Battery energy storage systems (BESS) in Europe and Germany must comply with strict cybersecurity regulations such as NIS2, KRITIS, and the BNetzA Sicherheitskatalog (SiKat).
Modern BESS are increasingly deployed in the primary control reserve markets in Germany and Europe. This role connects them directly to national grid control systems, enabling real-time frequency stabilisation within seconds.
This critical function makes them high-value targets for cyberattacks with severe consequences, for example:
As a basis, many of the above standards require cybersecurity managment frameworks such as ISO 27001/ISMS for organisational and process-level security.
These regulations place obligations both on asset owners and on project developers, with requirements differing depending on their role and responsibility.
From planning to operation, ettex ensures that BESS projects are secure, compliant, and ready for critical infrastructure demands. Our expertise covers the entire lifecycle — embedding cybersecurity early, building and validating it during realisation, and maintaining resilience in daily operations.
Planning – Regulatory mapping, secure OT & cybersecurity concepts, permit support, supplier requirements.
Realisation – Secure configuration, system integration, compliance testing, vendor coordination, documentation.
Operation – Security and OT operations & monitoring, compliance management, user management, patching & hardening, continuous improvement.
In the planning phase, ettex ensures that OT and cybersecurity requirements are embedded from the very beginning.
Project Management: Coordination of stakeholders, schedules, and deliverables across all security-related workstreams.
Regulatory & Standards Alignment: Mapping of NIS2, Cyber Resilience Act, KRITIS, and SiKat into concrete project requirements.
Cybersecurity & OT Concept Design: Secure network architecture, zoning, and role-based access concepts.
Permit & Approval Support: Integration of cybersecurity and physical security requirements into building permit documentation.
Supplier & Tender Specifications: Defining binding cybersecurity and OT requirements for contractors and system suppliers.
During realisation, ettex translates the defined requirements into secure technical implementation.
Project Management & Vendor Coordination: Steering implementation milestones, quality control, reporting, and oversight of external suppliers.
Secure Configuration & Pre-Commissioning: Pre-configuration of infrastructure such as firewall, switches, CCTV, VPN including and access management according to state-of-the-art practices.
On-Site Installation: Supervision and execution of installation and integration activities directly at the plant site.
OT System Integration & (Security) Testing: Integration of 3rd parties (e.g. energy trader/ RtM provider). Execution of structured test cases (commissioning, SAT, trial operation) to validate compliance and robustness.
Documentation & Handover: Creation of audit-proof documentation, system inventories and operations handbook.
In operation, ettex supports secure, compliant, and resilient day-to-day running of the BESS.
Operations (according to ITIL): Structured service processes for incident, problem, and change management.
OT Monitoring: Continuous supervision of the power plant OT-network, including SCADA, control systems, firewall, internet connectivity and VPNs to ensure availability and early anomaly detection.
Security Monitoring & Incident Response: Setup and integration of IDS/SIEM, logging, and reporting processes.
Compliance Management: Ongoing alignment with ISO/IEC 27001, KRITIS reporting obligations, and audit readiness including asset list and software versions.
Access & User Management: Lifecycle management of roles, accounts, and vendor access.
Lifecycle Support: Patch and vulnerability management, periodic penetration testing, and system hardening.
Continuous Improvement: Regular reviews of security controls, trial operations, and lessons learned integration.
ISO as a Service: Providing an outsourced Information Security Officer (ISO) role to manage audits, policies, and continuous improvement in line with ISO/IEC 27001.
Note: Some services will be availabe soon
ettex ensures that OT and cybersecurity requirements are embedded from the very beginning.
Project Management: Coordination of stakeholders, schedules, and deliverables across all security-related workstreams.
Regulatory & Standards Alignment: Mapping of NIS2, Cyber Resilience Act, KRITIS, and SiKat into concrete project requirements.
Cybersecurity & OT Concept Design: Secure network architecture, zoning, and role-based access concepts.
Permit & Approval Support: Integration of cybersecurity and physical security requirements into building permit documentation.
Supplier & Tender Specifications: Defining binding cybersecurity and OT requirements for contractors and system suppliers.
ettex translates the defined requirements into secure technical implementation.
Project Management & Vendor Coordination: Steering implementation milestones, quality control, reporting, and oversight of external suppliers.
Secure Configuration & Pre-Commissioning: Pre-configuration of infrastructure such as firewall, switches, CCTV, VPN and access management according to state-of-the-art practices.
