Winners Consulting Services Co., Ltd. highlights a 2025 study by Petri Helo and Mikko Suorsa in the *Journal of Contingencies and Crisis Management*. Based on real cybersecurity incidents at a European energy retail company from 2018 to 2023, the research identifies eight major cybersecurity risk categories. It combines FMEA (Failure Mode and Effects Analysis) with the Bowtie Incident Analysis methodology to provide a defense framework directly applicable to the EU NIS 2 Directive. For Taiwanese enterprises reliant on critical infrastructure, this methodology is not only relevant to the energy sector but also serves as a crucial blueprint for implementing ISO 27701 and conducting Data Protection Impact Assessments (DPIAs).
Source: Cybersecurity Risks and Defense for a European Energy Retail Business: A Case Study Using FMEA and Bowtie Incident Analysis (Helo, Petri; Suorsa, Mikko, 2025)
Original Article: https://doi.org/10.1080/19393555.2025.2489421
About the Authors and This Study
The first author, Petri Helo, is affiliated with the University of Vaasa in Finland. His primary research areas include industrial systems management, manufacturing digitalization, and supply chain resilience. With an h-index of 8 and 240 citations, he has a stable academic influence in industrial systems security management. Co-author Mikko Suorsa has deep practical experience in the European energy industry's cybersecurity. Their collaboration is distinguished by integrating real corporate incident data (a five-year longitudinal study from 2018 to 2023) into an academic framework, avoiding the common disconnect between purely theoretical research and industry practice.
The timing of this study is also noteworthy: the EU NIS 2 Directive (Directive (EU) 2022/2555) had to be transposed by member states by 17 October 2024, so 2025 is the first full year in which its stricter incident reporting obligations and its accountability requirements for management bodies apply. The choice of an energy retail company as a case study is significant because energy is listed in Annex I of NIS 2 as a sector of high criticality, so qualifying energy operators are classified as essential entities and face the most stringent cybersecurity obligations. This provides a highly valuable reference for Taiwanese companies, especially as local authorities continue to strengthen critical infrastructure protection requirements.
The Eight Risk Categories, FMEA, and the Bowtie Model: Core Insights of the Dual Methodology
The most practical value of this study lies in its simultaneous use of FMEA (Failure Modes and Effects Analysis) and Bowtie Incident Analysis to systematically evaluate eight cybersecurity risk categories. This dual-track approach not only provides quantitative risk ratings but also visualizes attack paths, significantly improving the efficiency of risk communication with senior management.
Core Finding 1: Comprehensive Risk Categories and FMEA-Quantified Priorities
The study identifies eight risk categories from five years of real incident data (2018-2023): data breaches, system intrusions, supply chain attacks, insider threats, DDoS attacks, social engineering (e.g., phishing), ransomware, and IT/OT system integration risks. Each category was assessed using FMEA to calculate a Risk Priority Number (RPN) by multiplying scores for Severity, Occurrence, and Detectability. The study found that supply chain attacks and IT/OT integration risks had the highest RPN values, reflecting the unique vulnerabilities of energy retail companies that rely on third-party vendors and industrial control systems. This finding aligns closely with recent CISA alerts about pro-Russian hackers targeting critical infrastructure, indicating that these are systemic risks, not isolated incidents.
Core Finding 2: Bowtie Model Visualizes Attack Paths to Enhance Top Management Accountability
Another key contribution of the study is the application of Bowtie Incident Analysis to each major risk scenario. By presenting a complete diagram of "Threat Source → Preventive Controls → Top Event → Mitigating Controls → Consequences," it makes the cause-and-effect of a security incident immediately clear. This method is particularly suitable for risk communication with boards or senior executives. The study explicitly notes that the EU NIS 2 Directive holds top management personally responsible for cybersecurity decisions, making risk visualization tools that are "easy for executives to understand" a compliance necessity, not an option. Using a ransomware attack on an energy retail system as an example, the study demonstrates how the Bowtie model can simultaneously display technical controls (like endpoint detection) and management controls (like employee awareness training), offering an integrated defense perspective. Furthermore, a recent report from ENISA (European Union Agency for Cybersecurity) shows a significant increase in DDoS and data breach incidents in the EU public sector, further validating the contemporary relevance of this methodology.
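The two findings above describe the mechanics in prose: an RPN is the product of Severity, Occurrence and Detection scores, and a bowtie lays out threats, preventive barriers, a top event, mitigating barriers and consequences. The following Python is an added worked example for this page, not code from the paper or its authors. It keeps only the eight category names from the study; every S/O/D score, barrier name and scenario detail is constructed for illustration. It also shows the one caveat a practitioner should carry into an FMEA workshop: a raw RPN lets a frequent, moderate failure outrank a rare, catastrophic one, so the ranking function below can pull high-severity modes to the front regardless of their product. The bowtie helper flags any threat or consequence that has no barrier at all, which is exactly the kind of gap a board-level diagram is meant to expose.

```python
"""FMEA ranking plus a bowtie gap check for the eight risk categories.

Added illustration for this page: it is not the authors' code, and every
Severity/Occurrence/Detection score, barrier and scenario below is constructed
for the example, not taken from the paper's case data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FailureMode:
    category: str
    severity: int    # 1 = negligible .. 10 = catastrophic
    occurrence: int  # 1 = remote .. 10 = almost certain
    detection: int   # 1 = almost always caught .. 10 = effectively undetectable

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be on the 1-10 scale")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


# Constructed scores; only the category names come from the page.
SAMPLE_MODES = [
    FailureMode("data breach", 7, 5, 5),
    FailureMode("system intrusion", 7, 4, 5),
    FailureMode("supply chain attack", 8, 6, 7),
    FailureMode("insider threat", 6, 3, 7),
    FailureMode("DDoS attack", 4, 7, 2),
    FailureMode("social engineering", 5, 8, 4),
    FailureMode("ransomware", 9, 4, 4),
    FailureMode("IT/OT integration", 9, 5, 7),
]


def rank_by_rpn(modes, severity_floor=11):
    """Highest RPN first. Any mode whose severity reaches `severity_floor` is
    pulled to the front regardless of RPN: a catastrophic-but-rare failure
    (S=9, O=4, D=4 -> 144) would otherwise sit below a frequent nuisance,
    the standard blind spot of the raw product. floor=11 disables the rule."""
    return sorted(modes, key=lambda m: (m.severity < severity_floor, -m.rpn))


def plain_rpn_order():
    return [m.category for m in rank_by_rpn(SAMPLE_MODES)]


def severity_weighted_order():
    return [m.category for m in rank_by_rpn(SAMPLE_MODES, severity_floor=9)]


@dataclass
class Bowtie:
    """Threat -> preventive barriers -> top event -> mitigating barriers -> consequence."""
    top_event: str
    threats: dict = field(default_factory=dict)       # threat -> [preventive barriers]
    consequences: dict = field(default_factory=dict)  # consequence -> [mitigating barriers]

    def unbarriered(self):
        """Paths with no barrier at all: what a board-level diagram must expose."""
        return {
            "threats": [t for t, b in self.threats.items() if not b],
            "consequences": [c for c, b in self.consequences.items() if not b],
        }

    def render(self) -> str:
        def bar(b):
            return " | ".join(b) if b else "NO BARRIER"
        left = "\n".join(f"  {t} --[{bar(b)}]-->" for t, b in self.threats.items())
        right = "\n".join(f"  --[{bar(b)}]--> {c}" for c, b in self.consequences.items())
        return f"{left}\n  ==> TOP EVENT: {self.top_event}\n{right}"


def ransomware_bowtie() -> Bowtie:
    """Constructed ransomware scenario in the spirit of the page's example, mixing
    technical and management controls on both sides of the top event."""
    return Bowtie(
        top_event="ransomware executes on the customer billing platform",
        threats={
            "phishing mail with malicious attachment": ["mail filtering", "awareness training"],
            "exposed remote access with weak credentials": ["MFA", "patch management"],
            "compromised vendor maintenance account": [],   # supply-chain gap left open on purpose
        },
        consequences={
            "billing and metering data encrypted": ["offline backups", "tested restore procedure"],
            "customer PII exfiltrated": ["EDR", "egress monitoring"],
            "regulatory notification deadline missed": [],  # no IR playbook step: a governance gap
        },
    )


if __name__ == "__main__":
    for m in rank_by_rpn(SAMPLE_MODES, severity_floor=9):
        print(f"{m.category:<22} S={m.severity} O={m.occurrence} D={m.detection} RPN={m.rpn}")
    bt = ransomware_bowtie()
    print(bt.render())
    print("gaps:", bt.unbarriered())
```

With these constructed scores the plain RPN order puts supply chain attack (336) and IT/OT integration (315) at the top, matching the page's summary of the study, while ransomware (144) lands fifth; applying the severity floor moves ransomware to second place. Whether to apply such a floor is a decision the risk owner should record explicitly, because auditors will ask why a lower-RPN item was treated first.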
Implications for Taiwan's Privacy Information Management (PIMS) Practices: From EU NIS 2 to Taiwan's PDPA Upgrade Pressure
The most direct implication of this research for Taiwanese companies is that it provides a risk assessment methodology grounded in real incidents that can be mapped directly to the overlapping compliance requirements of ISO 27701, GDPR, and Taiwan's Personal Data Protection Act (PDPA). Taiwan's PDPA, in force in its current form since 2012 and amended in 2023 to raise penalties for inadequate security measures and to create a dedicated supervisory authority, is gradually aligning with the spirit of the EU's GDPR. However, most Taiwanese companies still approach data protection from a "document compliance" perspective, lacking a mature mechanism for driving decisions based on quantitative risk ratings.
This study's FMEA methodology fills this gap. By systematically identifying failure modes in personal data processing flows (e.g., third-party vendor access to personal data without proper access controls), companies can establish a quantifiable and auditable risk priority list within the framework of Article 6 (special categories of personal data) and Article 27 (security maintenance obligations) of Taiwan's PDPA. More importantly, ISO 27701 (Privacy Information Management System) extends the ISO 27001 risk assessment process to the processing of personally identifiable information (PII), so organizations must identify and treat privacy risks, not only information security risks. The FMEA and Bowtie combination presented in this study offers a concrete implementation path for that privacy risk assessment requirement.
Furthermore, for Taiwanese companies facing dual compliance pressure from DORA and NIS 2, especially those with European operations or EU customers, this study provides a vital reference framework. The management accountability requirements of the EU NIS 2 Directive, along with the GDPR's mandate (Articles 37-39) to appoint a Data Protection Officer (DPO), both point to the same management trend: cybersecurity and data privacy must be elevated from technical execution tasks to a governance responsibility of senior management. Taiwanese companies that fail to proactively establish an ISO 27701-based PIMS will face increasingly high compliance barriers when entering the EU market. It is worth noting the study's limitations: the case is limited to a single European energy retail company and focuses on an NIS 2-applicable industry context. When adapting this framework, Taiwanese companies must still make local adjustments based on the specific obligations of Taiwan's PDPA (such as regulatory reporting deadlines).
Winners Consulting Services Helps Taiwanese Companies Build Data Protection Resilience with a Dual FMEA + PIMS Strategy
Winners Consulting Services Co., Ltd. assists Taiwanese companies in implementing the ISO 27701 standard, establishing personal data protection mechanisms compliant with GDPR and Taiwan's PDPA, conducting DPIAs, and integrating methodologies like FMEA and Bowtie Incident Analysis into their corporate risk management frameworks.
- Establish a PIMS Risk Assessment Mechanism Based on FMEA: Using the eight risk categories from this study as a reference, we systematically identify failure modes in your company's data processing flows (especially third-party access and IT/OT interfaces), calculate RPNs, and ensure that risk assessment results are quantifiable and traceable, meeting the privacy risk assessment requirement of ISO 27701 and the security obligations of Article 27 of Taiwan's PDPA.
- Enhance Board-Level PIMS Risk Communication with the Bowtie Model: We create Bowtie visualization analyses for your company's highest-risk scenarios (e.g., ransomware attacks, supply chain data breaches), presenting both preventive and mitigating controls. This helps senior management understand and assume the governance responsibilities required by ISO 27701 and provides visual supporting documentation for DPIAs.
- Conduct an ISO 27701 Certification Gap Analysis and Plan a 7- to 12-Month Certification Path: By analyzing the NIS 2 compliance requirements from this study, we compare your current data protection measures against ISO 27701, GDPR, and Taiwan's PDPA to identify gaps. We then develop a concrete plan for mechanism design, implementation, and validation, providing your company with credible compliance evidence when dealing with EU customers or regulators.
Winners Consulting Services Co., Ltd. offers a free PIMS mechanism diagnosis to help Taiwanese companies establish an ISO 27701-compliant management system within 7 to 12 months.
Frequently Asked Questions
- How can the FMEA methodology be applied to data privacy risk assessments for Taiwanese companies?
- The FMEA methodology can be directly applied to assess risks in personal data processing activities. For each activity, such as data collection or sharing with third parties, companies identify potential failure modes like inadequate access controls or unencrypted data transmission. They then score Severity, Occurrence, and Detection (each on a 1-10 scale) and multiply them to get a Risk Priority Number (RPN). High-RPN items are prioritized for mitigation, with the caveat that a rare but catastrophic failure can receive a modest RPN, so severity should be reviewed separately rather than relying on the product alone. This study shows that supply chain attacks and IT/OT integration have the highest RPNs, a risk structure similar to that faced by Taiwan's manufacturing and e-commerce sectors. This approach directly aligns with the privacy risk assessment requirement of ISO 27701 and helps fulfill the security obligations under Article 27 of Taiwan's PDPA.
- What are the most common compliance challenges for Taiwanese companies when implementing ISO 27701?
- The three most common challenges are documentation gaps, unclear roles, and weak supply chain management. First, many companies lack the specific documentation required by ISO 27701, such as a dedicated privacy policy, records of processing activities (as per GDPR Article 30), and a formal DPIA procedure, even if they have an ISO 27001 foundation. Second, the distinction between the "PII controller" and "PII processor" roles (the GDPR's data controller and data processor) and their respective obligations under ISO 27701 is often blurred, requiring careful mapping to Taiwan's PDPA requirements. Third, management of Data Processing Agreements (DPAs) with third-party vendors is frequently inadequate, which is a high-risk area identified by both GDPR Article 28 and this study's FMEA analysis.
- What are the core requirements and implementation steps for ISO 27701 certification?
- ISO 27701 is an extension to ISO 27001, so companies without ISO 27001 certification typically need 7-12 months for dual certification, while those with an existing ISMS can implement it in 4-6 months. The key steps involve: (1) conducting a gap analysis against the PIMS-specific requirements and controls of ISO 27701 (clauses 5-8 of the 2019 edition) in months 1-3; (2) establishing a privacy policy framework, DPIA procedures, and supply chain data management mechanisms in months 4-6; (3) performing internal audits and management reviews in months 7-9; and (4) undergoing the certification audit in months 10-12. Throughout the process, it is crucial to ensure all documentation aligns with the security measure obligations under Article 27 of Taiwan's PDPA.
- How can the costs and expected benefits of establishing a PIMS be evaluated?
- The total investment for a mid-sized company (100-500 employees) to implement ISO 27701 typically ranges from NT$800,000 to NT$2,000,000, depending on the existing ISO 27001 foundation. The benefits, however, often outweigh the costs. GDPR fines can reach up to 4% of global annual turnover, and inadequate security controls are a primary reason for penalties. For Taiwanese companies with EU operations, ISO 27701 certification significantly reduces audit risks. For domestic businesses, it lowers the risk of damage compensation claims under Article 29 of Taiwan's PDPA. Furthermore, it enhances customer trust and partner ratings, strengthening business competitiveness with a typical return on investment seen within 2-3 years.
- Why choose Winners Consulting Services for assistance with Privacy Information Management (PIMS) issues?
- Winners Consulting Services Co., Ltd. specializes in PIMS, ERM, and ISO 27701 certification consulting, offering integrated expertise across EU GDPR, Taiwan's PDPA, and ISO standards. Our team is adept at translating academic methodologies, like the FMEA and Bowtie analysis in this study, into practical, everyday risk management mechanisms. Our services feature a free initial diagnosis to quickly identify ISO 27701 gaps, customized document templates that meet dual GDPR and PDPA requirements, and a clear roadmap to achieve certification within 7-12 months. We have a proven track record of helping Taiwanese companies successfully achieve ISO 27701 certification and establish sustainable PIMS, and we welcome you to apply for a complimentary consultation.