Utilities are used to working in a heavily regulated environment and have long-standing relationships with their regulatory bodies. As they adopt AI-enabled digital flexibility solutions such as virtual power plants (VPPs), utilities now have to comply with a completely different set of regulations—and one that is constantly evolving.
Of course, all regulations are local, and the regulations a utility has to comply with are particular to its operating geography. Applicable regulations are many and varied. Still, several relevant regulatory trends are emerging across many geographies. Here are some major ones.
Data privacy — not to be overlooked
Abuses of personal data in social media, advertising and other online areas created a wave of consumer sentiment calling for increased data privacy regulations. Regulators around the world have responded by implementing more stringent data privacy regulations. These regulations generally cover the potentially very sensitive personal data collected by IoT devices.
VPPs that aggregate consumer distributed energy resources (DERs) inherently handle potentially sensitive personal data. For instance, behavioral demand response applications working with smart thermostats must account for customers’ comfort settings, which often reflect occupancy patterns and personal preferences.
Perhaps the most well-known data privacy regulation is the EU’s General Data Protection Regulation (GDPR). It has inspired data privacy regulations around the world. The GDPR, which took effect in 2018, imposes strict requirements on organizations that collect and process personal data. Since VPPs handle such data, their operators must comply with these regulations or face severe penalties.
One GDPR requirement is that organizations must implement appropriate technical and organizational measures to protect the personal data they process. Data protection authorities in EU countries have been active in enforcing the GDPR. For example, the Irish Data Protection Commission fined Meta (Facebook) €265m for a breach of personal data uploaded to a hacker forum.
AI — a rapidly expanding area for regulators
With the release of large language model-based AI systems such as ChatGPT, AI has finally caught the attention of both the public and corporations. This attention is not always positive—concerns about the accuracy, transparency, privacy, safety and bias of AI have run rampant. Regulators have moved with unusual speed to come up with regulations to address these issues.
As AI-enabled systems, VPPs and other flexibility applications are subject to these regulations. In fact, as systems controlling a piece of critical infrastructure, it’s not hard to predict that VPPs will be under particular regulatory scrutiny.
One recent high-profile AI regulation is the EU Artificial Intelligence Act (AI Act), which came into effect on August 1, 2024. Amongst its provisions is one that classifies AI systems into risk categories. Since a VPP affects the electrical grid and could affect people’s health and safety, it would most certainly be classified as a “high risk” system.
As such, VPPs will be subject to a number of requirements including bias safeguards, output interpretability, proper testing protocols, and continuous human monitoring. A notable requirement is appropriate data governance mechanisms to ensure the accuracy of the system. Violations of the data governance and transparency requirements could result in fines of up to 4% of a company's total worldwide annual revenue, up to €20m.
Cybersecurity — regulators react to cyberthreats to the grid
Regulators have been concerned about cyberthreats to grids for some time, but the recent spike in threats to the grid, plus the emergence of sophisticated nation-state-backed cybercriminals, has driven these concerns to a much higher level.
The EU NIS2 Directive (adopted October 17, 2024) covers utilities. A revamp of the earlier NIS Directive, NIS2 strengthens obligations around cybersecurity risk management. The many items covered include increased requirements for the cybersecurity of the supply chain for critical technologies, effective use of cryptography, and the adoption of “state of the art” cybersecurity measures. Non-compliance with NIS2 for “essential entities” such as utilities can result in fines up to €10m or 2% of annual revenue as well as sanctions on top management.
In the U.S., one major cybersecurity regulation governing utilities is NERC (North American Electric Reliability Corporation) Critical Infrastructure Protection (CIP). While NERC CIP is focused on traditional bulk electric systems, it does provide a guide to expectations for VPP cybersecurity. For example, NERC CIP requires documented programs for “information protection.” Violations of NERC CIP can reach up to $1m per day, and so far this year the largest penalty levied is $2.3m.
On the consumer side, a number of recent regulations cover cybersecurity for consumer IoT devices such as DERs. There is the EU Cyber Resilience Act (adopted on October 10, 2024) as well as the UK Product Security and Telecommunications Infrastructure (Product Security) regime (in effect April 29, 2024). The U.S. has a cyber trust labeling program for consumer IoT (released July 18, 2023), although it is currently voluntary. Although these regulations apply to IoT device manufacturers, utilities might want to take them into consideration when enlisting consumer DERs in VPPs.
Digital flexibility applications are a very important tool for decarbonizing the grid as well as increasing resilience and reducing costs. Since these applications are part of the critical energy infrastructure underlying our society, regulators should ensure that the proper policies are in place to facilitate their safe operation. As utilities continue to adopt these applications, even if they operate in geographies where a full regulatory regime is not yet in place, they should consider “future proofing” their applications by adopting compliance measures upfront rather than waiting to bolt them on afterwards.
Intertrust’s XPN™ (Explicit Private Networking) secure communications service includes a number of features that can help utilities comply with privacy and cybersecurity regulations. The next blog in this series will look at issues for the energy industry around standardization and interoperability and how XPN plays a role.
About Phil Keys
Phil Keys is a Director, Comms & Research for Intertrust Technologies. He is a veteran technology industry observer, marketer, connector, and writer based in Silicon Valley. In addition to 13 years of experience as a Silicon Valley Correspondent for Nikkei Business Publications, Phil has worked for technology companies in both the US and Japan. Phil has spoken publicly in events in Tokyo and Silicon Valley as well as moderated panels in Silicon Valley. He holds a B.A. from the University of California at Berkeley and attended International Christian University in Tokyo.