As offshore wind has become a cornerstone of European energy independence, it has also emerged as a prime target for physical, cyber and hybrid threats.
In response, the EU has introduced strengthened resilience and preparedness requirements that are shaping a new regime of sector-specific legislation in Denmark impacting the energy sector, including offshore wind.
In 2022, shortly before Russia’s invasion of Ukraine, 5,800 wind turbines across Europe were affected by a large-scale cyberattack.
At the same time, sabotage-like incidents targeting subsea cables in the Baltic Sea have highlighted the vulnerability of critical offshore energy infrastructure.
A December 2025 report by the Danish Defence Intelligence Service states that “Russia in particular, but also other foreign states, pose a significant threat to critical infrastructure in the West.”
In addition to the specific incidents, offshore wind installations face recurring security challenges, including vulnerabilities in legacy control systems, communication networks and physical security measures.
These developments require offshore wind organisations to integrate security and resilience into governance and operational planning.
The scale, complexity and integration of offshore wind make it a cornerstone of the European energy system, where disruptions – physical or cyber – may have serious consequences.
These risks have prompted stronger EU regulation on resilience and preparedness.
Sector-specific regulation in the Danish energy sector
In Denmark, the sector-specific Act on Strengthened Preparedness in the Energy Sector implements requirements from the EU's NIS2 and CER directives through rules on organisational preparedness, physical protection, and cybersecurity. The Act provides that electricity undertakings and producers, among many others, fall within its scope of application.
The Act is supplemented by an executive order on Resilience and Preparedness in the Energy Sector specifying how these requirements apply to covered entities and their production facilities, including offshore wind installations.
The executive order classifies entities and facilities into levels and classes ranging from 1 to 5 based primarily on production capacity, where 5 is the highest. Higher levels and classes correspond to stricter preparedness requirements.
Supply chain security in the offshore wind sector
The regulation not only addresses internal security measures but also security risks across the supply chain.
Under the executive order, covered entities must identify, assess and manage risks specific to each direct supplier and service provider.
In this regard, the executive order provides that requirements relating to organisational preparedness, physical protection, and cybersecurity must be reflected in supplier agreements. Suppliers must therefore be able to comply with such contractual requirements.
At EU level, further clarification is also underway regarding supply chain requirements. The aim is to ensure legal certainty and prevent disproportionate obligations being imposed on entities not themselves within scope of the rules.
Practical challenges for covered entities
Covered entities face several practical challenges when implementing the new preparedness requirements.
First, the sheer scope and complexity of the regulatory framework – integrating NIS2 and CER into a sector-specific regime – means that many organisations must establish new governance, documentation and reporting capabilities.
Second, many energy operators must balance old and new technology environments. OT systems such as SCADA and turbine control infrastructure were often designed without modern cybersecurity protections.
Finally, supply chain complexity creates challenges for risk management. With large numbers of third-party hardware, software and service providers, ensuring consistent security standards across the network of suppliers is resource-intensive and requires continuous oversight.
Management responsibility
Under the new regulatory regime, security is not merely a technical or operational matter – it is a top management responsibility.
The management body is responsible for approving and overseeing the entity's risk management and preparedness.
This is not a one-off exercise, but a continuous process that requires the management body to approve the security measures adopted by the entity and to oversee their ongoing implementation.
As such, accountability rests at the highest level of the organisation, and failures may carry regulatory, reputational and contractual consequences.
Proportionate and risk-based implementation
Implementing the measures requires a risk-based approach.
For many offshore wind operators, recognised standards can serve as practical implementation tools. Frameworks such as ISO 27001 and IEC 62443, which are both relevant and risk-based, can be used as guidelines. However, adherence to such standards does not automatically imply compliance with regulatory requirements, which must be given specific attention through, for example, gap analysis and legal compliance analysis and documentation.
Navigating a complex framework
The Danish regime makes security a structural requirement, forcing organisations to navigate a complex framework covering risk assessment, governance, supply chain security and ongoing compliance.
However, in an environment where regulatory scrutiny and threat levels continue to increase, security in offshore wind is not only a legal obligation but also a strategic strength.
AUTHORS:
- Bernardo Busel Niedmann, Legal Advisor, Director
- Emil Bisgaard, Partner, Commercial Law Consultant
- Klint Klingberg-Jensen, Partner, Attorney
- Robin Bangsø, Assistant Attorney