Rapidly increasing digitization has positively contributed to economic and social development and helped increasing environmental protection. However, it also made socio-technical systems and ecosystems more vulnerable to cyber-threats. Critical infrastructure (CI) in the energy sector is particularly vulnerable to such threats. Remoteness, seasonal darkness, and severe climate that is becoming less predictable due to global climate change–the kind of conditions present in the Arctic European High North (EHN), for example–amplify the impacts of a potential cyber-attack. Although these exceptionally critical infrastructure conditions (ECIC), as we term them, pose inordinate and immense governance challenges, the existing national and international legal frameworks treat them in a fragmented manner. In this paper, we argue for rethinking the existing governance structures and propose an approach that connects cybersecurity and environmental governance. We outline the contours of a coherent and cohesive risk-based, pluralistic, and polycentric legal framework that we see as a critical part of the new ECIC governance regime. We draw upon the concept of sustainable development and the precautionary and polluter-pays principles of environmental law to propose three guiding principles for this framework.