NIS2 (Network and Information Security Directive 2)
EU legislation requiring operators of essential services — including energy storage facilities above certain thresholds — to implement robust cybersecurity measures and report significant incidents. Transposed into member state law from late 2024. Significantly expands the scope and obligations of the original NIS Directive.
In energy storage
BESS operators classified as essential or important entities under NIS2 must implement risk-based cybersecurity measures across their OT and IT systems and report significant incidents to the national CSIRT within 24 hours, followed by a full notification within 72 hours. Non-compliance penalties can reach €10 million or 2% of global turnover, making cybersecurity governance a board-level concern for BESS asset owners operating in the EU.
Also available in: Svenska