June 17, 2026
External service providers maintain the network control technology and IT of municipal utilities remotely, one of the biggest attack surfaces in the KRITIS environment. Here is what NIS-2 and the IT Security Catalogue under § 11 EnWG require, and how to make third-party access secure and verifiable.

Municipal utilities operate critical infrastructure: electricity, gas, water, heat and, increasingly, telecommunications. The network control technology and the IT systems behind it, however, are rarely run entirely in house. Control technology manufacturers, system integrators and IT service providers maintain them remotely on a regular basis. This very third-party access is one of the largest and most poorly controlled attack surfaces in the KRITIS environment.
This article explains why third-party access at municipal utilities is both a regulatory and a security problem, which concrete obligations follow from NIS-2 and the IT Security Catalogue under § 11 EnWG, and how external partners can be connected in a controlled, time-limited and verifiable way without slowing down operations.
Municipal utilities run a heterogeneous landscape of classic IT (billing, ERP, customer portals) and operational technology (OT): network control technology, SCADA systems, telecontrol technology and smart-metering infrastructure. Few utilities keep their own staff on hand for all of these specialized systems. Maintenance is handled by manufacturers, system integrators and IT service providers, almost always via remote access.
This creates a structural risk that differs from that of a typical company. A compromised service provider account here does not just lead to data leakage but potentially straight into the control of the electricity or gas supply. Typical weak points include:
Attackers have realized that the route via the service provider is more efficient than a frontal assault. A single compromised maintenance account can open access to many utilities at once if the same service provider supports several of them. The energy sector is disproportionately affected: the number of cyberattacks on the energy and utilities sector has more than doubled within two years, and the sector reports many times the OT/ICS incidents of other industries.
"Around 29 % of companies in Germany have already been affected by supply chain attacks, with consequences ranging from operational outages to reputational and financial damage." — Kaspersky, supply chain security study
For municipal utilities, this means that their own security is only as strong as the control they have over their service providers' access.
With the NIS-2 implementation act, the energy sector is comprehensively regulated. Municipal utilities typically fall under it as important or essential entities, regardless of whether they exceed the classic KRITIS thresholds of the BSI-KritisV. Even mid-sized utilities with around 50 employees and 10 million euros in revenue are covered.
Three points are central to third-party access:
More on the regulatory framework: NIS-2: what the new EU directive means for your company and the NIS-2 checklist for mid-sized businesses.
The energy sector is additionally regulated on a sector-specific basis. Through § 11 (1a) EnWG (network operators) and § 11 (1b) EnWG (operators of energy facilities classified as KRITIS), the Federal Network Agency obliges operators to build and certify an information security management system (ISMS) in line with ISO/IEC 27001 and the industry-specific ISO/IEC 27019.
Among other things, the IT Security Catalogue requires controlled access management, documented authorizations and traceability of all access, including that of external service providers. In concrete terms, this means that third-party access must be limited to what is necessary (least privilege), clearly assigned to an individual and documented in an audit-proof way.
The threshold question of the BSI-KritisV, around 3,700 GWh per year in the electricity sector or roughly 500,000 people supplied, becomes less relevant in this context: through NIS-2, utilities below these thresholds are also obligated.
Many municipal utilities still connect service providers through classic VPN access or jump hosts. Neither solves the problem:
Related risks in detail: Securing RDP: best practices against remote desktop attacks.
Secure third-party access rests on a few consistently applied principles:
VISULOX is a decentralized remote PAM platform built precisely for this requirement. External service providers are connected to the systems of municipal utilities in a controlled, time-limited and verifiable way:
More on the topic: Securing third-party access: how to connect external service providers safely.
Third-party access is indispensable for municipal utilities, as network control technology and IT cannot be run in house alone. The key question is therefore not whether external partners are granted access, but how controlled that access is. NIS-2 and the IT Security Catalogue under § 11 EnWG turn what was long considered best practice into a verifiable obligation, with personal responsibility for management.
The combination of least privilege, just-in-time access, unique identity and complete session recording reduces the attack surface to a minimum while at the same time delivering the required proof. VISULOX connects external service providers through a central gateway, without a VPN, audit-proof and live in under two days, with no interference in ongoing operations.
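The requirements named above (in the IT Security Catalogue passage: least privilege, assignment to an individual, audit-proof documentation; and in the conclusion: just-in-time access, unique identity, complete proof) can be made concrete in code. The following is an added illustration written for this article, not VISULOX or amitego code: a minimal just-in-time access broker that only issues grants to a named person for one target system and one maintenance ticket, limits the grant window, denies anything outside it, and writes every decision into a hash-chained log so that later edits to the log are detectable. All names, hostnames, ticket numbers and timestamps are constructed.

```python
# Added example (not VISULOX or amitego code): a just-in-time access broker that
# enforces named individuals, single-system scope, time-limited grants and a
# tamper-evident audit trail. All identities, systems and times are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json

MAX_GRANT = timedelta(hours=8)   # assumption: no grant outlives a maintenance shift


@dataclass(frozen=True)
class Grant:
    person: str     # named individual at the service provider, never a shared account
    provider: str   # the company the person works for
    target: str     # exactly one system, e.g. a SCADA gateway host
    ticket: str     # maintenance ticket that justifies the access
    start: datetime
    end: datetime


class AccessBroker:
    def __init__(self):
        self.grants = []
        self.log = []           # hash-chained audit records, append-only by convention
        self._prev = "0" * 64   # chain anchor for the first record

    def _record(self, now, event, **fields):
        """Append an audit record whose hash covers its content and the previous hash."""
        entry = {"ts": now.isoformat(), "event": event, "prev": self._prev, **fields}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)
        self._prev = entry["hash"]
        return entry

    def issue(self, grant, now):
        """Register a grant; reject anonymous, unjustified or over-long windows."""
        if not grant.person or not grant.ticket:
            reason = "grant must name an individual and a ticket"
        elif grant.start >= grant.end or grant.end - grant.start > MAX_GRANT:
            reason = "grant window invalid or longer than MAX_GRANT"
        else:
            reason = None
        if reason:
            self._record(now, "grant_rejected", person=grant.person,
                         target=grant.target, reason=reason)
            return False
        self.grants.append(grant)
        self._record(now, "grant_issued", person=grant.person, provider=grant.provider,
                     target=grant.target, ticket=grant.ticket,
                     start=grant.start.isoformat(), end=grant.end.isoformat())
        return True

    def request(self, person, target, now):
        """Decide whether `person` may open a session on `target` at time `now`."""
        for g in self.grants:
            if g.person == person and g.target == target and g.start <= now < g.end:
                self._record(now, "access_granted", person=person,
                             target=target, ticket=g.ticket)
                return True
        self._record(now, "access_denied", person=person, target=target)
        return False

    def verify_log(self):
        """Recompute the chain; return the index of the first altered record, or -1."""
        prev = "0" * 64
        for i, entry in enumerate(self.log):
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body.get("prev") != prev or digest != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def demo():
    """Constructed scenario: one valid grant, one rejected shared account, three requests."""
    broker = AccessBroker()
    t0 = datetime(2026, 6, 17, 8, 0, tzinfo=timezone.utc)
    broker.issue(Grant("m.mueller", "ExampleControl GmbH", "scada-gw-01",
                       "CHG-4711", t0, t0 + timedelta(hours=2)), t0)
    # A generic "service" login with no ticket is refused before it can be used.
    broker.issue(Grant("service", "ExampleControl GmbH", "scada-gw-01",
                       "", t0, t0 + timedelta(hours=2)), t0)
    results = {
        "in_window": broker.request("m.mueller", "scada-gw-01", t0 + timedelta(minutes=30)),
        "other_system": broker.request("m.mueller", "scada-gw-02", t0 + timedelta(minutes=30)),
        "after_expiry": broker.request("m.mueller", "scada-gw-01", t0 + timedelta(hours=3)),
        "log_intact": broker.verify_log() == -1,
    }
    return broker, results


if __name__ == "__main__":
    _, r = demo()
    print(r)
```

The point of the hash chain is that an audit trail is only proof if it cannot be quietly edited after the fact: altering any earlier record changes its digest and breaks the link to every record that follows. In a real deployment the chain would be anchored outside the broker (signed, or shipped to a separate log system) and the session itself would be recorded, which this small broker deliberately leaves out.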