Published:
July 9, 2026
Last updated:
July 9, 2026

What an energy company’s CyberVadis score really says about its cybersecurity

A B2B energy tech company is a city. One that works alongside other cities. It trades with them, shares data with them and connects its infrastructure to theirs. DSOs send signals in. Consumer data flows through. Grid operators, utilities, neo energy retailers, hardware manufacturers and cloud services all have their role in the relationship.

And if you're connecting your infrastructure to another city, your first question should be: can you trust how it's governed?

A city is only worth partnering with if it is safe from within and secure at its borders.

The question is never whether the gates are locked. The question is whether the city can keep operating safely while life inside it mingles and moves. The question is whether the city can keep all of those relationships outside running. Openly. Efficiently. And with absolute clarity about who is allowed in and who is not.

That is the lens through which we think about cybersecurity at gridX. And it is the lens through which our 895/1000 Mature rating from CyberVadis should be read.

Not as a locked gate. But as evidence of a well-governed city. As evidence of a city that Europe's most demanding energy companies trust as a partner.

Why the analogy holds

Think about what makes a city safe. It is not just walls. It is about zoning laws and building codes. It is a fire department that trains before there’s a fire to be able to react swiftly and professionally. It is streets designed so that emergency services can reach any neighborhood. It is the inspectors who check that the bridges are sound, not because they expect them to collapse today but because the cost of not checking is unthinkable.

Cybersecurity, done seriously, works the same way.

gridX operates at the intersection of energy infrastructure, consumer data and real-time grid management. Our EMS platform is the connective tissue between utilities, grid operators, hardware manufacturers and the households and businesses they serve. A security failure is a disruption to critical infrastructure. It is a breach of personal data belonging to tens of thousands of end users. It is a loss of trust that the energy sector – already navigating one of its most complex transitions in history – cannot afford.

So gridX did not set out to pass an audit. We set out to build a city worth living in.

What CyberVadis actually tested

Our 895/1000 score was earned through CyberVadis – one of the most rigorous third-party cybersecurity benchmarking platforms used by major European enterprises to vet their supply chains. Every control had to be documented, demonstrated and independently validated.

Across 167 individual security controls, gridX was assessed on a wide range of focus areas – including Governance, Data Privacy, Risk Assessment, Human Resources Security and Third-Party Management.

Our overall score: 895 out of 1000. The CyberVadis benchmark average across all assessed companies: 670. That’s 225 points above the benchmark, which is a meaningful demonstration of our commitment to cybersecurity..

The ‘Mature’ rating at the top of the scale is the assessment’s way of saying: this is not a city built on good intentions. It’s a city with functioning well-thought-out infrastructure.

What an energy company’s CyberVadis score really says about its cybersecurity

gridX's cybersecurity score: Where we excel and why it matters

Governance and risk assessment: 1000/1000

Both areas were assessed on whether security is formally defined, communicated and acted on. Not just intended.

On Governance, gridX's Information Security policy is formally documented and accessible to every employee from any location. Roles and responsibilities for information security are clearly defined across the organization, and gridX has been independently certified through an Information Security assessment.

On Risk Assessment, gridX maintains a formal risk treatment plan – a defined action plan for mitigating identified risks, rather than an ad hoc response when issues arise.

A perfect score here does not mean nothing will ever go wrong. It means that when something does, there is a documented structure already in place to respond – not one being built at the moment.

Human resources security: 1000/1000

This area covers how security is embedded throughout the employee lifecycle, from hiring and onboarding to day-to-day responsibilities. It evaluates whether organizations have the right processes in place to build a strong security culture from the very beginning.

As Jonas Quilitz, Chief Product Officer at gridX, puts it "Technology secures the perimeter, but people are the real front line. Scoring 1000 out of 1000 on Human Resources Security and Awareness and Training shows that at gridX, security is a culture, not just a control."

That culture starts before an employee's first day. Every new hire – whether permanent, temporary or a contractor – signs a code of ethics or non-disclosure agreement (NDA), and all candidates undergo formal background checks before joining.

Awareness and training: 1000/1000

All employees receive security training tailored to their role, take part in ongoing social engineering awareness campaigns and are trained to recognize and report suspicious behaviour – reinforced through tools like SoSafe. Awareness here is not a one-off onboarding module. It is continuously reinforced and tested in practice.

Incident handling and response: 1000/1000

This combines two CyberVadis functions: Detect (spotting issues) and React (responding to them). gridX scored both perfectly.

On detection, gridX logs and monitors user activity, business applications and network infrastructure continuously, with logs protected against tampering. This is supported by regular penetration tests, vulnerability scans and a formal vulnerability management plan.

On response, gridX has a documented incident management process, including a path to activate a crisis management unit for major incidents, a dedicated Security Incident Response Team (SIRT) and a formal procedure to notify affected customers promptly.

