BESScompliance

BESS regulatory compliance, mapped to your role

Free tool built by an industry practitioner. Select your role and country — see which regulations apply, what you must do, and when.

Select your role and country above

We will show you exactly which regulations apply, what your obligations are, and the key deadlines.

What we cover

NIS2 — Cybersecurity

Active — penalties in force

The EU cybersecurity directive that classifies energy as a sector of high criticality. If you operate a BESS or provide energy storage services, you are in scope. Management bodies are personally liable.

  • 10 mandatory risk management measures (Article 21)
  • Incident reporting: 24h early warning, 72h notification, 1-month final report
  • Supply chain security — obligations cascade into EPC contracts and O&M SLAs
  • IEC 62443 as the de facto compliance framework for BESS OT environments

EU Battery Regulation (2023/1542)

Coming soon

Staggered obligations for every industrial battery placed on the EU market. Determines who is the 'producer' in your value chain — and who carries carbon footprint, battery passport, and end-of-life responsibilities.

  • Carbon footprint declaration for industrial batteries > 2 kWh
  • Supply chain due diligence and EPR registration across EU member states
  • Battery passport mandatory from Feb 2027 — no stationary BESS solution exists yet
  • Non-compliant batteries banned from the EU market from Feb 2028

Cyber Resilience Act (CRA)

Coming soon

Product security regulation for equipment with digital elements placed on the EU market. Covers BMS, EMS, PCS firmware, SCADA, and monitoring platforms used in BESS.

  • BESS controllers likely Class I (industrial automation) — third-party assessment required
  • SBOM (Software Bill of Materials) mandatory for all products
  • Vulnerability disclosure and patching for minimum 5-year product lifetime
  • CE marking required for CRA conformity from Dec 2027

Different role, different obligations

The same regulation affects each stakeholder differently. NIS2 obligations sit with the asset owner — but cascade into EPC contracts and O&M SLAs. Battery Regulation producer responsibility depends on your procurement structure. We map it per role so you see exactly what applies to you.

Developer (with EPC)
Permitting, grid connection, EPC specification. System integration responsibility sits with the EPC.
Developer (Direct Procurement)
Permitting, grid connection, equipment procurement. Carries system integration responsibility across all vendors.
EPC Contractor
Plant delivery, system integration, cybersecurity handover documentation. Commercial accountability for the integrated system.
Equipment Manufacturer
CRA product obligations, CE marking, supply chain cybersecurity requirements from downstream customers.
Asset Owner
Primary NIS2 entity. Risk management, incident reporting, supply chain security, insurance compliance.
Service Provider / O&M
Supply chain obligations via SLA. Remote OT access, patch management, incident notification.
Route-to-Market Provider
Dispatch and operational control. May be the NIS2 entity if providing energy storage services to the grid.

Nordic markets first

Country-specific authorities, national transposition status, and registration deadlines for Sweden, Denmark, and Finland. Built on firsthand project experience in the Nordic BESS market. Germany, UK, and more European markets coming next.

Sweden
Denmark
Finland

Want the full deep-dive?

Training modules on NIS2 for BESS operators, EU Battery Regulation, and IEC 62443 for OT environments — available on learnBESS.

Explore training on learnBESS