On-Site Installation: Supervision and execution of installation and integration activities directly at the plant site.
OT System Integration & (Security) Testing: Integration of 3rd parties (e.g. energy trader/ RtM provider). Execution of structured test cases (commissioning, SAT, trial operation) to validate compliance and robustness.
Documentation & Handover: Creation of audit-proof documentation, system inventories and operations handbook.
ettex supports secure, compliant, and resilient day-to-day running of the BESS.
Operations (according to ITIL): Structured service processes for incident, problem, and change management.
OT Monitoring: Continuous supervision of the power plant OT-network, including SCADA, control systems, firewall, internet connectivity and VPNs to ensure availability and early anomaly detection.
Security Monitoring & Incident Response: Setup and integration of IDS/SIEM, logging, and reporting processes.
Compliance Management: Ongoing alignment with ISO/IEC 27001, KRITIS reporting obligations, and audit readiness including asset list and software versions.
Access & User Management: Lifecycle management of roles, accounts, and vendor access.
Lifecycle Support: Patch and vulnerability management, periodic penetration testing, and system hardening.
Continuous Improvement: Regular reviews of security controls, trial operations, and lessons learned integration.
ISO as a Service: Providing an outsourced Information Security Officer (ISO) role to manage audits, policies, and continuous improvement in line with ISO/IEC 27001.
Note: More services will be available soon
Interested to understand cybersecurity in your project and how we can help you?
Battery Energy Storage Systems (BESS) are not only central to the energy transition but are also classified as critical infrastructure in many jurisdictions. This status brings strict cybersecurity, operational, and regulatory obligations. In the context of acquisitions, sales, or refinancing, these obligations can become deal-critical: Missing documentation, outdated security measures, or non-compliance with standards such as ISO/IEC 27001, NIS2, KRITIS, or the German SiKat can lead to significant risks and thus costs.
For investors and project developers, these risks can translate into reduced asset value, delayed approvals, or even legal liabilities. Common issues include insufficient role and access management, lack of monitoring systems, incomplete incident response procedures, or missing alignment with physical security requirements tied to building permits. Addressing these aspects early in the transaction process ensures transparency, protects operational stability, and safeguards long-term asset profitability.
ettex supports investors, developers, and operators during BESS transactions with focused cybersecurity and OT due diligence. We assess compliance with ISO/IEC 27001, NIS2, KRITIS, and SiKat to uncover hidden risks that may impact asset value or transaction success. Our experts translate findings into clear, actionable recommendations that protect deal integrity and ensure long-term resilience. This enables confident decision-making and safeguards both operational reliability and investment returns.
Reduced transaction risk and higher confidence in the long-term value of the asset.
Cybersecurity & OT Due Diligence
Review of architecture, controls, and documentation against ISO/IEC 27001, NIS2, KRITIS, and SiKat.
Gap Analysis & Risk Identification
Identification of vulnerabilities in network design, access and user management, monitoring, and incident response.
Operational Security Review
Assessment of patching, vulnerability management, escalation procedures, and alignment with state-of-the-art practices.
Regulatory & Permit Verification
Validation of building permits, physical protection measures, and KRITIS reporting obligations.
Value Preservation
Delivery of a remediation roadmap to secure compliance, reduce risk exposure, and protect long-term profitability.
Interested to understand OT and Cybersecurity impacts on your transaction and how how we can help you?
As of today, ettex has successfully delivered projects in Finland and Germany with Battery Energy Storage Systems (BESS) exceeding 50 MW output capacity. In these projects, we took responsibility for project management and partner coordination within the OT and cybersecurity, ensuring smooth collaboration across all stakeholders. Beyond organizational leadership, we directly implemented the cybersecurity measures, securing the systems against evolving threats and ensuring compliance with European standards. These experiences demonstrate our ability to manage complex, cross-border energy storage projects and provide end-to-end expertise from coordination to technical cybersecurity execution.
Our international experience ensures we can adapt to national frameworks while maintaining a consistent, high security baseline.
At ettex, we bring specialized OT and cybersecurity expertise to the BESS sector. We translate complex cybersecurity frameworks such as the EU NIS2 directive and is local adaptions as well as German KRITIS regulation into a practical system design with concrete requirements for both operators and system suppliers. We already developed a blueprint which may serve as a basis for fast implementation. This blueprint is aligned with ISO/IEC 27001 and state-of-the-art industrial cybersecurity practices, covering all critical areas — from secure network architecture and access control to incident reporting, audit readiness, and compliance testing.