As gridX’s Head of Security Alei Salem says, “Everybody has a plan until they face a cyberattack. Having an incident response plan that you do not validate guarantees that when (unexpected) adversity hits, you will panic and even freeze. It is imperative to test your plans regularly, until it becomes an instinct; when an incident occurs, you can keep your composure, go through your procedure, and recover in the most efficient and effective manner.”

Together, these scores mean issues are identified in real time and met with a structured, accountable response.

Network management and mobile security: 957/1000

gridX secures every connection point, not just the office network. The network is segregated into security zones, secured at both perimeter and application layers and protected with strong encryption for communications and authentication. On mobile, all personal devices undergo a security check before connecting, access is restricted to approved devices only, and a Mobile Device Management (MDM) solution centrally manages and can revoke access if a device is lost or stolen.

Data privacy: 892/1000

General Data Protection Regulation (GDPR) alignment here is practice, not just policy. gridX has appointed a person responsible for personal data protection, maintains a full inventory of personal data processing and gives individuals a formal way to access, correct, delete, or transfer their data. Retention periods and deletion procedures are defined, and a notification process is in place to inform individuals, controllers and regulators in the event of a data breach.

For European utilities operating under growing regulatory scrutiny, a technology partner's privacy posture is not a secondary concern. It is a direct input to their own compliance obligations.

Security in projects and application development: 903/1000

Security at gridX is written into how the product is built, not added afterward. A formal secure development methodology is in place and developers are trained to apply it. Test and production environments are kept separate, source code access is restricted and controlled and every release goes through a code review and security testing before deployment.

Third-party security management: 790/1000

No company secures itself in isolation. gridX requires signed NDAs with third parties when needed and holds cloud providers to a documented standard: evidence of a business continuity plan, a documented incident response process and official information security certifications. Cloud providers are also assessed periodically based on the type of solution they provide. A score of 790 reflects a mature approach in an area where many companies our size are still building.

AI governance: 808/1000

As AI becomes embedded in how energy systems are managed, gridX has identified and documented the legal and regulatory requirements involving AI use, maintains an up-to-date inventory of AI systems and tools in use and has formalized security measures around AI usage. Employees are also trained in AI risk management. For a company at our stage, this level of AI governance is uncommon – and a meaningful signal for clients navigating their own AI obligations.

What does gridX’s cybersecurity score mean for the energy companies we work with

There is a version of cybersecurity that is purely about defensibility. Do enough to pass, then move on. That is not what an 895 represents.

It represents a company that has decided security is part of what it means to be a serious player in critical infrastructure. It represents a supply chain partner that major European energy companies can rely on.

As gridX’s CEO Anne B. Bicking puts it: “The energy transition will only succeed if the technology underpinning it can be trusted. This ‘Mature’ CyberVadis score tells our clients, our partners and the broader market that gridX is serious about fostering and constantly maintaining that trust. Only with such dedication to stability and reliability can we successfully scale with our customers well into the future.”

The energy transition is not built by a single city working alone. It is a network of cities – utility boundaries, national grids, consumer interfaces – all connected, all trading with each other, all only as trustworthy as the weakest gate among them.

We intend to be one of the safest cities to work with.

Frequently asked questions (FAQs)

Why does a cybersecurity score matter when evaluating an energy software partner?

Because your infrastructure is only as secure as the weakest point in your supply chain. When you integrate an EMS platform into your operations, you are not just buying software – you are connecting your systems, your data and your clients' data to another organization's security posture. A verified, third-party score like our 895/1000 CyberVadis rating gives you something concrete to evaluate rather than taking our word for it.

How does gridX's CyberVadis score affect our own regulatory compliance as a utility or energy retailer?

Directly. Under NIS2, operators of essential services are responsible not just for their own security but for the security practices of the technology partners in their supply chain. Working with a partner who has been independently assessed and rated Mature means one less gap in your compliance picture and documentation you can point to if a regulator asks.

Is the CyberVadis assessment a one-time certificate or an ongoing process?

It is ongoing. CyberVadis assessments are periodically updated, and the results reflect where a company stands at the time of evaluation – not where it stood years ago. Our May 2026 assessment is current, and we are already working through the improvement areas identified in the report. Security posture is indeed something you maintain.

What happens if there is a security incident affecting gridX's platform?

Our React score of 1000/1000 reflects a fully structured incident response process – defined roles, documented procedures and clear communication protocols. In the event of an incident, we know exactly who does what and when. Our Detect score of 1000/1000 means we are also built to identify issues in real time, rather than discovering them after the fact. We are happy to walk prospective partners through our incident response plan in detail.

Can we see the full CyberVadis report before signing a contract?

Yes. We are happy to share the full Executive Report as part of any serious procurement or due diligence process. If you would like to discuss what the results mean in the context of your specific security requirements, our team is available for a dedicated conversation.

Get the report!
Interoperability & cybersecurity in the energy industry
There can be no energy transition without interoperability and no interoperability without cybersecurity.