NIS2 for BESS — Cybersecurity Compliance in Energy Storage

What you'll learn

  • Understand what NIS2 requires and why BESS is in scope
  • Know the 10 risk management measures under Article 21
  • Map NIS2 obligations across the BESS value chain
  • Understand the 24/72/30 incident reporting timeline
  • Follow a structured compliance roadmap aligned with IEC 62443

NIS2 is the EU’s updated cybersecurity law for critical infrastructure. It places utility-scale battery energy storage within its scope through the electricity sector provisions of Annex I. This specialist guide covers what the directive requires, how it applies across the BESS value chain, how to meet the ten Article 21 risk-management obligations, and how IEC 62443 maps to the compliance requirements in practice.


What is NIS2?

NIS2 — Directive (EU) 2022/2555 — is the EU’s updated cybersecurity law for critical infrastructure. It replaced the original NIS Directive (EU) 2016/1148 on 18 October 2024, expanding the scope from seven sectors to eighteen, tightening the cybersecurity obligations, and introducing harmonised penalties for non-compliance.

The directive’s full title is “measures for a high common level of cybersecurity across the Union”. NIS1 allowed Member States significant discretion on implementation, which produced fragmented enforcement across the EU. NIS2 closes that gap by setting common minimum requirements and applying them uniformly to entities above defined size thresholds.

What changed from NIS1 to NIS2

  • Broader scope. NIS1 covered roughly seven sectors. NIS2 covers eighteen, including the full energy sector — electricity, oil, gas, hydrogen, and district heating and cooling.
  • Size-based applicability. NIS1 left it to Member States to identify which entities were in scope. NIS2 uses a clear size threshold: any entity with 50 or more employees or more than EUR 10 million in annual turnover operating in a covered sector is automatically in scope.
  • Stricter incident reporting. NIS1 required reporting “without undue delay”. NIS2 mandates a three-stage timeline of 24 hours, 72 hours, and one month.
  • Management liability. NIS2 makes management bodies personally accountable for cybersecurity compliance. No equivalent provision existed in NIS1.
  • Harmonised enforcement. NIS2 sets minimum fine thresholds across all Member States — up to EUR 10 million or 2 per cent of global turnover for essential entities.

How the directive applies

NIS2 is a directive, not a regulation. It does not apply directly; each Member State must transpose it into national law. The transposition deadline was 17 October 2024. Article 21 obligations are harmonised at EU level, but registration, incident reporting channels, and audit requirements are defined in each Member State’s national transposition. Entities comply with the national law of the Member State where they are established (Article 26).

The directive divides entities into two categories based on sector and size:

  • Essential entities — large enterprises (250 or more employees, or more than EUR 50 million in turnover) in Annex I sectors (high criticality). Subject to proactive supervision including on-site inspections, security audits, and security scans by national authorities.
  • Important entities — medium enterprises (50 or more employees, or more than EUR 10 million in turnover) in Annex I or Annex II sectors. Subject to reactive (ex post) supervision — authorities investigate after an incident or evidence of non-compliance.

Both categories face the same cybersecurity obligations under Article 21. The difference is supervisory intensity and maximum penalty.

Key concept: NIS2 is a directive, not a regulation. It sets a common minimum that every Member State must transpose into national law, but the detailed rules — registration, reporting channels, audit schedules — vary by jurisdiction. Entities operating BESS assets in multiple Member States comply with each national transposition.