Our teams pre-configure BESS systems at ettex so they are rapidly deployable on site, while a proven set of test cases validates cybersecurity compliance during commissioning. This ensures that every system not only runs reliably but also meets the strictest European regulatory and security standards and thus is certifiable.
Contact us for your tailored security solution. Whether you’re building, buying, or operating – we make your system secure by design and ensure management cybersecurity processes are in place.
As a result from our work you are well prepared for the evolving European cybersecurity landscape.
In Europe, Battery Energy Storage Systems (BESS) are subject to several cybersecurity regulations. The NIS2 directive sets security and reporting obligations for operators of essential and important entities, while the Cyber Resilience Act sets mandatory cybersecurity requirements for all products with digital elements placed on the European market. In Germany, BESS can also fall under the KRITIS regulation, where operators exceeding defined thresholds (e.g., storage capacity or grid relevance) are classified as critical infrastructure and face stricter cybersecurity obligations. Together, these frameworks ensure that both regular operators and critical infrastructure providers implement strong protective and reporting measures and follow a cybersecurity by design approach.
| Framework | Type of Threshold | Condition / Threshold | Relevance for BESS |
|---|---|---|---|
| EU NIS2 directive | Medium-sized enterprise | ≥ 50 employees or > €10m annual turnover (balance sheet ≤ €43m) | Medium BESS operators in the energy sector qualify as Important Entities. |
| Large enterprise | ≥ 250 employees or > €50m annual turnover (balance sheet > €43m) | Large BESS operators qualify as Essential Entities. | |
| Sector relevance (exceptions to size cap) | Even below size thresholds, entities may be designated as essential if their service is critical to energy security. | Smaller BESS operators can still fall under NIS2 if their storage service is deemed essential for grid stability or energy supply. | |
| Germany – KRITIS (BSI-KritisV) | Net nominal generation capacity | ≥ 104 MW net nominal capacity | Very large BESS systems that deliver energy at this scale are classified as critical infrastructure. |
| Primary frequency control (prequalified) | ≥ 36 MW prequalified for primary frequency control | Most utility-scale BESS meet this condition and therefore fall under KRITIS. | |
| Black-start capability | Designated black-start facilities may be classified as critical regardless of other thresholds | Certain BESS designed for black-start support could fall under this rule. | |
| Audit & compliance | Once classified as KRITIS | Operators must implement stricter cybersecurity measures and pass regular external audits. |
Note: The NIS2 directive is/must be transposed to national law of the respective EU member state. Thus, variations from the EU NIS2 directive may apply.
Cybersecurity should be addressed from the very start of a BESS project — already during planning and building permit applications, where requirements for physical and site security play a central role. By integrating both cyber and physical security early, critical aspects like access control, surveillance, and network protection are embedded into the design. This proactive approach ensures regulatory approval, smooth commissioning, and long-term resilience against threats.
Battery Energy Storage Systems are increasingly connected to the grid and enterprise IT systems. This exposes them to cyber threats such as ransomware, denial-of-service attacks, and supply chain compromises. The convergence of OT and IT in BESS requires specific protective measures including network segmentation, strict access control, and continuous monitoring.
SCADA systems control critical BESS functions such as power control and grid interaction. To secure them, operators should implement secure remote access solutions, intrusion detection systems (IDS), encrypted communications and the use of DMZ. Regular updates and vulnerability scanning are essential to maintain security over time.
OT (Operational Technology) cybersecurity protects the physical systems that control energy storage operations, such as batteries, inverters, and grid interfaces. IT (Information Technology) cybersecurity, on the other hand, secures the digital infrastructure—networks, software, and data—that supports business and communication functions. In energy storage, both must work together: OT ensures safe and reliable operations, while IT safeguards sensitive data and connectivity from cyber threats.
To defend against ransomware, operators should implement multi-layered protection:, dor example: managed firewalls, offline backups, multi-factor authentication and network segmentation. Business Continuity Managment inclusive Incident response plans must be developed tested regularly. All vendor-supplied systems should undergo a security review before integration.
Penetration testing identifies vulnerabilities that could be exploited by attackers. For OT/SCADA in BESS, it ensures compliance with frameworks such as SiKat, NIS2, and ISO 27001 while confirming that implemented controls are effective. Tests should be coordinated to avoid operational disruption.
