In February 2026, the European Commission published the Cable Security Toolbox as part of the implementation of the broader EU Cable Security Action Plan. The Toolbox sets out a comprehensive set of risk mitigation measures designed to enhance the protection and resilience of subsea cable infrastructure within the European Union. In parallel, the Commission identified thirteen priority investment areas and earmarked approximately €347 million in funding to support strategically significant cable projects.
The Cable Security Toolbox does not itself constitute a legally binding instrument. Its recommendations fall into two broad categories: strategic measures directed at Member States and national authorities, and technical support measures directed at the private sector, including cable operators and other infrastructure stakeholders. Nonetheless, the Toolbox operates in conjunction with two binding legislative frameworks: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (“NIS2”), and Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities (“CER”), which governs the physical resilience of critical infrastructure.
What does the toolbox mean for offshore operators?
The Toolbox does not directly impose obligations on individual energy companies. Rather, it is a recommendation framework that authorities, courts, insurers, and financiers will use as a benchmark when assessing the adequacy of an operator’s practices. In this respect, it establishes the applicable “due care” standard for the industry.
Non-compliance with the Toolbox recommendations does not in itself give rise to regulatory penalties. However, the binding obligations that the Toolbox reflects derive from NIS2 and CER. Failure to adhere to the standards reflected in the Toolbox may therefore expose operators to liability under those regulatory frameworks.
The following sections set out what NIS2 and CER each require in practice, and what steps operators should be taking now.
Cybersecurity requirements (NIS2)
The core objective of NIS2 is to raise digital resilience across critical sectors. NIS2 significantly broadens the scope of EU cybersecurity law and now covers a much wider range of market operators in the energy sector than its predecessor, including electricity supply, district heating, and gas supply.
Where an offshore operator falls within the scope of NIS2, it is subject to extensive cybersecurity risk-management and incident-reporting obligations. Importantly, corporate structure will not necessarily limit the applicability of NIS2: a special purpose vehicle (SPV) may fall within scope where its parent undertaking meets the relevant size thresholds. The framework distinguishes between “essential” and “important” entities based on sector significance and company size.
Concrete obligations for energy operators within the scope of NIS2 include:
- Management accountability: Directors are personally liable for ensuring compliance, including ongoing supervision and regular cybersecurity training.
- Incident reporting: Significant security incidents must be reported within strict deadlines: an early warning within 24 hours, a notification within 72 hours, and a final report within one month.
- Risk management: Operators must identify, assess, and address cybersecurity risks across their entire value chain.
Administrative penalties for non-compliance may reach €10 million or 2% of total worldwide annual turnover, whichever is higher.
Looking ahead, the scope of NIS2 is set to expand further. On 20 January 2026, the Commission proposed targeted amendments to NIS2 that would bring operators of submarine data transmission infrastructure (SDTI), including submarine cables, landing stations, and associated terrestrial infrastructure, within Annex I of NIS2 as a highly critical sector. Operators exceeding the size threshold would be classified as essential entities, triggering the most stringent obligations under the Directive.
Physical resilience requirements (CER)
Under CER, Member States are required to identify critical entities, carry out risk assessments, and adopt a resilience strategy. The Directive covers both man-made and natural disaster risks across more than ten sectors, including energy and digital infrastructure.
Where a national authority designates a company as a “critical entity” under CER, the operator is required to:
- Conduct periodic risk assessments relating to threats to critical infrastructure
- Develop and maintain resilience and continuity plans
- Implement appropriate physical security measures
- Cooperate with competent national authorities in monitoring and incident response
EU Member States must complete the identification of critical entities by 17 July 2026, meaning many offshore infrastructure operators may soon find themselves within this regime.
What should offshore operators do now?
Operators should prioritise three actions without delay.
- Assess NIS2 applicability: NIS2 is already in force and national transpositions are progressing across Member States, making it essential to determine now whether the company exceeds the relevant size and sector thresholds.
- Map consortium arrangements: Operators involved in consortium arrangements should begin mapping those structures and preparing contractual provisions that allocate NIS2 liability among members. This should be completed before the proposed SDTI expansion enters into force, as no clear EU-level guidance currently exists on how obligations are distributed within joint arrangements. These matters must be resolved contractually, within joint build agreements, cable and maintenance agreements (C&MAs), or landing party agreements.
- Monitor CER designation and benchmark against the Toolbox: Operators should closely monitor the CER designation process in their Member State ahead of the 17 July 2026 deadline. If designated, the nine-month risk assessment obligation commences immediately. Throughout 2026, operators should also benchmark the Toolbox’s four technical measures (TM01–TM04), covering route planning, monitoring, response, and maintenance, against their existing infrastructure, as regulatory authorities and insurers are expected to use the Toolbox as a practical yardstick when assessing compliance and risk. Incident response processes should also be reviewed and documented to satisfy the 24-hour, 72-hour, and one-month reporting requirements applicable under both Directives.
The common thread is clear: the window for preparation is narrowing. For offshore infrastructure operators, proactive engagement with the regulatory framework, across cybersecurity, physical resilience, and contractual liability, is no longer optional. The question is not whether these obligations will apply, but whether operators will be ready when they do.
HPP advises clients across energy regulation, cybersecurity law, and critical infrastructure resilience. If you would like to understand how the Cable Security Toolbox and the evolving NIS2 and CER landscape affect your operations, please contact our team.