INDUSTRY SOLUTIONS
Data Security for the Utilities Industry
Utilities are connecting data from operational technology (OT) environments to cloud applications, AI and API-driven services. Every connection creates exposure risk. Frameworks such as NIS2, NERC CIP, and GDPR set cybersecurity, data protection, and risk management obligations that apply wherever that data is processed and whoever handles it.
StratoKey can reduce compliance scope and help secure sensitive information by tokenizing and encrypting it before it enters any cloud or third-party environment.
The Growing Challenge of Cloud Risks in the Utilities Industry
Utilities are increasingly pushing real-time telemetry, equipment performance metrics, grid topology data, customer records, and asset configurations from SCADA systems, historian platforms, billing systems, and asset management tools into cloud analytics platforms, SaaS ERP and billing systems, and OEM vendor monitoring portals. The standard cloud security controls were not designed for the sensitivity of that data and the growing regulatory expectations that come with critical infrastructure.
Customer and Billing Data in Multi-Tenant Cloud Platforms as a Data Sovereignty Risk
Billing systems, CRM platforms, and advanced metering infrastructure generate large volumes of customer data that is processed in cloud environments. When these environments are multi-tenant or hosted in foreign jurisdictions, utilities face exposure to regulatory data residency obligations, and applicable privacy law.
SaaS Providers' Encryption Can Undermine Data Sovereignty
AI Training Data and Sensitive Operational Information
Operational Data Exposure Across IT/OT Boundaries
Access to Critical Control System Data by Third-Party and Vendors
Legacy OT Systems Not Designed for Cloud Connectivity
StratoKey Helps Utilities Organizations Secure Their Workflows
StratoKey operates as a gateway between your users and on-premises systems to your cloud applications, encrypting or tokenizing sensitive data before it leaves your network and controlled boundary. The SaaS and cloud integration is only exposed to ciphertext or tokens keeping sensitive data within your control.
- FIPS 140-3-Validated Field Level Encryption: Encrypted end-to-end before data reaches any SaaS platform.
- Field-Level Tokenization: Sensitive data is replaced with tokens and stored locally, keeping controlled content onshore and reducing compliance scope.
- Secure APIs and AI: Applies tokenization and encryption at the API layer. Sensitive data is protected across every connection including AI-driven services and third-party APIs.
- Legacy System Integration: The API Gateway applies tokenisation and encryption at the integration layer, protecting data as it leaves legacy SCADA systems, PLCs etc. before it reaches any cloud or third-party environment.
- Customer-Controlled Keys: (BYOK / HYOK) Encryption keys never reside with the cloud provider.
- Geofenced Access Controls: Restrict controlled data to local persons and approved locations to meet access requirements.
- Audit Logging: Immutable logs for every access and decryption or detokenization event, supporting regulatory assessments and incident reporting.
- Policy Enforcement and Monitoring: Centralized policy controls govern how sensitive data is handled across every connected system. Real-time monitoring provides visibility into data flows across cloud and third-party environments.
- Application-Agnostic Works across SaaS applications and API-driven and AI-powered services. No changes required to existing application workflows.
Global Regulatory Coverage for Utilities
As utilities push operational and customer data into cloud platforms, SaaS systems, and vendor portals, regulatory obligations follow that data across every jurisdiction you operate in. StratoKey reduces compliance scope by ensuring sensitive data never reaches those environments in plaintext.
Utilities operating in the EU Union face mandatory cybersecurity and data protection obligations under NIS2 and GDPR. Both apply to energy and water utilities operating at scale across member states. Variations exist across member states
NIS2 Directive (EU) 2022/2555
NIS2 designates energy and water utilities as essential entities under Annex I. That is the highest classification under the directive and carries the strictest obligations.
Specifically:
- Electricity operators, gas suppliers, district heating and cooling operators, hydrogen suppliers, and oil infrastructure are all named in Annex I.
- Drinking water and wastewater operators are also explicitly listed as separate essential entity categories.
- Being classified as essential means direct supervision by national competent authorities, mandatory audits, and penalties up to 10 million euros or 2% of global turnover.
