NIS2 for BESS — Cybersecurity Compliance in Energy Storage
What you'll learn
- Understand what NIS2 requires and why BESS is in scope
- Know the 10 risk management measures under Article 21
- Map NIS2 obligations across the BESS value chain
- Follow a practical 10-step compliance roadmap
1. What is NIS2?
NIS2 (Directive (EU) 2022/2555) is the EU’s updated cybersecurity law for critical infrastructure. It replaced the original NIS Directive (2016/1148) on 18 October 2024, expanding the scope from a handful of sectors to 18, tightening the obligations, and introducing real penalties for non-compliance.
The directive’s full title is “measures for a high common level of cybersecurity across the Union” — and that tells you everything about its intent. NIS1 was a starting point. It gave Member States flexibility, which led to fragmented implementation — some countries took it seriously, others barely enforced it. NIS2 closes those gaps.
What changed from NIS1 to NIS2
- Broader scope. NIS1 covered roughly 7 sectors. NIS2 covers 18, including the full energy sector — electricity, oil, gas, hydrogen, and district heating/cooling.
- Size-based applicability. NIS1 left it to Member States to identify which entities were in scope. NIS2 uses a clear size threshold: any entity with 50+ employees or EUR 10 million+ annual turnover that operates in a covered sector is automatically in scope.
- Stricter incident reporting. NIS1 required reporting “without undue delay.” NIS2 mandates a three-stage timeline: 24 hours, 72 hours, and one month.
- Management liability. NIS2 makes management bodies personally accountable for cybersecurity compliance. This was not in NIS1.
- Harmonised enforcement. NIS2 sets minimum fine thresholds across all Member States: up to EUR 10 million or 2% of global turnover for essential entities.
How it works
NIS2 is a directive, not a regulation. That means it doesn’t apply directly — each EU Member State must transpose it into national law. The transposition deadline was 17 October 2024. As of early 2026, 20 of 27 Member States have completed transposition. The European Commission issued formal reasoned opinions to 19 Member States in May 2025 for late implementation.
The directive divides entities into two categories based on sector and size:
- Essential entities — large enterprises (250+ employees or EUR 50 million+ turnover) in Annex I sectors (high criticality). Subject to proactive supervision: on-site inspections, security audits, and security scans by national authorities.
- Important entities — medium enterprises (50+ employees or EUR 10 million+ turnover) in Annex I or II sectors. Subject to reactive (ex post) supervision — authorities investigate after an incident or evidence of non-compliance.
Both categories face the same cybersecurity obligations under Article 21. The difference is in how they are supervised and the maximum penalty.
2. Why BESS is in scope
Open the directive’s Annex I — “Sectors of High Criticality” — and look at Sector 1: Energy, subsector (a): Electricity. The entity types listed include:
- Electricity undertakings (supply function)
- Distribution system operators
- Transmission system operators
- Producers (generators)
- Nominated electricity market operators
- Market participants providing aggregation, demand response or energy storage services
- Operators of recharging points
That sixth bullet is the one that puts BESS squarely in scope. If you operate a battery energy storage system and provide energy storage services to the market — frequency regulation, arbitrage, capacity — you are a market participant providing energy storage services under Directive (EU) 2019/944. You fall under Annex I.
Essential or important?
Because energy storage is in Annex I (high criticality, not Annex II), the classification depends on size:
- Large enterprise (250+ employees or EUR 50M+ turnover) → essential entity. Proactive supervision. Fines up to EUR 10M or 2% of global turnover.
- Medium enterprise (50–249 employees or EUR 10–50M turnover) → important entity. Reactive supervision. Fines up to EUR 7M or 1.4% of global turnover.
- Below medium (<50 employees and <EUR 10M turnover) → generally out of scope, unless a Member State designates the entity based on its criticality (Article 2(2)).
There is one catch. Many BESS projects are owned by a special purpose vehicle (SPV) — a shell company with zero employees and minimal turnover. Does the SPV fall below the threshold? Not necessarily. The EU’s SME definition (Recommendation 2003/361/EC) includes linked and partner enterprises. If the SPV is controlled by a parent company that exceeds the thresholds, the parent’s headcount and turnover may be attributed to the SPV. This is still being tested in national implementations, but the conservative interpretation — and the one most national authorities are likely to take — is that the parent counts.
What about the UK and non-EU countries?
NIS2 is an EU directive. The UK left the EU before NIS2 was adopted and has its own framework (the NIS Regulations 2018, currently under review). Norway, Iceland, and Liechtenstein (EEA members) are expected to adopt NIS2 through the EEA Joint Committee. Switzerland is not covered.
If you operate BESS assets in the EU or provide services to EU-based entities, NIS2 applies regardless of where your headquarters is — the directive uses the concept of “main establishment” in the Member State where cybersecurity decisions are predominantly taken (Article 26).