Who Is Responsible for NIS2 Compliance in BESS?

NIS2 is appearing in RFQs across European utility-scale BESS. Developers include it in tenders to equipment manufacturers and EPCs. It flows from there into subcontractor scopes and service agreements. It is being specified across every stakeholder involved in the delivery of a BESS plant — and who is actually responsible for what is often unclear. Misalignment leads to delays, unpriced scope, and compliance gaps that surface late in the project.
NIS2 — Directive (EU) 2022/2555 — is the EU’s updated cybersecurity law for essential and important entities across the energy sector. The distinction between who holds the compliance obligation and who determines whether the plant actually meets it is where misalignment typically occurs.
The Obligation Sits with the Asset Owner
The asset owner — in practice, the SPV operating the BESS plant — holds the NIS2 compliance obligation. The SPV registers with the national competent authority, implements the ten cybersecurity risk-management measures required under Article 21, and reports incidents through the mandatory 24-hour, 72-hour, and one-month incident reporting timeline. Management bodies are personally liable. Penalties reach EUR 10 million or 2 percent of global turnover for essential entities.
Outsourcing operations does not transfer the obligation. The asset owner remains accountable regardless of which service providers or subcontractors handle cybersecurity day-to-day.
The directive requires the asset owner to assess the cybersecurity practices of every direct supplier and service provider (Article 21(2)(d)) — including EPCs, service providers, and RTM providers. This turns NIS2 from “someone else’s obligation” into a contractual and commercial reality for every party with access to the plant’s OT systems.
The Party Performing OT Integration Determines Compliance
Whether the delivery model is EPC or split-contract, the party that designs and configures the OT environment plays a critical role in the plant’s cybersecurity posture. Unlike an equipment manufacturer that delivers a product with limited ongoing access, this party builds the entire control and communication architecture. Decisions made during design and commissioning determine:
- Network architecture and segmentation. Whether the plant has properly segmented zones with firewalls between them, or a flat network where compromising one system gives access to everything.
- Access control. Who can reach which systems, at what privilege level, through what authentication.
- Default credential handling. Whether factory-default passwords on BMS controllers, PCS units, SCADA terminals, and network equipment are changed before handover — or left in place.
- Remote access architecture. How service providers and Route to Market (RTM) providers connect to the plant remotely, and what controls govern those connections.
- Communication protocols. Whether SCADA communication uses encrypted protocols or unencrypted legacy protocols like Modbus TCP.
A BESS plant is as secure as the party performing OT integration makes it during commissioning. If cybersecurity requirements are not in the EPC or integration scope, they are not in the plant.
IEC 62443 Is the Implementation Framework
NIS2 defines what an entity must achieve. It does not specify how. For OT environments such as BESS plants, the de facto implementation framework is IEC 62443 — a family of standards for cybersecurity in Industrial Automation and Control Systems (IACS), referenced by ENISA as a framework for demonstrating NIS2 compliance.
The core concept is zones and conduits. A zone is a grouping of assets that share the same security requirements — BMS safety functions, SCADA, EMS, remote access infrastructure. A conduit is the communication path between zones. Each zone is assigned a Security Level based on the threat it must withstand. These zones, security levels, and conduit protections are defined during design and commissioning — which is why that phase of the project has such a direct impact on NIS2 compliance.
The Handover Gap
At COD, the asset owner takes over a plant and inherits its cybersecurity posture. If the OT integration party has not built NIS2-readiness into the design and commissioning scope, the asset owner inherits a compliance gap — and retrofitting cybersecurity on an operating plant is significantly more expensive and disruptive than building it in during integration.
NIS2 is not a one-time compliance exercise. The directive requires ongoing risk reassessment, continuous monitoring, periodic audits, and supply chain reviews as contracts renew. The cybersecurity decisions made during design and integration are the foundation that the asset owner builds on for the life of the plant.