidents and ensure prompt restoration of production through clearly defined protocols.

NIS2 also elevates the importance of supply chain security to close the door on one of the most common attack vectors. Operators must determine information security requirements for their direct suppliers and establish programs for supplier monitoring and verification.

The nascent hydrogen sector has an opportunity to build in robust cybersecurity measures from the ground up, ensuring NIS2 compliance from the outset. Protective measures can be considered in the design phase of new systems or implementations and be more seamlessly integrated into the industry's operations.

IT and OT teams need to collaborate on cybersecurity

However, while “cyber-mature companies” have most likely addressed the requirements of NIS2, especially in enterprise IT, the same may not be true in OT.

The biggest gaps appear here. OT requires a different approach than IT when applying rules and mitigations. OT security teams must lead the effort, working closely with their IT counterparts.

Another challenge will be the reporting obligations. Many industries are not ready for incident handling in OT, which is the basis for timely reporting capabilities.

Early warning needs to happen without delay and within 24 hours after learning of incidents that could have a significant impact. Misalignment between people, process and technology poses a major challenge.

While the cybersecurity demands of NIS2 appear daunting, the need to protect critical infrastructure, both for the benefit of industry and society, is paramount.

IBM estimates that the global average cost of a data breach in 2024 was $4.88 million, while organizations that used cybersecurity prevention saved an average of $2.22 million compared with those that didn’t. [2]

Making NIS2 work for hydrogen

  • Start early with OT and IT collaboration by building cross-functional teams that align operational and IT security from the outset.
  • Conduct sector-centric risk assessments that go beyond generic checklists, mapping hydrogen-specific risks, from electrolysis plant control systems to hydrogen storage monitoring.
  • Embed cybersecurity in procurement processes with requirements for suppliers to meet clear security standards and conduct joint exercises.
  • Prioritize incident readiness by establishing clear reporting lines and rehearsing incident scenarios, focusing on both digital and physical impacts.

By taking these steps to meet NIS2, the hydrogen sector can turn its position as a digital newcomer into an advantage, embedding resilience from the start, rather than retrofitting it later.

[1] https://portal.av-atlas.org/malware
[2] https://www.ibm.com/reports/data-breach
