NIS2: What the New EU Cybersecurity Directive Means for PV and Storage Systems

NIS2 is an EU directive that defines binding minimum standards for cybersecurity. It aims to create a consistently high level of security across all member states and replaces the original NIS directive from 2016. It applies to medium sized and large companies in a total of 18 sectors including energy, water, transport, health care, public administration and various digital services.

NIS2 has been in force as an EU directive since January 2023 and must be transposed into national law by all member states. The deadline for this implementation was October 17, 2024. Each country implements the requirements through its own laws which may differ in detail but are all based on the same EU requirements.

No. Private owners of PV systems on residential buildings are not considered NIS2 entities. However, they benefit indirectly because manufacturers, energy suppliers and platform operators must meet higher security requirements such as secure cloud portals, encrypted communication and regular security updates.

As a rule, companies with at least 50 employees or more than 10 million euros in annual turnover or balance sheet total are classified as important entities if they operate in one of the NIS2 sectors. Essential entities start at 250 employees or significantly higher financial figures. In the energy sector, this can include for example municipal utilities, operators of large PV systems and storage systems or energy service providers.

Companies that fall directly under NIS2 must establish an information security management system for example according to ISO 27001 or in some cases IEC 62443. They must assess risks on a regular basis and implement technical and organizational security measures. They need processes for attack detection, clear responsibilities and defined reporting paths so that security incidents can be reported to the competent authorities within short deadlines. Senior management is explicitly responsible for ensuring that these requirements are implemented.

Smaller companies often fall below the formal thresholds and are therefore not directly in scope of NIS2. However, they can still be affected through the supply chain. NIS2 regulated customers will anchor security requirements in tenders and contracts. These may include evidence of cyber hygiene, patch management, access and backup concepts or certifications such as ISO 27001 or IEC 62443.

It is also possible that smaller installation companies provide services for larger companies that do fall under NIS2. In such cases, NIS2 requirements must be taken into account and implemented.

NIS2 looks not only at individual companies but at entire value chains. If you supply components or services to NIS2 entities, security requirements will be passed on to you. This includes clear processes for updates and backups, defined contacts for security incidents and, where required, contractual security service level agreements.

Certifications such as ISO 27001 or IEC 62443 are examples of information security that follows the state of the art. They help implement NIS2 requirements in a structured way and serve as clear evidence for customers, auditors and authorities. For installers and suppliers, such certifications can be a key criterion for being selected in sensitive projects and supply chains.

The extended Radio Equipment Directive introduces additional cybersecurity requirements for devices that use radio communication. From August 1, 2025, manufacturers of devices with wireless connectivity such as inverters with radio modules, smart meters or communication gateways must prove that their products protect networks, safeguard personal data and privacy and are protected against manipulation. Only compliant products may then be sold and installed in the EU. ETSI EN 303 645 has become an established certification basis in this context.

Installation companies must pay closer attention to which components they install and how they operate them. Key points are to plan and apply security updates consistently, avoid default passwords, choose secure portals and cloud platforms, define responsibilities in contracts and understand their own role in the NIS2 supply chain. Verifiable IT security can become a decisive advantage in tenders and for long term customer relationships.

End customers benefit from an overall higher level of security. Energy networks, platforms and cloud solutions must become more robust against attacks and manufacturers are required to use structured security management. For PV system operators this means better protection for data and system operation even if they themselves are not directly in scope of the directive.

NIS2 is EU law and applies directly only to companies with a registered office or site in an EU member state. Companies outside the EU that work for European customers or form part of their supply chain will often still need to meet similar security requirements, because NIS2 regulated customers pass these requirements on through contracts and project specifications.