
What the Cyber Resilience Act (CRA) means for Battery Energy Storage Systems (BESS) Manufacturers

Jun 03, 2026Digital & Product Solutions / Automotive / Cyber Security

The Deadline for the First Cybersecurity Regulation for BESS Is Approaching

Why Cybersecurity Matters for BESS

A Battery Energy Storage System is not just a battery. It is a software-driven, network-connected platform that controls the flow of megawatts in real time. Behind the cells sits a stack of digital systems: a Battery Management System (BMS) monitoring every cell's temperature and state of charge, an Energy Management System (EMS) deciding when to charge and discharge, an inverter controller interfacing with the grid, and a Supervisory Control and Data Acquisition (SCADA) or cloud platform that lets operators monitor and command the site remotely.
Each of these systems is a potential entry point for a cyberattack. And the consequences of a successful attack on a BESS are not limited to data loss or operational disruption. A compromised BMS that ignores thermal runaway warnings can lead to significant damage. A hijacked EMS that commands a large BESS to discharge at the wrong moment can destabilise grid frequency. A vulnerable inverter controller connected to the transmission network can be weaponised to inject disruptive power flows. The grid has traditionally been designed under the assumption that only a single major failure would occur at any given time. Historically, this approach was sufficient due to the low probability of simultaneous disruptions. However, the rise of cybersecurity threats has fundamentally changed the risk landscape.
The attack surface is real and growing. BESS deployments are scaling rapidly, driven by renewable energy targets, grid balancing needs, and falling battery costs. As capacity grows, so does the consequence of a breach. Regulators have taken notice.
A grid-connected BESS is not a passive infrastructure asset. It is a cyber-physical system and should be treated as one.

What is the CRA?

The Cyber Resilience Act (Regulation EU 2024/2847) entered into force on 10 December 2024. It is the EU's first mandatory horizontal cybersecurity law for products with digital elements, meaning any hardware or software product that connects, directly or indirectly, to a network or another device.
Its main obligations apply from 11 December 2027. But the first hard deadline arrives much sooner: from 11 September 2026, manufacturers must have an active vulnerability reporting process in place and be ready to notify ENISA, the EU's cybersecurity agency, within 24 hours of becoming aware of an actively exploited vulnerability in any product already on the market.
In parallel, the implementation of the NIS2 (Network and Information Security) Directive places increased responsibility on operators of essential and important sectors to ensure the cybersecurity and resilience of their own systems and supply chains. The CRA and NIS2 are therefore closely linked: under NIS2, operators are accountable for the security of the systems they deploy, while the CRA provides assurance that the products and digital components they procure meet harmonized cybersecurity requirements. Together, these regulations establish a stronger framework for ensuring secure and resilient products and systems across the European market.
Meeting and demonstrating compliance with the CRA requirements will become increasingly important, as manufacturers and operators must be able to prove that their products and systems meet the required cybersecurity standards throughout their lifecycle.

Not all BESS Components are Treated Equally

The CRA classifies each component of a BESS separately based on its core function. A single BESS site typically contains products across all four categories. Classification determines whether you self-assess, engage a notified body, or pursue full EU certification.
The Four Categories
What This Means in Practice
  • Most safety-critical BESS components, such as BMS firmware, inverter controllers, and OT firewalls, land in Class II. That means a notified body audit is mandatory regardless of which standards you apply. The evaluation examines your risk assessment, technical documentation, design records, and vulnerability handling process.
  • For smart meter gateways, the path leads to EUCC certification at the highest Common Criteria assurance levels.
  • For Class I products, the key is whether a harmonised standard has been applied. IEC 62443 and EN 18031 serve as the practical interim references while the EU finalises its 41 CRA-specific standards.
  • In this context, established industrial cybersecurity standards such as IEC 62443 remain highly relevant. While compliance with IEC 62443 does not replace the CRA requirements, it provides a well-recognized framework for secure development, system hardening, network segmentation, and operational cybersecurity practices. As a result, applying IEC 62443 can significantly support manufacturers and operators in demonstrating compliance and maturity during CRA conformity assessments.

How the IEC 62443 Standards Can Support Both CRA and NIS2 Compliance

IEC 62443 is the leading international standard series for Operational Technology (OT) and Industrial Automation and Control Systems (IACS). Originally developed for programmable logic controllers (PLCs) and traditional industrial control environments, it has evolved into a comprehensive cybersecurity framework for modern OT ecosystems. This makes it highly applicable to Battery Energy Storage Systems (BESS), where IT and OT increasingly converge.
A key strength of IEC 62443 is that it establishes a common cybersecurity language across the entire industrial value chain. It clearly defines roles and responsibilities for asset owners/operators, system integrators, maintenance providers, and product suppliers/manufacturers. This shared structure improves consistency in how cybersecurity requirements are specified, implemented, and verified across complex multi-vendor environments such as energy storage systems.
Because of this structured, lifecycle-oriented approach, IEC 62443 aligns strongly with the objectives of both the Cyber Resilience Act (CRA) (IEC 62443-4-1, IEC 62443-4-2, IEC 62443-3-3, and IEC 62443-2-4) and the NIS2 Directive (IEC 62443-2-1 and IEC 62443-2-4). Under NIS2, operators of essential and important entities are responsible for ensuring the security and resilience of their systems, including supply chain risk management. IEC 62443 supports this by providing well-defined processes for risk assessment, secure system design, segmentation, access control, and operational security management.

IEC 62443 Standard with Certification Scheme

For manufacturers, IEC 62443-4-1 is particularly important because it defines requirements for a Secure Development Lifecycle (SDL). This includes secure design principles, threat modeling, security testing, vulnerability management, patch handling, and security documentation. These topics strongly align with CRA obligations, especially the requirement to integrate cybersecurity throughout the entire product lifecycle. Implementing IEC 62443-4-1 can therefore help manufacturers demonstrate that cybersecurity has been systematically embedded into the development and maintenance process of BESS components such as BMS controllers, inverter firmware, EMS platforms, and communication gateways.
IEC 62443-4-2 complements this by defining technical security requirements for industrial components. It includes requirements for identification and authentication, role-based access control, secure communication, system integrity, audit logging, data confidentiality, and protection against malicious code. These controls directly support CRA expectations for secure-by-design products and resilient digital systems.
At the system level, IEC 62443-3-2 and IEC 62443-3-3 provide guidance for risk assessments and system security architecture. These standards introduce concepts such as security zones and conduits, allowing BESS operators and integrators to segment networks and isolate critical functions. In practice, this means separating critical OT assets such as battery controllers and SCADA systems from less trusted IT or remote access environments. Such segmentation significantly reduces the risk of lateral movement during a cyberattack and improves the overall resilience of the installation.
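The zone-and-conduit model described above can be made checkable. The following is an added example, not DEKRA's tooling or anything defined by IEC 62443 itself: it assigns constructed BESS hosts to zones, declares the permitted conduits between zones, and audits a set of constructed flows (as a firewall or NetFlow log would yield) so that any path from remote access or enterprise IT straight into the OT zone is flagged. Zone names, host names, ports and conduits are assumptions chosen for illustration.

```python
"""Zone-and-conduit policy check for a BESS site (added example; all values constructed)."""
from dataclasses import dataclass

# Constructed zone model: each host belongs to exactly one security zone.
ZONE_OF = {
    "bms-ctrl-01": "BESS_OT",
    "inverter-ctrl-01": "BESS_OT",
    "scada-hmi": "SCADA",
    "historian": "DMZ",
    "jump-host": "DMZ",
    "vpn-gw": "REMOTE_ACCESS",
    "corp-laptop": "ENTERPRISE_IT",
}

# Constructed conduits: (source zone, destination zone, destination port).
# Anything not listed is denied; remote users must terminate on the DMZ jump host.
CONDUITS = {
    ("SCADA", "BESS_OT", 502),       # Modbus/TCP from HMI to battery/inverter controllers
    ("BESS_OT", "DMZ", 4840),        # OPC UA telemetry pushed to the historian
    ("DMZ", "SCADA", 22),            # jump host -> SCADA engineering shell
    ("REMOTE_ACCESS", "DMZ", 22),    # VPN users land on the jump host only
    ("ENTERPRISE_IT", "DMZ", 443),   # IT reads dashboards from the DMZ
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def evaluate(flow):
    """Return (allowed, reason); unknown hosts are denied, intra-zone traffic is allowed."""
    if flow.src not in ZONE_OF or flow.dst not in ZONE_OF:
        return False, "unknown host, deny by default"
    sz, dz = ZONE_OF[flow.src], ZONE_OF[flow.dst]
    if sz == dz:
        return True, f"intra-zone traffic within {sz}"
    if (sz, dz, flow.dport) in CONDUITS:
        return True, f"permitted conduit {sz}->{dz}:{flow.dport}"
    return False, f"no conduit {sz}->{dz}:{flow.dport}"

def audit(flows):
    """Return the flows that violate the conduit policy, with the reason for each."""
    return [(f, evaluate(f)[1]) for f in flows if not evaluate(f)[0]]

# Constructed observed flows; three of them cross zones without a conduit.
SAMPLE_FLOWS = [
    Flow("scada-hmi", "bms-ctrl-01", 502),
    Flow("vpn-gw", "jump-host", 22),
    Flow("vpn-gw", "bms-ctrl-01", 502),            # remote user straight into OT
    Flow("corp-laptop", "inverter-ctrl-01", 22),   # enterprise IT into OT
    Flow("historian", "bms-ctrl-01", 4840),        # telemetry conduit used in reverse
]

if __name__ == "__main__":
    for f, why in audit(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst}:{f.dport}  ({why})")
```

The same check can be run periodically against exported firewall or flow records to confirm that the deployed segmentation still matches the documented zone model.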
Although compliance with IEC 62443 does not automatically guarantee compliance with the CRA, the standard provides a mature and internationally recognized framework that closely aligns with many CRA requirements. Organizations that implement IEC 62443 can significantly reduce the effort required for CRA conformity assessments by demonstrating established cybersecurity governance, secure engineering practices, documented risk management, and lifecycle security processes. As cybersecurity regulation continues to evolve within the European energy sector, IEC 62443 is expected to remain one of the key supporting standards for demonstrating cybersecurity maturity and regulatory readiness.

How to Prepare for Cyber Resilience Act Requirements?

Failing to comply with the EU Cyber Resilience Act requirements can come at a high cost. Non-compliance may lead to fines of up to €15 million or up to 2.5% of global annual turnover, whichever is higher. Beyond financial penalties, delays in aligning with the regulation can not only restrict market access but also damage brand trust.

DEKRA can Support Your Product Cybersecurity Journey:

  • CRA Trainings: built on hands-on technical expertise, our training programs help your team understand the regulation and develop a clear, actionable CRA readiness strategy.
  • CRA Evaluation Services: get well-structured evaluation services aligned with draft and harmonized standards, as well as other recognized frameworks mapped to the essential requirements of the regulation.
  • CRA Third-Party Assessment & Certification: at DEKRA, we will leverage our experience as a Notified Body to support our clients throughout the conformity assessment and certification process.
Not sure which class your BESS component falls into or what your conformity assessment involves? Get in touch with our experts.
References: Regulation (EU) 2024/2847 | Implementing Regulation (EU) 2025/2392 | NIS2 Directive (EU) 2022/2555