At Uniper, we are pro-actively transforming the world of energy whilst at the same time ensuring security of energy supply. As an internationally operating company, we work in very diverse teams with the greatest possible working time flexibility for our employees. Our corporate culture is characterized by equal opportunities, mutual appreciation, and respect. With us, you will be able to develop new business models, work on technological solutions for a modern, sustainable, and future-oriented energy supply as well as pro-actively help to shape changes. Interested? Then we will look forward to meeting you!

Your responsibilities

We are seeking a highly skilled Group Information Security Risk Manager to join our Group Information Security team. You will be responsible for risk management and ensuring regulatory compliance (including NIS2, DORA, Cyber Resilience Act, ISO/IEC 27001, and the NIST Cybersecurity Framework). As a central point of contact for information and cyber risks, you will advise and oversee the business lines and ensure that all information security risks are appropriately managed. This role reports directly to the CISO and requires at least 5+ years of experience in information security and risk management, ideally in critical infrastructure or the energy sector.

Key Responsibilities:

• Governance: Develop the information security risk framework (policies, guidelines, processes). Independently review the effectiveness of security controls and measures implemented by the first lines and initiate corrective actions where necessary.
• Risk Management: Identify, assess, and monitor information and cyber risks across the entire Uniper Group. Develop risk treatment plans and oversee the implementation of mitigation measures.
• Compliance: Ensure compliance with all relevant legal and regulatory requirements (e.g., NIS2 Directive, DORA, KRITIS etc.) as well as internal policies and industry standards (ISO/IEC 27001, NIST-CSF).
• Management Reporting: Prepare and present regular reports on the information security status and risk profile to top management and the Board of Management. Develop clear KPI/KRI dashboards to visualize trends and progress in risk and compliance. Escalate critical risks to the CISO and, if necessary, to the Board of Management.
• Technical Risk Management: Conduct and support technical risk analyses and security assessments (e.g., threat and vulnerability assessments, risk analyses for various services and systems). Evaluate new technologies, systems, and changes (change risk assessments) from an information security perspective.
• Third-Party Risk Management: Assess security risks related to service providers and partners. Ensure external partners meet security and compliance requirements through contract reviews, security evaluations, and ongoing monitoring of critical vendors.

Your profile

• University degree in (business) informatics, information security, engineering, or a comparable field. Additional certifications in information security/risk management (e.g., CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor) are desired.
• At least 5 years of relevant experience in information security, IT risk management, or IT compliance. Experience in a corporate environment or with critical infrastructure (KRITIS), preferably in the energy sector, is desirable.
• Regulatory Expertise: In-depth knowledge of relevant cybersecurity laws and regulations: e.g., EU NIS2 Directive, Digital Operational Resilience Act (DORA), Cyber Resilience Act (EU regulation for digital products), national IT Security Act/BSI Act, and common standards/frameworks (ISO/IEC 27001/27002, NIST-CSF, BSI IT-Grundschutz). Proven experience in implementing these requirements in a corporate setting.
• Information Security Expertise: Deep knowledge of information security methods and techniques: from risk analysis methodologies (e.g., ISO 27005) and vulnerability management to business continuity management (ISO 22301) and incident response. Familiarity with cloud security principles and basic understanding of OT security in industrial environments.
• GRC and Process Knowledge: Experience in using governance, risk & compliance (GRC) tools or ISMS platforms. Experience with risk analysis tools and ticketing systems is a plus.
• Fluent in both German and English (spoken and written). The role requires communication with German-speaking teams and authorities as well as reporting in an international corporate environment.
• Experience working with international teams or projects is an advantage. Cultural awareness and the ability to roll out global security standards across the group are important.