This working paper argues that the CPO-aggregator community node architecture designed in the fourth paper of this series, commercially bankable, grid-integration positive, and technically deployable under existing engineering standards, cannot achieve NIS2 compliance. Not because the architecture is insecure. Because NIS2 implementing guidance has not defined what compliance means for a combined charging point operator and licensed BESS aggregator operating shared physical infrastructure under a three-investor SPV structure. Six specific implementation gaps make compliance technically impossible, commercially unviable, or legally indeterminate for this entity type. Each gap is solvable through a named implementing act, network code amendment, or regulatory guidance document under existing EU legislative authority, without new primary legislation.

Using the Netherlands as the EU reference market and the community node architecture of Paper 4 as the design object, the paper specifies the complete cybersecurity architecture for the node using the Purdue Reference Model as the organising framework, quantifies the MadIoT systemic grid threat at four deployment scales against TenneT's published FCR market data, identifies five novel dual-use security properties of the drip-charging mechanism, maps six NIS2 regulatory gaps to their responsible actors and legislative vehicles, confirms the universal presence of all six gaps across six EU markets, and proposes a three-track implementation roadmap for regulatory action, technical deployment, and stakeholder engagement.

The paper makes six original contributions.

First, it identifies physical topology as the primary security design decision for distributed community energy infrastructure. The community node's single BESS grid-forming inverter, the node's sole interface with the MV grid, simultaneously concentrates the security boundary at one controllable hardware point and limits the maximum grid impact of any attack to the inverter's rated capacity of 500 kW, regardless of what occurs on the local bus. A compromised community node cannot impose more than 500 kW of demand on the MV grid. A compromised fleet of unmanaged individual chargers has no equivalent physical ceiling. This is the first explicit formulation of physical topology as a cybersecurity design principle for distributed community energy infrastructure in the published literature.

Second, it proposes a physics-based FCR dispatch validation framework applying four independent checks, power capacity, rate-of-change, real-time grid frequency cross-reference, and statistical dispatch pattern, to all FCR signals before execution at the OT layer. This framework provides a security validation layer that operates on the physics of the grid rather than on the authenticity of the signal, preventing legitimate-looking but malicious commands from executing even when the signing keys have been compromised. The framework and its four-check structure are original, with no prior equivalent in published literature.

Third, it identifies five cybersecurity properties inherent in the drip-charging mechanism that have not previously been recognised in the academic or policy literature: anomaly detection sensitivity amplification through a stable low-noise operational baseline; continuous inverter integrity verification through a persistent characteristic working-point signature; energy depletion attack resistance through a precisely known state-of-charge trajectory; MadIoT attack attenuation through the BESS buffer absorbing local demand spikes before the grid interface is engaged; and forensic self-evidence through a regular transaction rhythm whose gaps are automatically detectable as tampering. These properties are not designed-in security features; they are inherent consequences of stable, predictable continuous operation. The dual-use character of drip charging, simultaneously a grid integration tool and a security monitoring foundation, is identified as a design principle with implications for grid code and DSO connection agreement design beyond the community node architecture.

Fourth, it presents the first deployment-scale quantification of the MadIoT threat against community EV charging infrastructure, using TenneT's published FCR market data as the benchmark. The threshold finding: 100 community nodes, achievable within a single major Dutch city within a seven-to-ten-year deployment horizon, produce a simultaneous grid-facing demand of 50 MW, equivalent to approximately 45% of TenneT's total FCR obligation of 111 MW. At 10,000 nodes, one-third of the eventual Dutch deployment requirement at 40 to 50% fleet penetration, the trajectory TenneT's own 2030 demand projections already assume, simultaneous compromise produces 5 GW of demand, exceeding the Continental European FCR design contingency of 3,000 MW by 67%. This deployment scale falls within the EV demand growth trajectory that the ENTSO-E TYNDP 2026 National Trends+ central scenario incorporates as a structural driver of system needs, making the cybersecurity stress scenario this paper proposes a stress test on ENTSO-E's own primary planning baseline rather than an addition to a peripheral alternative pathway.

Fifth, it identifies six specific NIS2 regulatory gaps that prevent compliant deployment, each presented with a precise problem definition, the specific NIS2 article implicated, a named responsible actor, a named legislative vehicle, and a documented precedent. The six gaps are: the absence of a NIS2 compliance pathway for the CPO-aggregator entity type and the unspecified managed charging protocol baseline; the technical incompatibility between NIS2 Article 21(2)(h) encryption obligations and IEC 61850 GOOSE protection communication's 4 ms timing requirement; the absence of a vendor risk assessment methodology for distribution-connected grid-forming inverters; the inapplicability of standard IT penetration testing to live grid-connected BESS; the absence of any NIS2 framework for security obligations in multi-investor shared physical infrastructure; and the unresolved conflict between security validation architecture and grid emergency response obligations under FCR contracts. A six-market regulatory readiness assessment confirms all six gaps are present across the Netherlands, Germany, France, Belgium, Sweden, and Denmark, with two gaps, CPO-aggregator entity classification and multi-entity access control, absent without exception in every market assessed. Three instruments can resolve all six gaps without new primary legislation: the ACER Network Code on Demand Response for Gaps 1 and 5, ENISA NIS2 Article 21 implementing guidelines for Gaps 2, 3, and 4, and the ENTSO-E Emergency and Restoration Network Code combined with the ACER NC-DR security annex for Gap 6.

Sixth, it proposes a complete multi-entity access control framework for three-investor shared physical infrastructure, defining five operational domains with scoped access rights, dual-person rules for critical components, bilateral SPV security agreements, and a single access ledger held by the CPO-SPV as lead NIS2 entity. This framework has no equivalent in any existing regulatory standard. IEC 62443-2-4's multi-party provisions address a structurally different problem, one asset owner with multiple service relationships, and provide no mechanism for allocating incident responsibility, access control obligations, or compliance accountability across co-equal co-investors sharing physically co-located OT infrastructure. The community node multi-entity access control framework is identified as an original contribution to the security architecture literature with no direct regulatory precedent.

This is the fifth and concluding paper in the EU Grid Architecture Research Series. The first paper, The Urban Blind Spot: Aligning Electrification Ambition with Distribution Reality (Zenodo: https://doi.org/10.5281/zenodo.18999988), identified the structural reinforcement gap at the distribution layer of European electricity networks. The second paper, Sequencing Electrification Under Distribution Congestion (Zenodo: https://doi.org/10.5281/zenodo.19000382), proposed a modular capacity optimisation framework for distribution system operators managing accelerating electrification demand. The third paper, The Next Grid: Why Ukraine's Reconstruction Is the EU's Most Important Energy Policy Experiment (Zenodo: https://doi.org/10.5281/zenodo.19110430), demonstrated the commercial bankability of distributed architecture under extreme institutional conditions. The fourth paper, Charging Without Subsidy: How the CPO-Aggregator Framework Unlocks Community-Scale Distributed Energy Investment in Europe (Zenodo: https://doi.org/10.5281/zenodo.19219693), designed the three-investor community node architecture and demonstrated commercial viability without subsidy at current Dutch market prices.

This fifth paper completes the series' analytical arc: the architecture is commercially bankable, grid-integration positive, and genuinely securable. What prevents its deployment at scale is not technology, not commercial viability, and not security capability. It is a regulatory framework that has not been extended to cover the entity type this architecture creates. The distance from the current regulatory position to a framework in which the architecture can be deployed compliantly is not a research question. It is a drafting question, and the drafting authority already exists.
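The four-check FCR dispatch validation named in the second contribution can be sketched as follows; this is an added example, not the paper's implementation. Only the 500 kW rating comes from the abstract: the ramp limit, droop band, tolerance, z-score limit, sign convention (positive = injection to the grid) and all names are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

RATED_KW = 500.0       # inverter rated capacity stated in the abstract
MAX_RAMP_KW_S = 100.0  # assumed ramp limit, kW per second
NOMINAL_HZ = 50.0
FULL_ACT_HZ = 0.2      # assumed: full FCR activation at +/-200 mHz deviation
TOL_KW = 125.0         # assumed tolerance around the droop-expected response
Z_LIMIT = 4.0          # assumed outlier threshold for the pattern check
MIN_HISTORY = 10       # pattern check needs a baseline before it can judge

@dataclass
class Dispatch:
    t: float            # timestamp in seconds
    setpoint_kw: float  # commanded FCR power; positive = inject to grid

def expected_kw(measured_hz: float) -> float:
    """Droop response implied by the locally measured grid frequency."""
    frac = (NOMINAL_HZ - measured_hz) / FULL_ACT_HZ
    return max(-1.0, min(1.0, frac)) * RATED_KW

def validate(cmd, prev, measured_hz, residual_history):
    """Return the names of failed checks; execute only if the list is empty.

    Runs after signature verification and does not depend on it, so a
    command signed with a stolen key is still held to grid physics.
    """
    failed = []
    # 1. Power capacity: never beyond the inverter rating.
    if abs(cmd.setpoint_kw) > RATED_KW:
        failed.append("capacity")
    # 2. Rate of change: also rejects replayed or out-of-order commands.
    dt = cmd.t - prev.t
    if dt <= 0 or abs(cmd.setpoint_kw - prev.setpoint_kw) / dt > MAX_RAMP_KW_S:
        failed.append("ramp")
    # 3. Frequency cross-reference: command must match what the grid needs.
    residual = cmd.setpoint_kw - expected_kw(measured_hz)
    if abs(residual) > TOL_KW:
        failed.append("frequency")
    # 4. Dispatch pattern: residual must fit the recent accepted baseline.
    if len(residual_history) >= MIN_HISTORY:
        mu, sigma = mean(residual_history), pstdev(residual_history)
        if sigma > 0 and abs(residual - mu) / sigma > Z_LIMIT:
            failed.append("pattern")
    return failed

# Constructed sample: residuals (kW) of the last ten accepted dispatches.
HISTORY = [2, -3, 1, 0, -1, 4, -2, 3, -4, 1]
```

The pattern check scores the residual against the droop-expected response instead of the raw setpoint, so a genuine large frequency event is not flagged merely for being rare.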
Abhishek Arya
Federal Energy Regulatory Commission
Abhishek Arya (Sat,) studied this question.
synapsesocial.com/papers/69ccb78416edfba7beb898c3 — DOI: https://doi.org/10.5281/zenodo.19331390