EU Directive 2022/2555
NIS2 — Network and Information Security Directive
83 cybersecurity requirements for BESS operators and their supply chain, organized by obligation category. Each requirement is tagged with the stakeholder primarily responsible for delivering it.
Entity classification
Essential entity
≥250 employees OR >€50M turnover — ex ante supervision, fines up to €10M
Important entity
≥50 employees OR >€10M turnover — ex post supervision, fines up to €7M
Scope and entity classification (6 requirements)

Energy is classified as a sector of high criticality under Annex I. Entities providing electricity storage are explicitly in scope. Classification as essential or important determines the supervision regime and penalty ceiling.
| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| Electricity storage in scope | Annex I, Sector 1 (Energy) — electricity undertakings performing storage | All | Art. 2, Annex I |
| Essential entity threshold | Large enterprise: ≥250 employees OR (>€50M turnover AND >€43M balance sheet) | Asset Owner | Art. 3(1) |
| Important entity threshold | Medium enterprise: ≥50 employees OR (>€10M turnover AND >€10M balance sheet) | Asset Owner | Art. 3(2) |
| Member state designation | Member states may designate additional entities regardless of size | All | Art. 2(2)(b) |
| Single market operator | If entity provides services in multiple member states, each applies separately | Asset Owner | Art. 26(1) |
| Registration obligation | Essential and important entities must register with national competent authority | Asset Owner | Art. 3(4) |
Governance and management liability (6 requirements)

Management bodies must approve cybersecurity risk management measures and oversee implementation. They are personally liable. This is not delegable to the IT department.
| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| Management body approval | Must approve cybersecurity risk management measures adopted under Art. 21 | Asset Owner | Art. 20(1) |
| Management body oversight | Must oversee implementation of Art. 21 measures | Asset Owner | Art. 20(1) |
| Personal liability | Management bodies can be held liable for infringements of Art. 21 | Asset Owner | Art. 20(1) |
| Cybersecurity training — management | Members of management bodies must undertake training | Asset Owner | Art. 20(2) |
| Cybersecurity training — employees | Must offer similar training to employees on a regular basis | Asset Owner | Art. 20(2) |
| Risk identification skills | Training must enable identification of risks and assessment of cybersecurity impact | Asset Owner | Art. 20(2) |
Article 21 — Risk management measures (16 requirements)

Ten mandatory cybersecurity risk management measures. These are minimum requirements: entities must implement measures proportionate to the risk, the size of the entity, the likelihood and severity of incidents, and the societal and economic impact.
| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| (a) Risk analysis and information system security policies | Documented policies covering risk assessment methodology, asset inventory, and security baselines | Asset Owner | Art. 21(2)(a) |
| (b) Incident handling | Procedures for prevention, detection, response, and recovery from cybersecurity incidents | Asset Owner | Art. 21(2)(b) |
| (c) Business continuity and crisis management | Backup management, disaster recovery, crisis management procedures | Asset Owner | Art. 21(2)(c) |
| (d) Supply chain security | Security requirements for direct suppliers and service providers, including contractual arrangements | Asset Owner | Art. 21(2)(d) |
| (d) Supply chain — EPC contracts | Cybersecurity requirements must flow down into EPC contract specifications | EPC | Art. 21(2)(d) |
| (d) Supply chain — O&M contracts | Remote access, patch management, and incident notification requirements in O&M SLAs | O&M | Art. 21(2)(d) |
| (d) Supply chain — equipment procurement | Manufacturer security posture, firmware update commitments, vulnerability disclosure policies | Manufacturer | Art. 21(2)(d) |
| (e) Network and information system acquisition, development, maintenance | Including vulnerability handling and disclosure | Asset Owner | Art. 21(2)(e) |
| (f) Policies and procedures for effectiveness assessment | Regular testing and auditing of cybersecurity risk management measures | Asset Owner | Art. 21(2)(f) |
| (g) Basic cyber hygiene practices and training | Awareness programs, password policies, access management, secure configurations | All | Art. 21(2)(g) |
| (h) Cryptography and encryption policies | Policies and procedures regarding the use of cryptography and, where appropriate, encryption | All | Art. 21(2)(h) |
| (i) Human resources security, access control, asset management | Identity management, authentication, access rights — including for OT systems | Asset Owner | Art. 21(2)(i) |
| (j) Multi-factor authentication or continuous authentication | MFA, secured voice/video/text, secured emergency communication systems | All | Art. 21(2)(j) |
| Proportionality principle | Measures must be proportionate to risk exposure, entity size, incident likelihood, and societal impact | All | Art. 21(1) |
| State of the art | Measures must take into account relevant European and international standards | All | Art. 21(1) |
| All-hazards approach | Must protect against both cyber and physical threats to network and information systems | Asset Owner | Art. 21(2) |
Incident reporting (9 requirements)

Significant incidents must be reported on a strict timeline: early warning within 24 hours, incident notification within 72 hours, and a final report within one month. Failure to report is a separate violation.
| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| Significant incident definition | Caused or capable of causing severe operational disruption or financial loss, or affected or capable of affecting other persons by causing considerable damage | Asset Owner | Art. 23(3) |
| Early warning — 24 hours | Without undue delay, within 24 hours of becoming aware. Must indicate if suspected unlawful/malicious or cross-border impact | Asset Owner | Art. 23(4)(a) |
| Incident notification — 72 hours | Update with initial assessment: severity, impact, and where available, indicators of compromise | Asset Owner | Art. 23(4)(b) |
| Intermediate report | Upon request of the CSIRT or competent authority | Asset Owner | Art. 23(4)(c) |
| Final report — 1 month | Detailed description: root cause, mitigation measures applied and ongoing, cross-border impact if applicable | Asset Owner | Art. 23(4)(d) |
| Extended final — 1 month after handling | If incident still ongoing at 1-month mark, interim report then; final report within 1 month of handling | Asset Owner | Art. 23(4)(d) |
| Report to CSIRT | Reports go to the national CSIRT (Computer Security Incident Response Team) | Asset Owner | Art. 23(1) |
| Inform recipients of services | Must inform recipients of services potentially affected by a significant cyber threat | Asset Owner | Art. 23(1) |
| Remediation measures to recipients | Must disclose to service recipients any measures they can take in response to the threat | Asset Owner | Art. 23(2) |
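The Art. 23 reporting timeline above as a small deadline tracker, added here as an example; it is not part of the original page or of any national CSIRT tooling. It measures every deadline from the moment the entity became aware of the incident, treats "one month" as calendar-month arithmetic with the day clamped (an assumption: the Directive does not define the month), and handles the ongoing-incident case from the table: if the incident is not handled by the one-month mark, that mark becomes a progress-report deadline and the final report falls due one month after handling. All timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
import calendar

def add_one_month(dt):
    """Calendar-month arithmetic, clamping the day (31 Jan -> 28/29 Feb).
    Assumption: NIS2 does not define 'one month', so a calendar month is used."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def reporting_deadlines(aware_at, handled_at=None):
    """Art. 23(4) deadlines measured from when the entity became aware.

    handled_at is None while the incident is still ongoing. If the incident is
    not handled by the one-month mark, that mark becomes a progress-report
    deadline and the final report is due one month after handling (None until
    a handling time is known).
    """
    deadlines = {
        "early_warning": aware_at + timedelta(hours=24),        # Art. 23(4)(a)
        "incident_notification": aware_at + timedelta(hours=72),  # Art. 23(4)(b)
    }
    one_month = add_one_month(aware_at)
    if handled_at is not None and handled_at <= one_month:
        deadlines["final_report"] = one_month                    # Art. 23(4)(d)
    else:
        deadlines["progress_report"] = one_month
        deadlines["final_report"] = None if handled_at is None else add_one_month(handled_at)
    return deadlines

def overdue_reports(deadlines, submitted, now):
    """Names of reports whose deadline has passed without a submission."""
    return sorted(
        name for name, due in deadlines.items()
        if due is not None and due < now and name not in submitted
    )

# Constructed sample timestamps (not from any real incident).
AWARE = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
HANDLED_EARLY = datetime(2025, 2, 10, 9, 0, tzinfo=timezone.utc)
HANDLED_LATE = datetime(2025, 3, 15, 12, 0, tzinfo=timezone.utc)
NOW = datetime(2025, 2, 4, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, handled in (("ongoing", None), ("handled early", HANDLED_EARLY), ("handled late", HANDLED_LATE)):
        print(f"--- {label}")
        for name, due in reporting_deadlines(AWARE, handled).items():
            print(f"{name:22} {due}")
    print("overdue now:", overdue_reports(reporting_deadlines(AWARE), {"early_warning"}, NOW))
```

The tracker deliberately keys everything off the awareness timestamp rather than the detection timestamp of a monitoring tool: the 24-hour clock starts when the entity becomes aware, so recording that moment in the incident record is what makes the later deadlines defensible to the competent authority.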
Supply chain security for BESS (9 requirements)

NIS2 makes the asset owner responsible for the cybersecurity of their supply chain. In practice, this means cybersecurity clauses must flow into EPC contracts, O&M SLAs, and equipment procurement specifications.
| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| Direct supplier assessment | Assess cybersecurity risk of direct suppliers and service providers | Asset Owner | Art. 21(2)(d) |
| Contractual security requirements | Include cybersecurity requirements in contractual arrangements with direct suppliers | Asset Owner | Art. 21(2)(d) |
| EPC cybersecurity handover | EPC must deliver cybersecurity documentation: network architecture, access credentials, hardening records | EPC | Art. 21(2)(d) |
| PCS/BMS firmware security | Manufacturer must provide firmware update policy, vulnerability disclosure process, SBOM | Manufacturer | Art. 21(2)(d) |
| SCADA/EMS security | Control system providers must document security architecture and remote access procedures | Manufacturer | Art. 21(2)(d) |
| Remote access controls — O&M | O&M provider remote OT access must use MFA, audit logging, and session recording | O&M | Art. 21(2)(d),(j) |
| Patch management — O&M | O&M provider must maintain patching schedule and document exceptions | O&M | Art. 21(2)(e) |
| Incident notification — supply chain | Suppliers and service providers must notify the entity of incidents affecting supplied services | All | Art. 21(2)(d) |
| Coordinated risk assessments | EU-level coordinated security risk assessments of critical supply chains | All | Art. 22 |
OT security — IEC 62443 alignment (8 requirements)

NIS2 does not prescribe a specific standard, but IEC 62443 is the de facto framework for industrial OT security in the energy sector. Aligning with IEC 62443 is the most practical path to demonstrating compliance with Article 21.
| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| OT network segmentation | Separate IT and OT networks. Zone and conduit model per IEC 62443-3-3 | Asset Owner | Art. 21(2)(a),(e) |
| Security levels per zone | Define target security levels (SL-T) for each zone based on risk assessment | Asset Owner | Art. 21(2)(a) |
| Component security — SL capability | PCS, BMS, EMS components must meet required security level capability (SL-C) | Manufacturer | Art. 21(2)(e) |
| Secure development lifecycle | Manufacturers should follow IEC 62443-4-1 for product development | Manufacturer | Art. 21(2)(e) |
| System integrator responsibility | EPC/SI must achieve target SL through integration: hardening, access control, monitoring | EPC | Art. 21(2)(e) |
| Periodic security assessment | Regular vulnerability scanning and penetration testing of OT systems | Asset Owner | Art. 21(2)(f) |
| Change management — OT | Documented change management process for all OT system modifications | O&M | Art. 21(2)(e) |
| Backup and recovery — OT | OT system configurations, firmware images, and control logic must be backed up and tested | Asset Owner | Art. 21(2)(c) |
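The zone/conduit and SL-T versus SL-C rows above as a gap check, added here as an example that is not part of the original page or of the IEC 62443 standard text. It models each zone's target security level (SL-T) and each component's capability (SL-C) as vectors over the seven IEC 62443 foundational requirements and lists every foundational requirement where a component falls short of its zone's target, which is the list the system integrator (EPC/SI row) has to close with compensating measures. The zone "kind" labels and the rule that an IT zone may only reach an OT zone through a DMZ are this example's assumptions, standing in for the "separate IT and OT networks" row; all zones, components and SL values are constructed.

```python
from dataclasses import dataclass

# IEC 62443 foundational requirements; SL vectors are indexed in this order.
FRS = ("FR1 IAC", "FR2 UC", "FR3 SI", "FR4 DC", "FR5 RDF", "FR6 TRE", "FR7 RA")

@dataclass
class Zone:
    name: str
    sl_target: tuple        # SL-T vector, one level (0-4) per FR, from the risk assessment
    kind: str = "ot"        # "it", "dmz" or "ot": hypothetical label for the IT/OT split

@dataclass
class Component:
    name: str
    zone: str
    sl_capability: tuple    # SL-C vector as stated by the manufacturer

@dataclass
class Conduit:
    a: str
    b: str

def sl_gaps(zones, components):
    """Return (component, zone, FR, sl_c, sl_t) for every FR where SL-C < SL-T."""
    by_name = {z.name: z for z in zones}
    gaps = []
    for c in components:
        z = by_name[c.zone]
        for fr, slc, slt in zip(FRS, c.sl_capability, z.sl_target):
            if slc < slt:
                gaps.append((c.name, z.name, fr, slc, slt))
    return gaps

def conduit_violations(zones, conduits):
    """Flag conduits that join an IT zone directly to an OT zone (assumed rule: via DMZ only)."""
    kind = {z.name: z.kind for z in zones}
    return [(cd.a, cd.b) for cd in conduits if {kind[cd.a], kind[cd.b]} == {"it", "ot"}]

# Constructed sample model of a BESS site (not a real installation).
ZONES = [
    Zone("it_corporate", (1, 1, 1, 1, 1, 1, 1), "it"),
    Zone("dmz", (2, 2, 2, 2, 2, 2, 2), "dmz"),
    Zone("control", (2, 2, 2, 2, 2, 2, 2)),         # EMS / SCADA
    Zone("pcs_bms", (2, 2, 2, 1, 2, 2, 2)),         # inverter and battery controllers
]
COMPONENTS = [
    Component("EMS server", "control", (2, 2, 2, 2, 2, 2, 2)),
    Component("BMS", "pcs_bms", (2, 2, 2, 1, 2, 2, 2)),
    Component("PCS controller", "pcs_bms", (1, 1, 2, 1, 2, 2, 2)),  # weak on IAC and UC
]
CONDUITS = [
    Conduit("it_corporate", "dmz"),
    Conduit("dmz", "control"),
    Conduit("control", "pcs_bms"),
    Conduit("it_corporate", "control"),   # bypasses the DMZ
]

if __name__ == "__main__":
    for gap in sl_gaps(ZONES, COMPONENTS):
        print("SL gap:", gap)
    for bad in conduit_violations(ZONES, CONDUITS):
        print("conduit violation:", bad)
```

Keeping SL as a per-FR vector rather than a single number matters for procurement: a PCS whose vendor claims "SL 2" may meet it for system integrity but not for identification and authentication, and the gap list is what goes into the EPC specification and the O&M remote-access requirements.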
National implementation — Nordics (8 requirements)

| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| Sweden — Cybersäkerhetslagen | National transposition law. Competent authority: MSB (Swedish Civil Contingencies Agency) | All | National |
| Sweden — registration | Entities must register with the competent authority. Energy sector supervised by Energimyndigheten | Asset Owner | National |
| Denmark — national transposition | Transposed into Danish law. Competent authority: CFCS (Centre for Cyber Security) | All | National |
| Denmark — energy sector | Energy sector supervised by Energistyrelsen (Danish Energy Agency) | Asset Owner | National |
| Finland — national transposition | Transposed into Finnish law. Competent authority: Traficom (Transport and Communications Agency) | All | National |
| Finland — energy sector | Energy sector supervised by Energiavirasto (Energy Authority) | Asset Owner | National |
| Transposition deadline | 17 October 2024 — all member states must have transposed NIS2 into national law | All | Art. 41(1) |
| Application date | 18 October 2024 — measures apply from this date | All | Art. 41(2) |
Supervision and enforcement (9 requirements)

| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| Essential entities — ex ante supervision | Proactive supervision: audits, security scans, on-site inspections at any time | Asset Owner | Art. 32(2) |
| Important entities — ex post supervision | Reactive supervision: triggered by evidence of non-compliance or incident | Asset Owner | Art. 33(2) |
| On-site inspections | Competent authorities may conduct on-site inspections and off-site supervision | Asset Owner | Art. 32(2)(a) |
| Security audits | Regular and targeted security audits by independent body or competent authority | Asset Owner | Art. 32(2)(b) |
| Security scans | Ad hoc security scans based on objective, non-discriminatory risk assessment criteria | Asset Owner | Art. 32(2)(c) |
| Information requests | Competent authority may request evidence of cybersecurity policies implementation | Asset Owner | Art. 32(2)(d) |
| Compliance orders | Authority may issue binding instructions and require remediation within a deadline | Asset Owner | Art. 32(4) |
| Suspend certification | Authority may request suspension of entity certification or authorization | Asset Owner | Art. 32(5)(b) |
| Suspend management | For essential entities: authority may request temporary ban of management body member | Asset Owner | Art. 32(5)(d) |
Penalties (6 requirements)

| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| Essential entities — maximum fine | €10,000,000 or 2% of total worldwide annual turnover, whichever is higher | Asset Owner | Art. 34(4) |
| Important entities — maximum fine | €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher | Asset Owner | Art. 34(5) |
| Periodic penalty payments | Competent authority may impose periodic penalties to compel compliance | Asset Owner | Art. 34(6) |
| Penalties must be effective | Proportionate and dissuasive, taking into account circumstances of each case | All | Art. 34(1) |
| Factors considered | Gravity, duration, previous infringements, damage caused, degree of intent or negligence | All | Art. 34(3) |
| Personal liability of management | Natural persons in management bodies can be held personally liable | Asset Owner | Art. 20(1), Art. 32(6) |
Key dates and deadlines (6 requirements)

| Requirement | Detail | Role responsibility | Ref |
|---|---|---|---|
| Directive adopted | 14 December 2022 | All | Directive 2022/2555 |
| Transposition deadline | 17 October 2024 | All | Art. 41(1) |
| Application date | 18 October 2024 — obligations apply from this date | All | Art. 41(2) |
| Entity registration | Ongoing — register with national competent authority | Asset Owner | Art. 3(4) |
| Implementing acts — incident reporting | By 17 October 2024 — further specifying significant incidents | All | Art. 23(11) |
| Review of the Directive | By 17 October 2027 — Commission reviews functioning of the Directive | All | Art. 40 |
Requirements based on Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2 Directive), published 14 December 2022.