Local Regulatory Reference
| Country | Local Transposition | Competent Authority | Cloud and Data Protection |
|---|---|---|---|
| France | NIS2 transposed under ANSSI supervision. Additional obligations for OIV and OSE under the Loi de Programmation Militaire | ANSSI | SecNumCloud sets security requirements for cloud providers handling sensitive data for critical infrastructure operators. |
| Germany | NIS2 transposed via NIS2UmSUCG, in force December 6, 2025. KRITIS operators automatically classified as particularly important entities. Mandatory BSI audits every three years. | BSI | BSI C5 sets baseline requirements for cloud providers. StratoKey tokenizes data before it reaches the cloud environment, ensuring sensitive data never exists in plaintext regardless of provider C5 status. |
| Netherlands | NIS2 transposed via updated Cbw. | RDI (digital infrastructure), ACM (energy) | NIS2 Article 21(2)(h) encryption and Article 21(2)(d) supply chain obligations apply directly to cloud and third-party environments. |
GDPR Regulation (EU) 2016/679
Applies to all personal data processed by utilities including customer billing records, smart meter data, and consumption profiles. Article 32(1)(a) requires pseudonymization and encryption of personal data as an appropriate technical measure for securing processing. Article 32(1)(b) requires ongoing confidentiality, integrity, availability, and resilience of processing systems.
Article 34(3)(a) provides that where encryption or equivalent measures have been applied rendering personal data unintelligible to unauthorized persons, controllers are exempt from the obligation to notify affected individuals following a breach.
StratoKey replaces personal data with encrypted values or tokens before it reaches cloud or third-party systems. If a breach occurs, the data has no exploitable value and notification obligations under Article 34 may not apply.
Utilities operating in the United States face cybersecurity obligations across electric, water, and pipeline sectors. As operational and customer data moves into SaaS platforms these obligations follow the data. Utilities should also be aware that customer personal data including billing records, consumption profiles, and smart meter data may be subject to state-level data privacy laws.
NERC CIP
North American Electric Reliability Corporation Critical Infrastructure Protection Standards
Mandatory for electric utilities operating on the Bulk Electric System. As utilities push operational data into SaaS and vendor platforms, CIP-005 requires electronic access controls for any interactive remote access to BES systems. CIP-013 requires supply chain risk management for third-party products and services connected to high and medium impact systems. StratoKey enforces data-level access controls for vendor sessions and tokenizes sensitive operational data before it reaches third-party environments.
NIST SP 800-82 Rev 3
Guide to Operational Technology Security, NIST
The federal reference guide for OT security across electric, water, and pipeline sectors. Not mandatory but widely referenced in audits and vendor contracts. As utilities integrate historian and SCADA-adjacent data with cloud analytics platforms, SP 800-82 references SP 800-53 controls including SC-28 (data at rest) and SC-8 (transmission confidentiality). StratoKey tokenizes sensitive operational data at the point it crosses into cloud or enterprise environments.
America's Water Infrastructure Act 2018 (AWIA)
Mandatory for water and wastewater utilities serving more than 3,300 people. Requires risk and resilience assessments covering cybersecurity threats to operational systems and customer data. As water utilities adopt cloud-based SCADA monitoring, billing, and asset management platforms, sensitive operational and customer data moves outside controlled environments. StratoKey reduces exposure by tokenizing customer and operational data before it enters SaaS platforms.
TSA Security Directives
Mandatory for pipeline operators. Require designation of a cybersecurity coordinator, incident reporting to CISA, network segmentation between IT and OT systems, access controls, and continuous monitoring. As pipeline operators adopt cloud-based monitoring and vendor platforms, sensitive operational data moves outside the controlled OT environment. StratoKey tokenizes pipeline operational data before it enters cloud or third-party systems, ensuring it has no exploitable value outside your environment.
Utilities operating in Canada face NERC CIP obligations for grid operations and, if Bill C-8 is enacted, mandatory cybersecurity program requirements across federally regulated sectors. Canadian utilities must also consider PIPEDA and provincial privacy laws such as Quebec's Law 25 when moving customer data into cloud and SaaS environments.
NERC CIP
North American Electric Reliability Corporation Critical Infrastructure Protection Standards
Applies to Canadian electric utilities connected to the North American Bulk Electric System. CIP-005 mandates electronic access controls for remote access. CIP-013 requires supply chain risk management for third-party products and services. StratoKey enforces data-level access controls for vendor sessions and tokenizes and encrypts sensitive operational data before it reaches external systems.
The Proposed: Bill C-8 / Critical Cyber Systems Protection Act ( CCSPA)
An Act Respecting Cyber Security, Parliament of Canada
Currently before Parliament. Not yet enacted. If passed, designated operators in energy and pipeline sectors must establish a cybersecurity program within 90 days, manage supply chain risks, and maintain cybersecurity records on Canadian soil. StratoKey tokenizes sensitive data before it leaves controlled environments, supporting data residency obligations regardless of where downstream cloud platforms are hosted.
