
Sector Insights

Infrastructure Funds and NIS2: Critical Service Provider Obligations

Simone Nogara

August 2025 · 7 min read

Infrastructure funds investing in European assets face a regulatory inflection point. NIS2 brings the sectors that define infrastructure investment (energy, transport, water and digital infrastructure) squarely within mandatory cybersecurity governance. For fund managers, understanding these obligations is a fiduciary necessity.

How NIS2 Classifies Infrastructure Assets

NIS2[1] (EU Directive 2022/2555) captures the overwhelming majority of infrastructure fund assets. Annex I (“sectors of high criticality”) includes energy (electricity, district heating/cooling, oil, gas, hydrogen), transport (air, rail, water, road), drinking water, wastewater, digital infrastructure (IXPs, DNS, TLD registries, cloud, data centres, CDNs, trust services, public electronic communications), and ICT service management (B2B).

Annex II (“other critical sectors”) extends to waste management, manufacturing of critical products (chemicals, medical devices, electronics, machinery, motor vehicles), food production, and digital providers. For diversified infrastructure portfolios spanning utilities, transportation, telecoms, and industrial assets, most portfolio companies will fall within scope.

Classification depends on sector and size, measured against the SME thresholds of Recommendation 2003/361/EC. Annex I entities that exceed the medium-size ceiling (250 or more employees, or annual turnover above €50M together with a balance sheet above €43M) are essential entities, with the most stringent supervisory regime. Medium-sized Annex I entities and medium or large Annex II entities are important entities. Certain infrastructure types are classified without reference to that test: qualified trust service providers, DNS service providers and TLD name registries are essential regardless of size, and providers of public electronic communications networks or services are essential once they reach medium size.

Essential Entity Obligations

Article 21 requires essential and important entities alike to adopt appropriate and proportionate technical, operational and organisational measures covering at least ten domains: risk analysis and information system security policies; incident handling; business continuity (backups, disaster recovery and crisis management); supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication together with secured voice, video and text communications. What distinguishes essential entities is stricter supervision (proactive as well as reactive) and higher fines, not a longer list of measures.

Incident reporting under Article 23 runs on three clocks for any significant incident: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise, and a final report within one month of that notification covering root cause, mitigation measures and cross-border impact. Management body accountability under Article 20 requires the board to approve and oversee the cybersecurity risk-management measures and to undergo training, and makes its members liable for infringements. For infrastructure fund portfolio companies, fund-nominated directors who sit on the management body bear direct personal exposure for governance failures; board observers fall outside the management body, but not outside the fund's own oversight responsibility.

OT/IT Convergence Security

Infrastructure assets are distinguished by their operational technology (OT) environments: industrial control systems, SCADA networks, PLCs, and field devices controlling physical processes. OT/IT convergence has created attack surfaces bridging digital and physical domains, enabling cyber attacks to produce kinetic consequences—disrupted power generation, contaminated water, or impaired transportation.

NIS2 explicitly encompasses OT environments. Article 21 measures apply to all network and information systems used in service provision, including industrial control systems. Many infrastructure companies have historically treated OT security as separate from IT cybersecurity, often with less mature governance. NIS2 closes this gap.

OT security challenges differ fundamentally from IT. Industrial control systems were designed for reliability and safety, not security—many run legacy platforms that cannot be patched without production downtime, use protocols lacking authentication, and were engineered for isolated networks. Convergence has exposed them to threats they were never designed to withstand.

SCADA and ICS Security

SCADA and ICS form the operational backbone of energy, water, and transport infrastructure. The patching challenge is qualitatively different from IT: operational lifecycles of 20–30 years exceed vendor support periods, patching often requires production shutdown affecting thousands of end users, and firmware updates may require physical visits to hundreds of remote locations. The risk calculus must balance cybersecurity, operational, and safety risks.

Network segmentation between IT and OT is the foundational control. IEC 62443[2] (zones and conduits) and the Purdue Model provide reference architectures, but the practical reality in many infrastructure companies is that segmentation has eroded as business requirements (remote vendor access, historian feeds, ERP integration) created IT/OT connections that bypass the intended boundaries. Demonstrating Article 21 measures across OT will in practice require a comprehensive segmentation assessment, comparing the traffic actually observed against the intended zone model, followed by remediation.

OT monitoring requires specialised capabilities. Standard IT tools often do not understand industrial protocols, and active scanning can disrupt or crash fragile controllers. Purpose-built OT monitoring that passively observes industrial traffic (from a SPAN port or network tap) and flags anomalous ICS communications, such as unexpected write commands or conversations that cross zone boundaries, without adding latency to the control path is the realistic way to meet the incident handling and effectiveness assessment requirements in OT.
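As an added illustration of the two preceding points (checking observed flows against a Purdue-style zone plan, and passively spotting anomalous ICS commands), the Python below is example code written for this article; it is not a product, nor a reference implementation from IEC 62443. The zone plan, the IP addresses, the host roles and the Modbus/TCP frames are all constructed for the example. A real assessment would load the zone map from the site's asset inventory and the flows from a passive capture rather than a hand-built list.

```python
"""Passive triage of captured OT flows: Purdue-zone policy check plus
Modbus/TCP function-code inspection. All addresses, zones and frames
below are constructed for this example."""
from dataclasses import dataclass
import ipaddress
import struct

# Hypothetical zone plan keyed by Purdue level (an assumption for this
# example, not a standard allocation). A real assessment would load this
# from the site's asset inventory.
ZONES = {
    "L4_enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "L3.5_dmz": ipaddress.ip_network("10.2.0.0/24"),
    "L3_site_ops": ipaddress.ip_network("10.3.0.0/24"),
    "L2_supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "L1_control": ipaddress.ip_network("192.168.20.0/24"),
}

# Direct conversations the segmentation design permits (initiator -> responder).
# Traffic within one zone is tolerated; anything else is a boundary bypass.
ALLOWED = {
    ("L4_enterprise", "L3.5_dmz"),
    ("L3.5_dmz", "L3_site_ops"),
    ("L3_site_ops", "L2_supervisory"),
    ("L2_supervisory", "L1_control"),
}

MODBUS_PORT = 502
# Modbus function codes that change process state; reads (1-4) are not listed.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}
# Only supervisory hosts (HMI/SCADA at Purdue level 2) are expected to write.
WRITE_ZONES = {"L2_supervisory"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"  # unregistered asset: treated as outside every zone


def parse_modbus_tcp(payload):
    """Return (unit_id, function_code) from an MBAP header + PDU, or None.

    MBAP is transaction id (2), protocol id (2, must be 0), length (2, counts
    unit id + PDU), unit id (1); the PDU starts with the function code.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def triage(flows):
    """Read-only check: the capture is parsed, nothing is sent to the OT network."""
    findings = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s != d and (s, d) not in ALLOWED:
            findings.append(("segmentation_bypass", f.src, f.dst, f"{s}->{d}"))
        if f.dport != MODBUS_PORT:
            continue
        parsed = parse_modbus_tcp(f.payload)
        if parsed is None:
            findings.append(("malformed_modbus", f.src, f.dst, None))
        elif parsed[1] in MODBUS_WRITE_CODES and s not in WRITE_ZONES:
            findings.append(("unexpected_modbus_write", f.src, f.dst, f"fc={parsed[1]}"))
    return findings


def sample_flows():
    """Constructed capture: five flows, four of them aimed at one PLC (192.168.20.7)."""
    return [
        # Historian in the DMZ pulling from site operations over TLS: permitted.
        Flow("10.2.0.5", "10.3.0.10", 443),
        # HMI reading holding registers (fc 3) from the PLC: permitted.
        Flow("192.168.10.5", "192.168.20.7", 502, bytes.fromhex("00010000000601030000000a")),
        # Same HMI writing a coil (fc 5): a write, but from the supervisory zone.
        Flow("192.168.10.5", "192.168.20.7", 502, bytes.fromhex("0002000000060105000aff00")),
        # Enterprise laptop writing registers (fc 16) straight to the PLC:
        # bypasses the DMZ and writes from a zone that should never write.
        Flow("10.1.5.20", "192.168.20.7", 502, bytes.fromhex("000300000009011000000001021234")),
        # Unregistered host sending a truncated MBAP header.
        Flow("172.16.0.9", "192.168.20.7", 502, bytes.fromhex("00040000000601")),
    ]


if __name__ == "__main__":
    for finding in triage(sample_flows()):
        print(*finding)
```

Both checks are deliberately read-only: the capture is parsed and nothing is probed, which is exactly the constraint that rules out most IT scanners on a live control network. The same pattern extends to other industrial protocols by swapping the parser and the function-code table, and the zone policy is the artefact a segmentation assessment should be comparing observed traffic against.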

Fund-Level vs Portfolio Company Obligations

NIS2 obligations attach primarily to the portfolio companies that operate critical infrastructure, not to fund vehicles or management companies. Fund managers are not insulated from the consequences, however. Administrative fines (Member States must set maximums of at least €10M or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and €7M or 1.4% for important entities), operational disruption and reputational damage flow directly to fund returns. Management body accountability creates personal liability for fund-nominated directors. And the duty of care to limited partners arguably extends to ensuring portfolio compliance with obligations that could materially affect investment value.

Fund-level governance should include: minimum cybersecurity standards incorporated into investment agreements, allocated cybersecurity resources (internal or advisory), and standing NIS2 compliance reporting from portfolio companies in review processes.

Practical Compliance Approach

Phase 1: Classification and scoping. Assess each portfolio company against the NIS2 sectoral and size criteria, accounting for national transposition variations. Phase 2: Gap assessment against the ten Article 21 domains, covering both IT and OT, producing a prioritised remediation roadmap. Phase 3: Remediation, prioritising management body accountability, incident reporting capability (the 24-hour, 72-hour and one-month timelines) and supply chain security. Align remediation investment with capital planning cycles and enforcement timelines.

Phase 4: Ongoing compliance management. NIS2 is not a project with a defined end state but a continuous obligation. Maintain the measures, conduct regular effectiveness assessments, update for evolving threats and report incidents within the mandated timeframes. Fund-level governance should incorporate regular monitoring, periodic re-assessment and escalation of material issues to the Investment Committee.

Investment Implications

NIS2 compliance status should be a standard component of technical due diligence for any infrastructure acquisition. Factor the compliance costs of non-compliant targets into deal pricing and address deficiencies through warranties or post-completion undertakings.

For existing portfolio companies, compliance protects enterprise value by reducing regulatory risk and improving resilience. Prospective acquirers will assess NIS2 compliance in due diligence—demonstrated compliance supports valuation while gaps create price risk. Compliance investment, typically €200,000 to €2 million per company depending on size and maturity, should be viewed as value-preserving.

Cybersecurity governance has moved permanently into infrastructure fund management. NIS2 is the foundation of a permanent European framework. Fund managers who develop robust capabilities will manage portfolios more effectively, avoid penalties, and realise stronger exit valuations. Those who defer will manage accumulated risk that becomes progressively more expensive to address.

References

  1. Directive (EU) 2022/2555 (NIS2 Directive). EUR-Lex
  2. IEC 62443 — Industrial communication networks: Network and system security. International Electrotechnical Commission.