PIPEDA
Personal Information Protection and Electronic Documents Act
Governs how personal data including customer billing records, smart meter data, and consumption profiles is collected, used, and disclosed by federally regulated utilities. As customer data moves into cloud billing systems and SaaS platforms, PIPEDA safeguarding obligations follow that data. StratoKey secures personal data before it enters cloud or third-party environments, reducing breach impact and supporting PIPEDA accountability obligations.
Utilities operating in Australia face obligations under the SOCI Act and, for energy operators specifically, the Australian Energy Sector Cyber Security Framework. Australian utilities must also consider the Privacy Act 1988 and the Australian Privacy Principles (APPs) when moving customer data including billing records, smart meter data, and consumption profiles into cloud and SaaS environments. The Office of the Australian Information Commissioner (OAIC) enforces these obligations.
Security of Critical Infrastructure Act 2018 (SOCI Act)
Security of Critical Infrastructure Act 2018
Designated critical assets in electricity, gas, and water sectors are subject to positive security obligations and enhanced cyber security obligations under the 2022 amendments. As utilities push operational and customer data into cloud platforms and vendor portals, those data flows fall within the scope of positive security obligations. StratoKey tokenizes and encrypts sensitive data before it enters cloud or third-party environments, reducing the data footprint across the supply chain.
Australian Energy Sector Cyber Security Framework (AESCSF)
Australian Energy Market Operator — AEMO
The operational cybersecurity framework for Australian energy sector participants. Control domains cover access management, data protection, and information asset management. As utilities integrate historian data, grid telemetry, and customer records with cloud analytics and SaaS platforms, AESCSF data protection controls apply. StratoKey's Identity Gateway enforces least-privilege access controls aligned to AESCSF requirements. Tokenization and encryption protects sensitive operational data at the point it enters cloud and vendor environments.
Privacy Act 1988 and Australian Privacy Principles
Office of the Australian Information Commissioner
Applies to utilities with annual turnover above $3 million. Governs how customer billing records, smart meter data, and consumption profiles are collected, used, and disclosed. As utilities move customer data into cloud billing systems and SaaS platforms, the Australian Privacy Principles require that data remains protected regardless of where it is processed. StratoKey secures personal data before it enters cloud or third-party environments, reducing breach impact and supporting Notifiable Data Breaches obligations.
Utilities operating in the United Kingdom face obligations under the UK NIS Regulations 2018 and UK GDPR. The UK is not bound by NIS2 following Brexit. The Cyber Security and Resilience Bill, published in late 2025, proposes to strengthen and expand the NIS Regulations but has not yet been enacted. Customer personal data is governed by UK GDPR and the Data Protection Act 2018, enforced by the ICO.
UK NIS Regulations 2018
The Network and Information Systems Regulations 2018
Enforced by Ofgem (energy) and Ofwat (water) as competent authorities, with NCSC providing technical guidance through the Cyber Assessment Framework (CAF).
CAF Objective B3 covers identity and access control. CAF Objective B6 covers data security including protection of data at rest and in transit. StratoKey's Identity Gateway supports least-privilege access and controls aligned to CAF B3. Tokenization and Encryption protects sensitive operational and customer data in storage and transit, supporting CAF B6.
UK GDPR / Data Protection Act 2018
UK GDPR | Data Protection Act 2018
The UK GDPR and Data Protection Act 2018 form the UK's data protection framework, enforced by the ICO. The UK GDPR sets the core obligations. The DPA 2018 supplements it with UK-specific provisions. Together they apply to all personal data processed by utilities including customer billing records, smart meter data, and consumption profiles. Article 32(1)(a) requires pseudonymization and encryption of personal data. Article 32(1)(b) requires ongoing confidentiality, integrity, availability, and resilience of processing systems. Article 34(3)(a) provides that where encryption renders personal data unintelligible to unauthorized persons, controllers may be exempt from notifying affected individuals following a breach. StratoKey tokenizes personal data before it enters cloud or third-party systems. If a breach occurs, tokenized data has no exploitable value and notification obligations under Article 34 may not apply.
StratoKey Works With Utilities to Help Meet Data Privacy and Industry Compliance Regulations
SaaS platforms and cloud integrations are where sensitive data is most exposed. StratoKey tokenizes and encrypts before transmission to SaaS, so the data that reaches those environments has no exploitable value. Get in touch with StratoKey to keep customer data secure and meet a wider range of regulatory requirements.
Get in Touch to Learn More About Securing Sensitive Data With StratoKey
Please provide your details so we can get in touch about your inquiry.


