Review

Impact of EU Laws on AI Adoption in Smart Grids: A Review of Regulatory Barriers, Technological Challenges, and Stakeholder Benefits

by Bo Nørregaard Jørgensen 1, Saraswathy Shamini Gunasekaran 2 and Zheng Grace Ma 1,*

1 SDU Center for Energy Informatics, University of Southern Denmark, 5230 Odense, Denmark
2 Institute of Informatics and Computing in Energy, Universiti Tenaga Nasional, Kajang 43000, Malaysia
* Author to whom correspondence should be addressed.
Energies 2025, 18(12), 3002; https://doi.org/10.3390/en18123002
Submission received: 31 March 2025 / Revised: 28 May 2025 / Accepted: 4 June 2025 / Published: 6 June 2025

Abstract

This scoping review examines the evolving landscape of European Union (EU) legislation, as it pertains to the implementation of artificial intelligence (AI) in smart grid systems. By outlining the current regulatory landscape, including the General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act, the EU Data Act, the EU Data Governance Act, the ePrivacy framework, the Network and Information Systems (NIS2) Directive, the EU Cyber Resilience Act, the EU Network Code on Cybersecurity for the electricity sector, and the EU Cybersecurity Act, it highlights both constraints and opportunities for stakeholders, including energy utilities, technology providers, and end-users. The analysis delves into regulatory barriers such as data protection requirements, algorithmic transparency mandates, and liability concerns that can limit the scope and scale of AI deployment. Technological challenges are also addressed, ranging from the integration of distributed energy resources and real-time data processing to cybersecurity and standardization issues. Despite these challenges, this review emphasizes how compliance with EU laws may ultimately boost consumer trust, promote ethical AI usage, and streamline the roll-out of robust, scalable smart grid solutions. The paper further explores stakeholder benefits, including enhanced grid stability, cost reductions through automation, and improved sustainability targets aligned with the EU’s broader energy and climate strategies. By synthesizing these findings, the review offers insights into policy gaps, technological enablers, and collaborative frameworks critical for accelerating AI-driven innovation in the energy sector, helping stakeholders navigate a complex regulatory environment while reaping its potential rewards.

1. Introduction

Smart grids represent the next evolution of electrical power systems, combining advanced information and communication technologies with the traditional grid to enable two-way flows of electricity and data. Artificial intelligence (AI) is a key enabler in smart grids, offering capabilities such as predictive analytics for demand and supply, autonomous grid control, and optimized integration of renewable energy sources [1,2]. These innovations promise significant benefits in grid efficiency, reliability, and sustainability. However, the deployment of AI-driven solutions in smart grids also raises complex questions around data governance, cybersecurity, and compliance with regulatory frameworks, particularly in the European Union (EU), where a robust body of laws governs digital technologies and critical infrastructure [3].
The EU’s regulatory landscape, including the General Data Protection Regulation (GDPR) [4], the recently adopted EU Artificial Intelligence Act [5], the ePrivacy framework [6], the Network and Information Systems (NIS) Directive (now NIS2) [7], the EU Cyber Resilience Act (CRA) [8], the EU Network Code on Cybersecurity for the electricity sector (NCCS) [9], and the EU Cybersecurity Act [10], has a direct impact on the pace and manner of AI adoption in the energy sector [11,12]. On the one hand, these laws aim to protect consumers and ensure trustworthy AI; on the other, they may introduce compliance challenges and uncertainties that act as barriers to innovation. For example, the CRA will set cybersecurity requirements for products with digital elements, the NCCS addresses sector-specific cybersecurity rules for electricity, and the EU Cybersecurity Act provides a framework for certification, collectively shaping how AI solutions must be designed and operated in critical infrastructure contexts [13]. Understanding the interplay between EU regulations and AI-enabled smart grids is therefore critical for stakeholders aiming to harness AI for a more intelligent and secure energy system [14].
This scoping review examines the impact of EU laws on AI adoption in smart grids, with a focus on three research questions derived from current policy and research debates: (1) regulatory barriers—how EU legal and regulatory requirements might constrain or shape AI deployment in smart grid applications; (2) technological challenges—practical hurdles in implementing AI solutions (including data processing, cybersecurity, interoperability, and scalability issues) that often intersect with regulatory demands; and (3) stakeholder benefits—the advantages that utilities, consumers, and society stand to gain (such as improved grid stability, cost optimization, enhanced consumer trust, and supportive policy outcomes) when AI is effectively and compliantly integrated into smart grids. We pay special attention to geographical context, highlighting EU-wide trends as well as insights from individual member states where relevant (e.g., differing national approaches to smart meter rollouts or AI governance).
Following the Preferred Reporting Items for Systematic Reviews and Meta-Analyses extension for Scoping Reviews (PRISMA-ScR) guidelines, we conducted a broad survey of the literature to map the current state of knowledge on this topic. The goal is to synthesize findings from diverse sources, including technical studies, policy analyses, and case examples, to identify how EU regulatory frameworks influence AI innovation in the energy grid domain, what challenges persist, and how stakeholders can address them. By outlining the regulatory and technological landscape along with the observed or expected benefits, this review aims to inform practitioners such as grid operators, technology providers, and policymakers. It supports strategies that ensure compliance and security while fostering innovation toward smarter, greener, and more resilient power grids.
While this review focuses specifically on smart grids in the EU context, a comparative analysis of regulatory approaches in the United States and China for the energy sector more broadly has been addressed in a previous work by the authors [15]. That study highlights how the EU’s rules-driven and rights-based regulatory model differs from the US’s market-driven, sector-specific approach and China’s state-driven, centralized strategy. These global contrasts provide an important reference point for understanding the distinctive features of the EU’s AI governance framework in energy and underscore the diversity of regulatory trajectories shaping innovation internationally.
The remainder of the paper is organized as follows. Section 2 details the methodology, outlining the scoping review framework, search strategy, eligibility criteria, and data extraction process following PRISMA-ScR guidelines. Section 3 presents the results, categorizing findings into three core themes: regulatory barriers, technological challenges, and stakeholder benefits. Within regulatory barriers, we examine GDPR constraints on energy data, the implications of the AI Act for smart grid AI systems, cybersecurity obligations under the NIS2 Directive, and liability concerns. The technological challenges section discusses data management at scale, cybersecurity risks for AI-driven grid operations, interoperability limitations, scalability issues, and the need for explainable AI. The stakeholder benefits section highlights advantages such as improved grid stability, cost optimization, consumer engagement, and policy alignment with EU sustainability goals. Section 4 provides a discussion of key insights, policy implications, and recommendations for balancing AI innovation with regulatory compliance, emphasizing the need for standards, cross-sector collaboration, and knowledge-sharing mechanisms. Section 5 concludes the paper by summarizing findings, outlining future research directions, and highlighting the broader significance of AI adoption in smart grids within the evolving EU legal landscape.

2. Methodology

We adopted a scoping review approach to systematically map the literature on AI adoption in smart grids under EU regulatory conditions, guided by the PRISMA-ScR reporting standards for scoping studies [16]. The scoping review method was chosen due to the broad and interdisciplinary nature of the research question as well as the need to capture various types of evidence such as academic studies, technical reports, and legal analyses on the intersection of AI, smart grids, and EU laws.
Search strategy: We performed a comprehensive literature search in three major databases (Web of Science, Scopus, and IEEE Xplore) to identify relevant studies. The search covered publications from 2010 to early 2025, a period that captures modern smart grid initiatives and the emergence of key EU regulations such as the GDPR, adopted in 2016 and in force since 2018, and the AI Act, proposed in 2021 and adopted in 2024.
We used a set of keywords targeting three concept areas: smart grids, AI, and EU regulatory or legislative terms. An updated search string was (EU OR EUROPE OR European) AND (“smart grid*” OR “electricity grid*” OR “power grid*”) AND (“Artificial Intelligence” OR AI OR Privacy OR “General Data Protection Regulation” OR GDPR OR Cybersecurity OR “NIS2 Directive” OR “Cyber Resilience” OR “Network Code on Cybersecurity”). Similar queries were adapted for Web of Science and IEEE Xplore. We also performed manual searches on Google Scholar and reviewed references of key papers to find additional relevant literature, including policy white papers or standards documents not indexed in the primary databases.
Selection criteria: We included sources discussing smart grids and AI in the context of European or EU laws and regulations. These included peer-reviewed journal articles, conference papers, review papers, EU technical reports, and relevant legal or policy documents. We considered technical studies on AI applications in power systems with regulatory implications and policy studies on legislation relevant to smart grids or the energy sector. Each study had to address at least one key theme such as regulatory barriers, technological challenges, or stakeholder impacts in an EU context. We excluded studies on smart grids and AI that lacked EU-specific regulatory relevance, including those based entirely in other regions unless they offered a comparative perspective, and studies that focused only on technical algorithms without deployment context. Non-English articles were excluded unless a translation was available, as the EU legal and technical literature in this field is primarily in English. After removing duplicates, two reviewers screened titles and abstracts for relevance, followed by full-text screening based on these criteria.
Data extraction and synthesis: Academic sources were analyzed for conceptual or empirical contributions, while policy documents were examined for regulatory content; the synthesis identifies their respective roles to avoid conflating scholarly debate with legal mandates. For each included publication, we extracted key information using a structured form: bibliographic details, geographical focus in terms of EU-wide or specific member states, the EU laws or regulations mentioned, the context of AI application such as smart metering, grid management or demand response, the identified barriers or challenges, and the identified benefits or outcomes. We performed a thematic analysis, grouping findings into the three predefined themes of regulatory barriers, technological challenges, and stakeholder benefits. Within each theme, sub-themes emerged. For example, under regulatory barriers, specific laws such as the GDPR or the AI Act appeared. Under technological challenges, issues such as interoperability or cybersecurity were common. These themes structure the results section. Given the scoping nature of the review, we did not conduct a formal appraisal of study quality. We noted the type of evidence, such as conceptual analysis or empirical case study, to give readers a sense of the evidence base.
Review process: The search and screening process is summarized in Figure 1, following the PRISMA-ScR flow diagram convention. We identified a large number of records through database searches and additional sources. After removing duplicates, we screened abstracts and excluded those that were off-topic. We obtained the full text of the remaining articles to assess eligibility against the inclusion criteria. In some cases, full texts were unobtainable or in languages not covered, which were documented and excluded. Ultimately, a corpus of relevant studies was included for qualitative synthesis. We also performed a backward and forward citation check on these studies to ensure that key references were not missed.
The PRISMA-ScR flow diagram in Figure 1 summarizes the study selection process. A large number of records were identified from the databases and other sources, which were then narrowed down through duplicate removal, title/abstract screening, and full-text eligibility checks, resulting in the final set of included publications for review.

3. Results

After screening and selection, we included a diverse range of publications comprising technical research on smart grids, legal analyses, and interdisciplinary studies. The findings are organized under three main thematic categories aligned with the research questions. Within each category, we synthesize insights from the literature, highlight areas of consensus and divergence, and provide illustrative examples from specific EU member states where relevant.

3.1. Regulatory Barriers to AI Adoption in Smart Grids

3.1.1. Data Privacy and GDPR Compliance

A foremost regulatory consideration is the GDPR, which governs personal data processing in the EU. Smart grids, especially at the distribution level, generate vast amounts of data, such as high-frequency smart meter readings that can reveal household consumption patterns. Under the GDPR, such data qualify as personal data (when tied to an identifiable individual or household) and thus require rigorous protection and lawful processing bases [4,17,18]. Compliance with GDPR has been identified as a potential barrier or at least a significant overhead for AI systems in smart grids. For example, AI algorithms that forecast demand or detect anomalies may need access to granular consumption or prosumer generation data. Utilities must ensure that data is collected and processed with proper consent or other legal bases, implement privacy-by-design, and possibly perform Data Protection Impact Assessments (DPIAs) for novel AI deployments [19,20]. One critical issue is that outsourcing data analytics, e.g., to cloud AI providers, can raise questions of data control and cross-border transfers, which are tightly regulated by GDPR [21]. The responsibility for safeguarding consumer data often remains ambiguous when third-party AI analytics are involved, and privacy protections may be underprioritized during implementation unless explicitly mandated and enforced [21,22]. Several authors [3,18] stress that transparency with consumers about how their energy data are used is essential to maintain trust and comply with GDPR’s principles of lawful, fair, and transparent processing [23].
National implementations of GDPR principles have led to varied rollout strategies across member states, as illustrated by contrasting cases in Germany and Sweden.
European countries differ markedly in how well they integrate data protection (GDPR) compliance into smart grid systems. Northern and Western Europe generally have more advanced frameworks for privacy in energy data, whereas Eastern and Southern Europe face notable infrastructural and institutional challenges in this domain.
Countries like Germany and Sweden have established strong data governance strategies that facilitate GDPR compliance in smart grids. Germany has taken a cautious stance on smart meter data privacy from early on. In 2010, the German Data Protection Commissioners passed a resolution demanding a legal framework specifically for smart meter data collection and use, insisting on strict purpose limitations and transparency [24]. This emphasis on data protection contributed to Germany’s delayed smart meter rollout, as the national policy mandated privacy and security by design but initially lacked technical standards, causing slow adoption compared to other countries [24,25]. As of 2023 Germany’s smart meters were only ~1% deployed due to earlier legal hurdles, but new national data infrastructure (the AS4-based exchange) is being introduced by 2024 to modernize and streamline data access [26]. These efforts reflect well-defined strategies placing privacy-by-design at the core of smart grid digitalization. On the other hand, Sweden was among the first to fully roll out smart meters nationwide and achieve near-full rollout by 2014 [26], indicating a more rapid embrace of smart metering technology [24].
Contrary to Western Europe, many Central and Eastern European (CEE) countries lag behind in deploying smart, privacy-compliant energy grids [27]. Smart metering infrastructure, a backbone for AI-driven, data-intensive smart grid management, remains underdeveloped in much of Eastern Europe [27]. The Western EU averages above 90% smart meter penetration, whereas several CEE countries are mostly below 20% [27]. For example, as of 2023, Romania had only ~16% smart meter coverage and Bulgaria had no mandated rollout at all; although ~34% of its meters have some remote-read capability, they do not meet EU smart meter standards and no unified national plan exists [27].
In general, Eastern European DSOs still lack the technical maturity to implement GDPR’s “privacy by design” at scale, often because they rely on legacy metering systems that cannot support fine-grained, secure data processing [28].
In Southern Europe, the picture is mixed. Italy stands out for its significant progress in smart grid data management and privacy compliance. Thanks to an early and aggressive smart meter program, Italy has reached about 98% smart meter coverage [26]. It pioneered a national energy data hub, the Sistema Informativo Integrato (managed by Acquirente Unico), which serves as a centralized platform for sharing electricity consumption data among DSOs, retailers, and consumers under standardized privacy protections [26]. This hub (along with utility-led initiatives like e-distribuzione’s data platform) exemplifies privacy-conscious design, ensuring that energy usage data are handled transparently and in line with GDPR requirements. Italy’s experience shows that investment in digital infrastructure and clear governance can bolster compliance even in a decentralized energy system. However, while Italy’s national policies and primary DSO have elevated GDPR standards, compliance levels vary regionally; smaller municipal utilities in less-developed regions may struggle to meet the same data protection and cybersecurity benchmarks.
Similar patterns appear in other Southern European countries; for example, Spain has near 100% smart meters with a national data portal (Datadis) [26], whereas Greece until recently had under 10% rollout and suffered delays in its national smart meter tender [29]. Such unevenness in infrastructure and institutional effectiveness means GDPR compliance in the energy sector is not uniformly achieved, even within a given country.
These examples show that GDPR and national privacy requirements affect not only how AI is implemented but also whether enabling infrastructure such as smart meters is deployed at scale. GDPR compliance is now a baseline condition for any AI used in the EU’s energy sector. Solutions like anonymization or pseudonymization of data, edge computing to process data locally, and federated learning to train AI models across distributed datasets without centralizing personal data are being explored to balance data-driven innovation with privacy protection [12,30]. Despite concerns, it is worth noting that privacy regulation can also be an enabler in the long run; by establishing clear rules, it can increase consumer confidence. Indeed, a recent German survey found that 76.4% of households have significant privacy concerns about smart meter data, yet providing clear information on data handling can mitigate aversion to smart grid programs [31]. In other words, strong privacy frameworks, if well-implemented, may build consumer trust, which is crucial for the acceptance of AI-driven services.

3.1.2. EU Artificial Intelligence Act (AI Act)

The EU’s AI Act, finalized in 2024, introduces a risk-based regulatory framework for AI systems. Many AI applications in critical sectors are classified as high-risk (i.e., systems used in critical infrastructure, with potential to cause significant harm if malfunctioning) and must meet strict requirements including risk assessments, high-quality datasets, logging, transparency, and human oversight [5,11,32,33,34]. Energy has explicitly been listed: Annex III of the AI Act designates AI systems intended to be used as safety components (i.e., AI systems essential to the safe operation of energy infrastructure) in the management of critical infrastructure (including electricity) [35]. Smart grid AI applications such as real-time grid control, distributed energy resource management, and energy trading algorithms likely fall under this category [32,36,37]. The regulatory barrier is twofold. First, compliance with the AI Act requires significant effort and cost. Companies must implement risk management systems, ensure transparency such as explainability of AI decisions affecting the grid, and complete conformity assessments or documentation that can be resource-intensive. One analysis estimates that the annual compliance cost per high-risk AI system for an energy company could be on the order of tens of thousands of euros [36,38]. For instance, Heymann et al. (2023) found that to offset the highest compliance costs of the AI Act in electricity markets, an AI system would need to improve profit margins by around 10%, a non-trivial benchmark [36]. This raises concerns that smaller utilities or innovators might delay or abandon AI solutions due to the added burden, potentially slowing adoption. Second, the AI Act as adopted does not provide sector-specific guidance for how its requirements apply to energy systems [35,38,39]. Researchers note ambiguity in definitions, e.g., what exactly counts as an AI “safety component” in a smart grid context? Volkova et al. (2024) argue that the Act’s general wording leaves room for interpretation, which could lead to inconsistent application or uncertainty for grid operators [34]. They underline the current shortcomings of the AI Act for critical infrastructure, suggesting that additional sectoral guidelines or delegated acts are needed to clarify how smart grid AI can comply without stifling innovation [35]. In response to such concerns, the European Commission and industry task forces are expected to develop implementing acts or standards specific to high-risk AI in energy [11,40].
Until then, the AI Act reflects a cautious approach. It is likely to slow the deployment of unproven AI systems (systems not yet validated through regulatory review or lacking sufficient field deployment evidence) by imposing upfront checks, but it aims to prevent incidents that could reduce societal trust in AI. Stakeholders generally recognize the need for responsible AI in grids, aligned with the principles of human oversight and safety that the Act aims to uphold [33,36]. The compliance burden of the AI Act may disproportionately affect startups or smaller utilities lacking legal and technical capacity, potentially driving innovation offshore to jurisdictions with less stringent requirements. This raises the risk of regulatory arbitrage and underscores the need for support mechanisms such as compliance toolkits or regulatory sandboxes tailored to energy-sector AI developers. Hence, the challenge lies in balancing these protective measures with the agility required for technological progress in the fast-evolving energy domain.

3.1.3. Data Sharing and Governance

In addition to data protection and AI-specific legislation, the European Union has enacted two foundational instruments to address the fragmentation and underutilization of industrial and public-sector data across the internal market: the Data Governance Act (DGA) and the Data Act. These instruments aim to create a coherent framework for data availability, access, and reuse, which holds particular relevance for AI deployment in smart grids. The DGA, applicable since September 2023, establishes a governance model to facilitate trusted data sharing through neutral data intermediaries, encourage data altruism, and support the formation of common European data spaces, including one for the energy sector [41,42,43]. It introduces safeguards for voluntary data sharing, while promoting interoperability and harmonized practices across Member States [44].
Complementing this, the Data Act, adopted in 2024 and entering into application in September 2025, introduces mandatory obligations for data holders to make data generated by connected devices and related services accessible to users and, upon their request, to third-party service providers [45]. This includes data generated from energy IoT devices, such as smart meters or grid-connected appliances, and applies irrespective of whether the data are personal or non-personal. Notably, the Data Act establishes a framework for business-to-government data access for public interest purposes and provides for the introduction of common standards and interoperability requirements where market-driven standardization fails [46]. Together, these regulations represent a paradigmatic shift from a policy regime focused on data protection alone to one that equally prioritizes data accessibility and reusability under lawful and secure conditions.
The implications of these instruments for AI adoption in smart grids are substantial. AI systems in this context are highly dependent on access to granular, high-quality, and context-rich datasets. Historically, such data have remained siloed across DSOs, TSOs, device manufacturers, and service providers, inhibiting the scalability and generalizability of AI applications. The DGA and Data Act provide the legal foundation to dismantle these silos. Under the Data Act, for instance, a consumer may request that their smart meter data be shared directly with a third-party energy management service via standardized interfaces [45]. This facilitates greater participation of AI developers and service innovators in the energy market, democratizing access to data previously monopolized by incumbents.
Moreover, the DGA’s promotion of energy data spaces serves to institutionalize mechanisms for cross-sectoral and cross-organizational data exchange. These shared spaces, underpinned by common rules and technical specifications, are designed to allow actors such as DSOs and TSOs to federate their data resources for mutual benefit without relinquishing control over their data assets [42]. This is especially pertinent for the training of AI models that require heterogeneous data from multiple geographical and operational contexts. The European Commission has acknowledged this potential, explicitly linking data sharing initiatives to the advancement of AI in strategic sectors, including energy [43]. Horizon Europe has funded several projects to prototype federated and interoperable data infrastructures tailored for energy AI applications.
Nevertheless, the implementation of the DGA and Data Act introduces significant operational, legal, and organizational challenges. From an operational standpoint, compliance with the new rights and duties—such as setting up secure APIs, logging mechanisms, and data request portals—will impose costs, particularly on small and medium-sized DSOs or municipal utilities lacking digital maturity. Legal uncertainty also persists regarding the interaction between these horizontal data laws and existing sector-specific regulations, such as those found in the Electricity Directive or in national regulatory frameworks. The precise delineation of data access rights, especially concerning data generated in regulated markets, remains unsettled [45].
This ambiguity is compounded by concerns over data sovereignty. While the regulations aim to encourage data sharing, they concurrently emphasize keeping critical infrastructure data within European jurisdiction. This could restrict the ability of grid operators to outsource AI analytics to global cloud providers, unless these providers meet stringent localization and compliance requirements. At a systems level, the heterogeneity of data formats, legacy infrastructure, and varying levels of digitalization across Member States means that technical interoperability remains a substantial barrier. As the solar energy industry has noted, the lack of harmonized interfaces and standards risks entrenching national fragmentation and limiting the EU-wide scalability of AI solutions [47].
From a regulatory and technical perspective, privacy and cybersecurity requirements remain binding, irrespective of the increased availability of data. AI developers and grid operators must ensure that all data processing adheres to GDPR principles, even when such processing is mandated or enabled by the Data Act. This regulatory layering necessitates a multi-faceted compliance approach. Privacy-preserving machine learning techniques, such as federated learning and secure multi-party computation, are gaining traction as viable strategies to reconcile the demands of data accessibility with privacy and data sovereignty concerns.
Despite these constraints, the DGA and Data Act offer significant opportunities to reconfigure the smart grid data ecosystem in ways that are more conducive to AI innovation. The Commission is actively preparing implementing acts under the Data Act to specify the technical modalities of data sharing, including common formats and model contractual clauses [46]. In parallel, the DGA supports the establishment of data altruism organizations and sectoral governance bodies to coordinate the energy data space [41]. These developments are expected to facilitate the growth of federated data architectures where data remain under decentralized control but can be accessed or queried under standardized, secure protocols.
DSOs and TSOs, in this evolving landscape, assume new roles as data stewards and curators, responsible not only for grid stability but also for enabling lawful and efficient data flows. AI developers are increasingly required to engage with standardization initiatives and compliance processes, shifting their role from tool providers to co-governors of digital infrastructure. Regulatory bodies, both at the EU and national levels, are adopting facilitative postures, exploring instruments such as regulatory sandboxes to test the real-world impact of these new data rights and obligations before full enforcement [46].

3.1.4. ePrivacy Regulation and Communications Data

In parallel to GDPR (which covers general personal data), the EU has long had an ePrivacy Directive regulating privacy in electronic communications. Many smart grid functions rely on communication networks (for instance, smart meters sending consumption data via telecom networks, IoT sensors communicating outages, etc.). The ePrivacy Regulation was a proposed update intended to complement the GDPR by specifically protecting the privacy of electronic communications data (metadata, device data, etc.), potentially impacting how utilities and service providers handle smart meter telemetry or control signals. However, as of early 2025, the draft ePrivacy Regulation has faced political deadlock. Notably, the European Commission announced plans to withdraw the proposal due to lack of consensus [48,49], meaning the current ePrivacy Directive (2002/58/EC) remains in force alongside national laws. This regulatory limbo can be seen as a barrier insofar as it creates uncertainty: companies are unsure if more stringent rules on, say, smart meter data analytics or direct marketing to consumers will come into play. Under the current framework, if a distribution system operator or third-party energy service provider uses telecommunications to transmit user data or control signals, they must comply with confidentiality of communications and may need user consent to access terminal device data according to interpretations of ePrivacy rules. For instance, using smart meter data beyond billing, such as for AI-driven personalized energy advice, may require additional consent under ePrivacy-like provisions, even if GDPR obligations are fulfilled. The withdrawal of the new ePrivacy Regulation delays a unified update that could have clarified these rules for IoT and smart grids, leaving stakeholders to navigate a fragmented set of telecom privacy laws [22]. In summary, although GDPR receives the most attention, sector-specific privacy constraints under ePrivacy are also important. 
Uncertainty about its future has been identified as a factor that could slow the deployment of communication-dependent AI functionalities such as demand response signals or home energy management systems that may be classified as electronic communications. Future initiatives or national measures are expected to continue emphasizing respect for customer consent and privacy preferences in smart grid services, reinforcing the importance of privacy-by-design in AI solutions [18].

3.1.5. Cybersecurity Directives (NIS, NIS2, CRA, NCCS, Cybersecurity Act)

Smart grids are part of critical national infrastructure, and their digital components such as sensors, controllers, and AI algorithms are subject to cybersecurity regulations. The EU’s Network and Information Systems Directive (NIS Directive, 2016) and its successor, NIS2 Directive, impose security obligations on operators of essential services, including electricity grid operators. In addition to these directives, the proposed EU Cyber Resilience Act (CRA) seeks to establish unified cybersecurity requirements for products with digital elements, ensuring that hardware and software used in critical infrastructures, including smart grids, adhere to baseline standards of cyber hygiene [8,40]. Meanwhile, the EU Network Code on Cybersecurity for the electricity sector (NCCS) provides sector-specific rules and technical guidance for ensuring a high level of cyber resilience across energy systems [50]. The EU Cybersecurity Act complements these efforts, as it introduced a European cybersecurity certification framework, potentially covering AI components used in smart grids [10].
Under NIS/NIS2, DSOs, TSOs (transmission operators), and other energy companies must implement risk management measures, report significant cyber incidents, and ensure supply chain security. The adoption of AI in grid operations potentially expands the attack surface of the electricity network [3,13,51], introducing new vectors, such as data poisoning attacks on AI models and vulnerabilities in IoT-based control, that need to be managed. Thus, compliance with NIS2 can be considered a barrier if AI systems are not built with robust cybersecurity. NIS2, which member states must transpose by 2024, is more prescriptive and broader in scope than its predecessor [52]. It extends security requirements to a wider set of entities and includes supply chain and vendor management, meaning if a utility deploys AI software from a third party, it must ensure that the vendor also meets certain cybersecurity standards. For AI developers looking to serve the energy market, this raises the bar: they may need to undergo security audits or certifications. The literature points out that unclear allocation of cybersecurity responsibility can be an issue in smart grids [53,54]. For instance, who is accountable if an AI-driven voltage control system is compromised: the grid operator or the AI provider? Liability in such cases may fall under cybersecurity regulations and general tort law, but it is an evolving area. Overall, NIS2 acts less as a roadblock and more as a necessary checklist: AI solutions for smart grids must incorporate strong encryption, authentication, anomaly detection, and resilience measures to comply. Some authors propose aligning AI governance with cybersecurity governance. They suggest that certification schemes under the forthcoming EU Cybersecurity Act could be extended to include AI components used in critical sectors [7,51,55,56].
In practice, regulatory enforcement of NIS2 will prompt stakeholders to invest in the cybersecurity of AI, which may delay deployment timelines to strengthen systems but will result in safer outcomes. The impetus is clear. High-profile cyberattacks, including those on Ukraine’s grid and ransomware incidents in Europe, have demonstrated the severity of the risks [13,52]. In response, regulators via NIS2 demand a “security-by-design” mindset, so any AI adoption plan must be entwined with a cyber risk mitigation plan. Similarly, the CRA and the NCCS signal further emphasis on integrated cybersecurity requirements, ensuring that both products and operational practices in the electricity sector meet elevated security standards.

3.1.6. Liability and Accountability Issues

A recurring regulatory concern is how liability is determined if an AI system in a smart grid causes harm, such as an algorithmic decision resulting in a power outage or equipment damage. Traditional legal frameworks based on product liability or negligence were not designed to address autonomous AI decisions. The EU has recognized this gap: Alongside the AI Act, it had proposed an AI Liability Directive to ease the burden of proof for victims in cases of AI-caused damage. However, as with ePrivacy, the AI Liability proposal has been put on hold for now [49]. In the absence of AI-specific liability law, operators must navigate existing rules. This uncertainty can be seen as a barrier: utilities may be hesitant to entrust critical operations to AI if it is unclear who bears the risk of failure. If a blackout results from a faulty AI prediction, the operator may face regulatory penalties for breaching reliability standards and civil claims from affected parties. The operator might then seek to recover losses from the AI vendor. However, proving that the AI was defective or that the vendor was negligent is difficult due to the complexity of the system; this issue is often referred to as the “black box problem” in AI and liability [11,38]. Scholars argue that the lack of clear liability frameworks slows innovation, as companies might limit AI use to advisory roles rather than fully autonomous control to keep a human in the loop as a legal safeguard. The literature notes efforts to increase accountability of AI. For instance, Volkova et al. propose formalizing the concept of AI accountability in smart grids, linking technical risk assessments to responsible parties at each phase [34]. This approach could inform future regulations or standards, ensuring that for every AI decision, it is known whether the operator, the software provider, or another entity is answerable if something goes wrong.
On the regulatory front, the EU did propose to update the Product Liability Directive in 2023 to explicitly include software and AI, which, if passed, will mean that AI developers can be held liable for the defective outcomes of their products even when embedded in larger systems [11]. Until these rules are fully developed, stakeholders manage risks through contracts such as service-level agreements and liability clauses between utilities and AI vendors [34,38]. In summary, the perceived liability risk is a barrier that might slow down AI adoption or keep humans in the loop to an extent that limits AI’s potential. Clearer rules, either through legislation or case law precedents, will likely be needed to give stakeholders confidence. The withdrawal of the dedicated AI Liability Directive [49] delays legal clarity at the EU level, increasing the importance of interim measures such as rigorous testing, detailed documentation to support algorithmic transparency for post-incident analysis, and insurance solutions to cover AI-related incidents.

3.1.7. Burdens of Compliance Costs and Delays from Regulatory Obligations

The implementation of data protection and AI-specific regulations such as the GDPR and the proposed AI Act introduces substantial financial and temporal burdens for organizations, particularly small and medium-sized enterprises (SMEs), seeking to adopt AI and IoT solutions in Building Energy Management Systems (BEMS).
Compliance with the General Data Protection Regulation (GDPR) has resulted in considerable recurring expenses. Globally, 88% of companies report spending over USD 1 million annually to meet GDPR requirements, and 40% exceed USD 10 million per year [57]. A 2018 analysis found that the average yearly costs for GDPR compliance were around USD 1.3 million, including audits, hiring data protection officers (DPOs), and extensive documentation efforts [58]. While large enterprises can absorb these expenditures, SMEs often face significant strain [58]. A simulation study showed that doubling fixed compliance costs could transform a startup’s profit margin from +13% to −7%, illustrating the heightened vulnerability of smaller firms [59].
Data Protection Impact Assessments (DPIAs) are required for high-risk data processing, which is common in smart buildings that handle personal occupant data. DPIA costs vary significantly: Simple internal assessments may cost around EUR 900, whereas complex cases involving external consultants can reach EUR 30,000 [60]. Most in-house DPIAs typically cost several thousand euros. For small firms, a basic DPIA costing EUR 700 to EUR 2200 may represent up to 40% of their annual IT budget [60]. These costs must be incurred prior to deploying AI or IoT technologies that process personal data.
Delays are similarly common in GDPR compliance. DPIAs that are not initiated early can postpone or even suspend new data-processing activities [60]. Privacy officers report that late-stage DPIA planning often results in urgent corrective actions or deployment halts [60]. Such setbacks may translate to lost energy savings while smart building projects are on hold. In severe cases, regulatory uncertainties have obstructed research [58].
The proposed EU Artificial Intelligence Act introduces additional financial overheads for high-risk AI systems, a category likely applicable to advanced BEMS analytics. According to the European Commission’s impact assessment, compliance would increase the development cost of each high-risk AI system by approximately 17% [61]. For an AI solution with a base cost of EUR 170,000, this equates to an estimated one-time compliance cost of EUR 29,000, covering tasks such as data quality assurance, documentation, and human oversight [62]. Annual maintenance costs are projected at EUR 11,000 per system [62]. However, cost reductions through operational learning and process standardization could reduce unit compliance costs by 36% by 2025, bringing the average cost down to around EUR 18,600, or 11% of project costs.
Additional regulatory requirements include mandatory conformity assessments and security certifications. Under the AI Act, EU-type examination for high-risk AI systems is estimated to cost between EUR 16,000 and EUR 23,000 per system, representing 10–14% of development costs [62]. Setting up a quality management system (QMS) for compliance introduces further costs, with initial implementation ranging between EUR 193,000 and EUR 330,000 and annual maintenance at EUR 71,000 [62]. Although a QMS can cover multiple systems, the upfront cost remains substantial. Similarly, under the EU Cybersecurity Act, high-assurance certifications are expensive. Fragmented national schemes have historically created duplicate certification requirements. For example, smart metering certifications in Germany have cost up to EUR 1 million, posing barriers for smaller companies [63]. The EU Cybersecurity Act seeks to reduce such inefficiencies through a unified EU-wide certification framework.
Regulatory compliance also results in significant delays to market entry. The AI Act mandates conformity assessments for high-risk systems, which introduce pre-launch delays. The EU’s impact assessment highlights a shortage of notified bodies authorized to certify such systems, suggesting that certification processes could become bottlenecks, delaying deployments by several weeks or months [62].
Regulatory implementation is often slowed by internal governance challenges. According to a 2022 IoT industry survey, 81% of solution providers identified siloed decision-making between IT and compliance teams as a key factor delaying IoT project rollouts [64]. Smart building deployments often require coordinated legal, cybersecurity, and operational assessments, lengthening timelines. SMEs, in particular, face extended lead times, as they frequently need to establish compliance infrastructure, including legal reviews and security protocols, not previously required in less regulated contexts.

3.1.8. Impact of EU Laws on AI Adoption in Smart Grids

The EU’s regulatory barriers present a double-edged sword for AI in smart grids. They introduce safeguards that protect personal data, ensure AI safety, enhance cybersecurity and clarify accountability, aiming to enable sustainable and trustworthy AI adoption [22]. However, in the short term, they may slow deployment, raise compliance costs, and create uncertainty. A recurring theme in the literature is the need for guidance and dialog. Regulators must offer clearer interpretations, such as how GDPR applies to specific smart grid use cases or how to comply with the AI Act with minimal bureaucracy. At the same time, the industry should engage in standard-setting by developing codes of conduct or technical standards that align with regulatory expectations. Coordination bodies like the EU Smart Grids Task Force have been advising on these issues, including how to achieve interoperability and cybersecurity in line with legislative requirements [43]. The Task Force’s work on standards and data interoperability contributed to Commission regulations, such as the 2023 Implementing Regulation on interoperability of smart metering data. This illustrates that regulatory barriers can be reduced when technical standards align with legal expectations. Looking ahead, continued international cooperation and anticipatory regulation will be essential to balance innovation with protection in the European smart grid landscape [3].
Table 1 below provides an overview of the primary EU laws regulating AI in the electricity sector, outlining each legislation’s scope, key requirements, and specific impacts on smart grid deployments. As discussed in the previous sections, these legal instruments range from data protection (GDPR) and risk-based AI governance (AI Act) to cybersecurity obligations (NIS2, CRA, NCCS) and ePrivacy considerations, collectively shaping how AI solutions must be designed, tested, and operated in critical infrastructure contexts.

3.2. Technological Challenges in Implementing AI for Smart Grids

Beyond the text of laws and regulations, there are intrinsic technological hurdles in deploying AI in power grids at scale. These challenges often intertwine with regulatory issues. For instance, a technical shortcoming in data management might lead to non-compliance with GDPR, or a cybersecurity gap might violate NIS2. Addressing these challenges is critical for AI adoption to be feasible and beneficial [65]. The scoping review identified several major technical themes, which can be found below.

3.2.1. Data Management and Processing at Scale

Smart grids generate large volumes of data. Millions of smart meters, network sensors, and IoT devices stream high-frequency data on electricity consumption, generation, voltage, and frequency. AI systems depend on such data, but managing their volume and speed is a complex task [66]. A common challenge cited is ensuring data quality, availability, and integration for AI algorithms [67,68,69]. Many utilities maintain legacy data silos such as separate systems for meter data, SCADA telemetry, and outage management, which must be integrated before AI can generate holistic insights. In addition, AI techniques like deep learning typically require large training datasets. In the energy context, assembling such datasets may be limited by privacy constraints, since not all data can be freely shared, and by high computational requirements [14]. Real-time AI applications like autonomous grid balancing demand low-latency data processing, sometimes at the grid edge. This has led to interest in edge computing and distributed AI within the grid. For example, instead of sending all customer data to a central cloud for analysis, raising bandwidth and privacy issues, algorithms can be deployed on local devices or substations to process data on-site and only send aggregated insights. Techniques such as federated learning have been proposed for smart grids [12], enabling AI models to be trained across decentralized datasets, such as those held by multiple utility companies, without exposing raw data. While promising, these techniques are still maturing and introduce complexity in coordination and consistency of AI models. Other key aspects are data accuracy and preprocessing. Energy data may include errors, missing values, or anomalies caused by faults or attacks, which can distort AI predictions. Robust preprocessing, such as filtering poor-quality data and imputing missing values, is essential.
From a regulatory perspective, GDPR requires data minimization, challenging AI developers to deliver the same performance using fewer personal data or anonymized data, which may affect accuracy. Ongoing research in privacy-preserving AI for smart grids explores solutions such as synthetic data and encryption techniques to address these challenges [69]. Lastly, data ownership and sharing between stakeholders is a challenge: for instance, AI for regional grid optimization might need data from multiple utilities and customers. Policies like the EU’s Data Governance Act and forthcoming Data Act are encouraging data sharing in sectors like energy, but technical platforms and agreements must follow. In summary, managing big energy data in line with technical and legal requirements is a foundational challenge that must be solved for AI to deliver value.
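The federated learning approach described in this section, sketched as an added example (not code from the reviewed literature): three hypothetical utilities fit a shared load-forecast model while the coordinator receives only model weights and sample counts. The site names, the samples, and the choice of a linear model are constructed for illustration.

```python
"""Federated training of a load-forecast model across three utilities.

Added example. Site names and samples are constructed: each sample is
(normalised temperature deviation, load in MW) and never leaves its site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModelUpdate:
    """The only message a site sends: model weights and a sample count."""
    slope: float
    intercept: float
    n_samples: int


# Constructed private datasets, one per hypothetical utility.
SITES = {
    "dso_north":   [(-1.0, 3.1), (-0.8, 3.3), (-0.6, 3.9), (-0.4, 4.1)],
    "dso_central": [(-0.2, 4.7), (0.0, 5.0), (0.2, 5.3)],
    "dso_south":   [(0.4, 5.9), (0.6, 6.1), (0.8, 6.7), (1.0, 6.9)],
}


def local_train(slope, intercept, samples, lr=0.5, local_steps=1):
    """Gradient descent on one site's data, starting from the global model."""
    n = len(samples)
    for _ in range(local_steps):
        errors = [(slope * x + intercept - y, x) for x, y in samples]
        slope -= lr * sum(e * x for e, x in errors) / n
        intercept -= lr * sum(e for e, _ in errors) / n
    return ModelUpdate(slope, intercept, n)


def federated_average(updates):
    """Coordinator step: average the weights, weighted by sample count."""
    total = sum(u.n_samples for u in updates)
    slope = sum(u.slope * u.n_samples for u in updates) / total
    intercept = sum(u.intercept * u.n_samples for u in updates) / total
    return slope, intercept


def run_federation(sites, rounds=200):
    """Return the global model and every message the coordinator received."""
    slope, intercept = 0.0, 0.0
    transcript = []
    for _ in range(rounds):
        updates = [local_train(slope, intercept, d) for d in sites.values()]
        transcript.extend(updates)
        slope, intercept = federated_average(updates)
    return (slope, intercept), transcript


def least_squares(samples):
    """Closed-form fit, used only to check what a given dataset implies."""
    n = len(samples)
    sx = sum(x for x, _ in samples)
    sy = sum(y for _, y in samples)
    sxx = sum(x * x for x, _ in samples)
    sxy = sum(x * y for x, y in samples)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return slope, (sy - slope * sx) / n


if __name__ == "__main__":
    model, transcript = run_federation(SITES)
    print("federated model:", model)
    for name, data in SITES.items():
        # Each site alone sees only part of the temperature range.
        print(name, "alone would fit:", least_squares(data))
    print("messages seen by coordinator:", len(transcript))
```

With one local step per round, the weighted average equals a gradient step on the pooled data, so the federated model matches the centralised fit although no samples are pooled. More local steps reduce communication but let site models drift apart, which is the coordination and consistency cost the section notes.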

3.2.2. Cybersecurity Threats and AI System Resilience

Smart grids’ increasing digitalization, amplified by AI and IoT, unfortunately, also increases exposure to cyber threats [52]. Cybersecurity is not only a regulatory requirement under NIS2 but also a technical challenge focused on securing AI systems themselves. One key issue is adversarial attacks on AI, where malicious actors feed manipulated data such as falsified sensor readings to trigger incorrect decisions like misrouting power or generating false alarms [13,56]. Developing AI systems that can detect or withstand such adversarial inputs remains an active area of research [56]. AI models may also contain vulnerabilities such as coding errors or inherent biases that can be exploited. Traditional cybersecurity measures like firewalls and intrusion detection systems must be adapted to address the specific characteristics of AI and the industrial control environment in grids. Additionally, much of the legacy equipment in grids lacks modern cyber protections, yet AI systems are required to interface with these components [50]. For instance, many secondary substations might run decades-old protocols; retrofitting them to securely feed data to AI systems is challenging. Interdependence is another factor: A cyber attack could simultaneously affect grid IT systems and the AI decision-making, compounding the impact. The literature highlights the need for strong AI governance to ensure safety. This includes implementing fail-safes so that if AI systems or communications are compromised, the grid can revert to secure operating modes such as islanding or manual control. The technological challenge lies in building resilience. AI should support cybersecurity by rapidly detecting anomalies and isolating faults, but it is equally important to secure the AI systems themselves [25,54]. Some proposed solutions include using blockchain for secure data exchange in smart grids, which can complement AI in validating data integrity [3]. 
There is also exploration of AI for intrusion detection in smart grid networks, essentially using machine learning to identify patterns of cyber-attacks in real time. While that is an AI application in itself, it needs training on large sets of network data and continuous updates as threats evolve. Overall, the challenge is dynamic: As the grid becomes “smarter”, so do the attackers. From a technical perspective, addressing this challenge requires a combination of hardened system design by applying standards such as IEC 62443 for industrial system security and operational security practices including monitoring and threat sharing among utilities. Experts emphasize that cybersecurity is a prerequisite for AI deployment to prevent failures that could disrupt power and seriously undermine stakeholder confidence in AI solutions [13,52].

3.2.3. Interoperability and Standardization

Interoperability is the ability of diverse devices and systems to communicate and work together, and it is critical in a complex environment like a smart grid [70]. A smart grid involves power infrastructure, IT networks, IoT sensors, home energy management systems, electric vehicles, and now AI algorithms tying these pieces together. One significant challenge is that different manufacturers and utilities may use different protocols and data formats. For an AI system to effectively gather data and issue control commands, it must interface seamlessly across these heterogeneous elements. Lack of interoperability can severely limit AI’s situational awareness and control span. For example, if a distribution utility’s AI optimizer cannot access data from independent microgrids or prosumer devices because of incompatible interfaces, its effectiveness is reduced. The EU has recognized this challenge and has been working on standardization mandates (like Mandate M/490 for smart grid standards) and reference architectures [50]. Standards such as CIM (Common Information Model) [71] for data exchange and IEC 61850 [72] for substation automation are being promoted to ensure that systems speak the same language. The European Smart Grids Task Force, as mentioned, has issued reports on interoperability and even led to an implementing regulation on data interoperability in 2023 [43]. However, implementing standards uniformly is challenging; many legacy systems predate these standards and retrofitting them can be costly. From a technological standpoint, achieving interoperability often requires middleware platforms or adapters that translate between protocols, which adds complexity and creates potential points of failure. AI developers may need to build additional layers to access data from different systems, increasing integration challenges [68]. Another important aspect is the interoperability of AI models themselves.
Different stakeholders may use different AI tools, such as one distribution system operator using a load forecasting model while another nearby operator uses a different one. Coordinating their outputs at a regional level can be difficult if the models rely on different input assumptions or data formats. The push for open data and open APIs in the energy sector aims to address this challenge. Technological solutions include adopting open-source platforms and following data exchange standards to reduce interoperability issues [55]. It is also worth noting that interoperability is not only a technical challenge but also an organizational one, as it requires agreements on standards. The reviewed literature often cites the importance of collaborative efforts: utilities, manufacturers, and software providers need to agree on common frameworks. Without such coordination, AI solutions might remain vendor-specific silos, limiting their adoption. One positive development is the emergence of reference architectures for smart grids, like the Smart Grid Architecture Model (SGAM) [73], that provide a blueprint for integrating components. AI functions can be mapped onto these reference models to ensure that they plug in correctly. In summary, achieving full interoperability is work in progress; the challenge is being actively addressed via standardization initiatives, but inconsistencies remain a barrier, especially when deploying AI across system boundaries or across different EU countries with varying infrastructure maturity [50,70].

3.2.4. Scalability and Computational Constraints

Many AI applications in the energy sector begin as pilot projects or research prototypes, such as a machine learning model predicting solar farm output in a specific region or an optimization algorithm running on a microgrid controller. Scaling these solutions to the national grid level or across multiple regions presents significant challenges. Scalability issues arise in several ways. Computationally, an algorithm suitable for 100 devices may not operate in real time for one million devices due to increased algorithmic complexity. As the number of nodes increases, the state space of grid control problems expands rapidly, leading to potential performance bottlenecks for AI algorithms [68]. There may be a need for distributed computing that splits tasks among multiple processors or edge devices. The concept of federated or edge AI intersects with scalability. Instead of one central brain, many smaller brains coordinate. However, coordinating distributed AI systems to ensure they converge toward a global optimum without conflicting decisions is a complex challenge [55]. The literature discusses paradigms like distributed learning, multi-agent systems, and hierarchical control as strategies for scalable AI in smart grids [68,69]. Another scalability challenge is the adaptability of AI models: An AI trained on data from a particular grid or country may not directly transfer to another due to different consumption patterns, climate, or grid topology. Thus, scaling geographically often requires retraining or fine-tuning models, which is resource intensive [56]. Moreover, real-time requirements in grids are strict: certain control actions need decisions in milliseconds. Ensuring that AI can scale and meet real-time deadlines often requires simplifying the model or using more powerful hardware, both of which can be expensive or impractical in field devices. 
The literature notes that advances in high-performance computing and cloud-edge hybrid architectures are contributing to scalability. For example, fast-response AI can be embedded on local controllers for speed, while cloud-based AI manages slower, large-scale optimization tasks [66]. Still, orchestrating this multi-tier AI is non-trivial. Testing and validation at scale is also a challenge. An AI may perform well in a pilot but reveal unexpected interactions when scaled, known as emergent behaviors in complex systems. To address this, engineers require simulation environments such as digital twins of the grid to test AI at full scale before live deployment [7,56]. Creating accurate, detailed simulations of an entire national grid with AI agents is itself a technical challenge, but progress in digital twin technology is making this more feasible. Finally, scalability relates to maintenance. Since an AI system is not a one-off installation, it needs continuous data updates, model recalibration, and software maintenance. Ensuring that this is manageable across thousands of substations or millions of endpoints is daunting for IT departments of utilities, which historically managed simpler control systems. In essence, the scalability challenge involves moving from laboratory demonstrations to industrial-grade, continent-wide systems. This requires robust engineering, substantial computing resources, and often innovations in algorithms to manage complexity. Approaches include using simplified models or applying AI selectively where it adds the most value rather than across all system components.

3.2.5. Explainability and Human-in-the-Loop Considerations

Although not always listed as a “technical” challenge, many sources highlighted the difficulty of ensuring that AI decisions are explainable and align with operator knowledge. Grid operators are accustomed to deterministic control systems and well-understood electrical models. Introducing black-box AI methods such as deep learning can lead to skepticism or operational risk if operators do not trust or understand the AI’s decisions [37,38,51]. This has led to calls for explainable AI in critical infrastructure. Achieving explainability is technically challenging and may require additional algorithms to interpret the AI’s reasoning or the use of inherently interpretable models, which are often simpler but may be less accurate. The EU AI Act’s transparency requirements reinforce this need, effectively mandating that high-risk AI systems provide relevant information to users. In a smart grid context, an AI system that flags an anomaly should also indicate the factors that led to that conclusion so engineers can assess whether it is a true issue or a false alarm. The key challenge is balancing model complexity with interpretability. Some research explores the use of expert systems or rule-based AI for certain grid tasks instead of purely neural-network approaches, since rule-based outputs can be traced to logic that operators understand [68]. Hybrid approaches are also being explored, such as combining physics-based grid models with AI to create physics-informed AI that maintains transparency by grounding outputs in known electrical laws. Human-in-the-loop designs, where AI provides recommendations and humans make final decisions, are often used to ensure safety and build trust. However, keeping a human in the loop can reduce efficiency and is not scalable for decisions that require split-second responses, such as isolating a fault.
This presents a challenge for developing AI systems that can justify their actions or operate within predefined human constraints, known as AI guardrails. Addressing this requires both software solutions and user interface design to ensure AI insights are presented to grid operators in a clear and actionable way [11]. The stakeholder training aspect is closely linked to the need for engineers to acquire new skills for working with AI tools. While not a “hardware” or “software” barrier per se, the need for capacity-building is noted in several reports as a challenge for adoption, ensuring the workforce can effectively integrate AI into operations [38].
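The fail-safes of Section 3.2.2 and the guardrails and factor reporting discussed in this section, combined in one added example (not code from the reviewed literature): a wrapper screens telemetry for falsified readings, bounds the AI's command, records the factors behind each decision, and reverts to manual control when too little can be trusted. The thresholds, sensor names, sample readings and stand-in model are assumptions made for illustration.

```python
"""Guardrail around an AI voltage controller: screen telemetry, bound the
command, explain the decision, and fall back to manual control.

Added example. Thresholds, sensor names and the stand-in model are assumed.
"""
from dataclasses import dataclass, field
from statistics import median

V_MIN, V_MAX = 0.90, 1.10    # plausible per-unit voltage range
MAX_STEP = 0.05              # largest credible change between two samples
MAX_PEER_DEV = 0.04          # largest credible gap to the feeder median
MAX_TAP_CHANGE = 2           # largest tap move allowed without an operator
MIN_TRUSTED = 0.6            # minimum fraction of sensors that must pass
TAP_SIZE = 0.0125            # per-unit voltage change per tap position


@dataclass
class Decision:
    mode: str                                     # "AUTO" or "MANUAL"
    tap_change: int                               # command applied (0 in MANUAL)
    factors: list = field(default_factory=list)   # reasons shown to operators


def stand_in_model(readings):
    """Placeholder for the AI controller: taps needed to reach 1.0 pu."""
    mean_v = sum(readings.values()) / len(readings)
    return round((1.0 - mean_v) / TAP_SIZE)


def screen_telemetry(current, previous):
    """Split readings into trusted values and a reason for each rejection."""
    trusted, factors = {}, []
    feeder_median = median(current.values())
    for sensor, v in current.items():
        last = previous.get(sensor)
        if not V_MIN <= v <= V_MAX:
            factors.append(f"{sensor}: {v:.3f} pu is outside the physical range")
        elif last is not None and abs(v - last) > MAX_STEP:
            factors.append(f"{sensor}: jumped {v - last:+.3f} pu in one sample")
        elif abs(v - feeder_median) > MAX_PEER_DEV:
            factors.append(f"{sensor}: {v:.3f} pu disagrees with feeder median")
        else:
            trusted[sensor] = v
    return trusted, factors


def guarded_decision(current, previous, model=stand_in_model):
    """Apply the model's command only if inputs and output pass the guardrails."""
    if not current:
        return Decision("MANUAL", 0, ["no telemetry received: manual control"])
    trusted, factors = screen_telemetry(current, previous)
    if len(trusted) / len(current) < MIN_TRUSTED:
        factors.append("too few trusted sensors: manual control")
        return Decision("MANUAL", 0, factors)
    proposal = model(trusted)
    if abs(proposal) > MAX_TAP_CHANGE:
        factors.append(f"proposed tap change {proposal:+d} exceeds the "
                       f"limit of {MAX_TAP_CHANGE}: manual control")
        return Decision("MANUAL", 0, factors)
    factors.append(f"tap change {proposal:+d} from {len(trusted)} trusted sensors")
    return Decision("AUTO", proposal, factors)


# Constructed readings (per-unit voltage) for five hypothetical feeder sensors.
PREVIOUS = {"s1": 0.99, "s2": 0.985, "s3": 0.99, "s4": 0.995, "s5": 0.985}
NORMAL = dict(PREVIOUS)
ONE_FALSIFIED = {**PREVIOUS, "s3": 0.91}
MOST_FALSIFIED = {**PREVIOUS, "s1": 1.08, "s2": 1.08, "s3": 1.08}
LOW_VOLTAGE = {name: 0.93 for name in PREVIOUS}

if __name__ == "__main__":
    cases = [("normal", NORMAL, PREVIOUS),
             ("one falsified", ONE_FALSIFIED, PREVIOUS),
             ("most falsified", MOST_FALSIFIED, PREVIOUS),
             ("sustained low voltage", LOW_VOLTAGE, LOW_VOLTAGE)]
    for label, current, previous in cases:
        d = guarded_decision(current, previous)
        print(f"{label}: {d.mode} tap {d.tap_change:+d}")
        for factor in d.factors:
            print("   -", factor)
```

In the single-falsified-sensor case the unguarded model would double its tap command, while the wrapper rejects the reading and names it in the factor list an operator can review.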
In summary, the technological challenges can be seen as the flip side of the coin to the promised benefits of AI: each benefit comes with conditions that must be met. Large-scale forecasting and optimization require big data handling and interoperability; autonomous control requires top-notch cybersecurity and reliability; adaptive and complex AI models bring issues of explainability and scalability. The literature suggests that many of these challenges are being actively worked on through pilot projects, R&D, and standardization efforts [68]. The EU, via funding programs like Horizon Europe, has invested in projects targeting these technical barriers, e.g., projects on federated learning for energy, AI-enabled cybersecurity for critical grids, and cross-domain data hubs for energy data [12]. The existence of these challenges means that stakeholders must plan carefully: a utility considering an AI rollout needs not just a data scientist, but also cybersecurity experts, compliance experts, and engineers to integrate systems. This multidisciplinary requirement is itself a hurdle in traditionally siloed organizations. Nonetheless, overcoming these technological challenges is feasible with the right investments and collaborations. Importantly, many challenges are not unique to one utility, so there is an opportunity for shared solutions, for instance, joint platforms for data sharing or consortia to develop open-source tools for explainable energy AI. As the subsequent section will explore, the payoff for overcoming these hurdles can be substantial in terms of grid performance and stakeholder value [65].

3.2.6. Technology Maturity and Adoption Readiness

To contextualize the observed technological challenges, it is useful to consider where AI-enabled smart grid technologies stand in broader adoption and maturity frameworks. The Technology Readiness Level (TRL) scale, widely used in EU innovation assessments, provides one approach [74]. Most AI applications in smart grids (e.g., real-time anomaly detection, predictive maintenance, or automated energy trading) can be classified around TRL 5–7, indicating demonstration in relevant or operational environments but not yet widespread deployment. Regulatory complexity, infrastructure fragmentation, and trust issues prevent them from reaching TRL 8–9 (full commercial deployment), underscoring the importance of regulatory clarity and standardization to advance maturity.
Complementing this, the Gartner Hype Cycle framework illustrates the socio-technological adoption trajectory of emerging technologies. Many AI applications in energy grids are arguably moving from the “Peak of Inflated Expectations” toward the “Trough of Disillusionment,” where early deployments encounter the realities of cybersecurity, explainability, interoperability, and compliance burdens. For example, while federated learning promises privacy-compliant AI training, it remains at an experimental stage, constrained by coordination complexity and standardization gaps [12]. Similarly, real-time AI-based control systems face hurdles in explainability and liability, slowing stakeholder confidence.
These frameworks reinforce the review’s findings: AI in smart grids is technologically feasible and promising but remains in a transitional phase—between promising pilots and scalable, reliable adoption. Overcoming this requires not only technical advances but also targeted regulatory guidance and multi-stakeholder coordination to resolve current bottlenecks. The Technology Adoption Lifecycle further suggests that the current uptake is largely limited to “early adopters” (e.g., well-funded DSOs or Horizon Europe demonstration projects), with mainstream adoption pending greater institutional and technical readiness. Policies such as regulatory sandboxes and European Digital Innovation Hubs (EDIHs) may help cross the “chasm” between early adoption and early majority.

3.3. Stakeholder Benefits and Policy Implications of AI in Smart Grids

Despite the barriers and challenges outlined, the consensus in the literature is that if AI can be effectively and responsibly integrated into smart grids, the benefits for various stakeholders are considerable. This section highlights those benefits, showing why there is a strong impetus to push through the aforementioned obstacles. It also touches on how stakeholder pressures and policy goals are shaping the AI-smart grid agenda across the EU, and how different countries are experiencing these benefits or lessons in practice [18,22,25].

3.3.1. Improved Grid Stability and Reliability

For grid operators (TSOs/DSOs), a primary benefit of AI is enhanced situational awareness and control, leading to a more stable and resilient grid. AI techniques such as machine learning can analyze vast amounts of grid data in real-time to predict and detect issues faster than traditional methods. For example, AI can forecast voltage or frequency deviations and trigger corrective actions, like dispatching reactive power or reconfiguring network topology to prevent instability [75]. AI-based stability analysis can also identify early warning signs of equipment failures or line overloads. One cited benefit is faster fault detection and restoration: AI-driven fault detection systems can pinpoint outages or anomalies in milliseconds and even suggest optimal re-routing of power, significantly reducing downtime [34]. Such a rapid response is something human operators or conventional rule-based systems struggle with. For the overall system, these improvements mean fewer blackouts and a higher quality of service, a benefit to consumers and society in terms of continuous power supply [56]. The resilience aspect is particularly highlighted in the context of extreme weather events and the growing complexity of distributed energy resources. AI can help manage microgrids in islanded mode during storms or orchestrate black-start processes more efficiently after a major outage. Europe’s policy push for resilience, through the new EU Directive on resilience of critical entities, aligns with leveraging advanced technologies like AI to harden grids [34,38]. In summary, when properly implemented, AI acts as an intelligent assistant to grid operators, processing information and even taking first-line actions to keep the lights on. This directly benefits the grid stakeholders: system operators see improved KPIs, regulators see a more reliable service delivered to the public, and end-users experience fewer interruptions [56].

3.3.2. Economic Efficiency and Cost Optimization

AI in smart grids can unlock significant economic benefits, both in operational cost savings for utilities and in potential cost savings passed to consumers. One major area is optimized asset utilization, where AI can enable utilities to defer expensive infrastructure upgrades by squeezing more performance out of existing assets [13]. For instance, dynamic line rating systems use AI to predict the real-time capacity of power lines based on weather and load data, allowing more current to flow when conditions permit, as opposed to static conservative limits. This postpones the need for new lines. Similarly, AI can optimize generator dispatch and reserve management in a way that minimizes fuel or procurement costs, akin to what sophisticated energy trading algorithms do; however, the AI Act considers such trading algorithms as high-risk due to market impact [5,32,36]. A concrete benefit is in demand response and peak shaving: AI can forecast peak demand periods and coordinate demand response through price signals or direct load control to flatten the load curve [68,69]. Smoothing peaks means less reliance on costly peaking power plants and lower imbalance charges, costs that can be substantial. Additionally, with better AI predictions, field maintenance crews can be dispatched more optimally, and losses in the system can be reduced by fine-tuned voltage control [54]. Consumers may see benefits through dynamic pricing and enhanced energy services. If AI can help offer time-of-use rates or real-time pricing, consumers can adjust usage to save money, and overall societal welfare increases as generation is used more efficiently [23]. At the macro level, integrating high shares of renewable energy economically requires smart, AI-assisted management to handle intermittency at least cost. AI helps avoid curtailment of renewables by forecasting and adjusting other resources accordingly [2,66]. 
Fewer curtailments mean better returns on renewable investments and ultimately cheaper energy. Thus, from utility to household budgets, AI promises financial gains. However, it is important to mention that these benefits often depend on regulatory frameworks that incentivize efficiency, for example, market rules that reward peak reduction or frameworks that allow sharing of savings. The EU’s internal energy market reforms and focus on flexibility markets, through regulations like the Electricity Regulation 2019/943 [76], provide avenues for AI to monetize its efficiency gains, e.g., virtual power plants run by AI can participate in flexibility markets. Therefore, the economic benefits are tightly coupled with progressive energy policies and market designs that the EU and member states are adopting [54].

3.3.3. Enhanced Consumer Engagement and Trust

For consumers and prosumers, AI in smart grids can provide tangible and intangible benefits. Tangibly, as noted, better management can lead to lower costs or new services, such as personalized energy management insights, or automated energy savings in smart homes [25]. Energy companies have begun deploying AI chatbots and apps that give consumers recommendations on how to shift usage to cheaper hours or how to optimize their solar PV and battery usage; these are powered by machine learning on consumption data. Consumers with electric vehicles or smart appliances can benefit from AI that learns their behavior and optimally schedules charging or operation. For instance, an AI that charges an EV when renewable energy is abundant and prices are low can be beneficial. Intangibly, consumer trust in the energy system can be bolstered if AI leads to a more transparent and customer-friendly experience [21]. Paradoxically, regulation plays a key role here. For example, GDPR enforcement pushes utilities to be clear about data usage, which can improve trust if managed correctly. A theme in the literature is that consumers are more likely to embrace smart technologies if they feel their data are safe and used for their benefit [18]. AI can assist in building trust by enabling greater transparency. For example, blockchain combined with AI can allow consumers to verify how their energy usage data are shared in the network [3]. Another benefit is the potential for improved service quality: fewer outages and faster restoration thanks to AI mean consumers experience higher reliability, which in turn enhances their trust in the grid’s modernization. There is also an equity dimension, as AI can help identify energy usage patterns to tailor programs for vulnerable customers, for example, by detecting households that might benefit from energy efficiency upgrades or special tariffs.
This ties into stakeholder benefits as well, since policymakers have goals around alleviating energy poverty, and AI analysis of consumption data could help target social programs more effectively, provided appropriate privacy safeguards are in place. It is worth noting that consumer-oriented benefits often require consumer participation (e.g., responding to price signals). AI can lower the effort for consumers by automating decisions for participation and essentially increasing convenience. This convenience is a benefit in itself, as busy consumers can rely on intelligent systems to manage energy in the background. Greater consumer engagement, enabled by user-friendly AI tools, also aligns with EU policy visions of active consumers in the energy transition [18].

3.3.4. Policy and Environmental Benefits

At a societal level, the deployment of AI in smart grids supports broader policy objectives. Chief among these is the energy transition to a low-carbon system. AI is seen as a facilitator for integrating higher shares of renewable energy by dealing with their variability and complexity [2,66]. By improving grid flexibility and enabling new mechanisms like peer-to-peer energy trading or virtual power plants, AI helps operationalize concepts that were theoretical a decade ago [54]. The benefit is a cleaner energy mix and progress toward EU climate targets. This environmental benefit is indirectly a benefit to all stakeholders, as it contributes to mitigating climate change and local pollution. From a policymaker’s perspective, having smarter grids with AI provides more levers to achieve things like the EU Green Deal commitments [77]. Additionally, AI can aid in policy implementation and monitoring. For example, AI algorithms can analyze data to see if energy efficiency or demand response targets set by regulators are being met, and even attribute causes if not. Another benefit on the policy side is improved system planning: AI can handle complex modeling for long-term planning, e.g., scenario analysis for grid expansion under various EV adoption rates or heat pump rollouts. This helps regulators and system operators make informed investment decisions, avoiding over- or under-building infrastructure [33]. It ultimately saves public and private investment by guiding it to where it is most needed. There are also benefits in terms of innovation and competitiveness. By navigating the regulatory challenges and successfully implementing AI, European utilities and tech companies can become leaders in smart grid technology, potentially exporting solutions abroad. 
This stakeholder benefit is often mentioned by EU officials, stating that strict regulations should not prevent Europe from leading in energy AI innovation but rather give it a competitive edge in trustworthy AI solutions [5,32,33]. In fact, demonstrating AI that respects privacy and security concerns could become a selling point internationally. Some member states have positioned themselves at the forefront.

3.3.5. Stakeholder-Specific Perspectives

Different stakeholders reap different benefits. Utilities and grid operators gain operational efficiency, reduced losses, and potentially new revenue streams, like selling flexibility or AI-driven services. Energy consumers/prosumers gain more control over their energy usage, potential cost savings, and improved service reliability. Regulators and policymakers gain tools to ensure grid stability and achieve policy targets, like renewables integration, consumer protection, and better data-driven oversight of the energy system. Technology providers and startups benefit from a growing market for AI solutions in energy, as regulatory pressure and the promise of benefits are effectively creating demand for innovative products [55]. Society at large benefits from a more sustainable and resilient energy supply, which underpins economic and social well-being [18].
It is important to note that maximizing these benefits often requires navigating trade-offs. For example, to deliver cost savings and stability, a utility might want to process as much data as possible, but it has to balance this against privacy. The concept of “trustworthy AI” comes into play here, as only by ensuring AI is aligned with ethical and legal standards will the full suite of benefits be realized, because stakeholders, like consumers and public authorities, will otherwise withhold support [37]. The literature frequently emphasizes co-creation and stakeholder engagement as part of implementing AI. This involves bringing consumer advocacy groups, regulators, and technical experts together to design AI-driven programs, which can ensure concerns are addressed early on, thereby leading to smoother adoption and more pronounced benefits [23].
Member state diversity also impacts stakeholder engagement and benefit realization. While Nordic utilities benefit from established digital infrastructures and high consumer trust, Eastern EU countries face more limited digital penetration and higher skepticism towards AI-based systems. In countries such as Croatia or Slovakia, smaller DSOs struggle with AI adoption due to lower R&D capacity and limited access to regulatory sandboxes, often relying on EU pilot funding to trial innovations. Conversely, Italy and Spain show how targeted national policies can unlock benefits. Spain’s proactive smart metering rollout (e.g., through Endesa’s Telegestión program) demonstrates how strong regulatory backing and coordinated national strategies can overcome regional barriers and accelerate AI-enabled demand response, even in southern contexts. These variations call for a more tailored approach to EU policy support, ensuring that regulatory tools like the AI Act and GDPR are flexibly interpreted to accommodate national realities while upholding core principles.
The scoping review reveals that while numerous studies indicate high potential benefits, achieving them broadly across the EU will require continued policy support and possibly new policy measures [75]. For instance, to encourage utilities to invest in AI, regulators might need to adapt incentive regulation schemes, such that utilities are not penalized for cost savings that reduce their allowed revenues, a known issue in some regulatory models. Policymakers also need to ensure that regulations like the AI Act are implemented in a way that encourages innovation, possibly through regulatory sandboxes in the energy sector. A regulatory sandbox could allow a utility to trial an AI solution with temporarily relaxed rules and under supervision to evaluate real-world performance and benefits, as has been seen in the fintech sector [38]. A few energy regulators in the EU, such as those in the Netherlands and the UK, have introduced regulatory sandboxes to support smart energy innovations [78]. The EU may adopt this approach more broadly to accelerate learning. The stakeholder benefits identified in this review offer strong support for promoting such proactive facilitation. Moreover, the need for international cooperation speaks to aligning standards and sharing best practices across EU states [3]. Policy frameworks like the Energy Union and bodies like the Agency for Cooperation of Energy Regulators (ACER) can disseminate lessons quickly, ensuring that all member states can catch up to those reaping early benefits [14].
In the larger perspective, the stakeholder benefits, ranging from grid stability and cost optimization to consumer empowerment and environmental gains, form the value proposition that drives the interest in AI for smart grids. They justify why overcoming the regulatory and technological hurdles is worthwhile. The EU’s challenge and opportunity are to create an environment where these benefits can be realized broadly, safely, and fairly. If successful, the result will be a smart grid that not only keeps the lights on, but does so in a way that aligns with Europe’s digital rights and sustainability values, ultimately benefiting all parties from producers to consumers and future generations [40].

4. Discussion

This scoping review has mapped out a complex landscape at the intersection of EU regulation, emerging AI technology, and the evolution of smart electrical grids. The findings highlight a dynamic tension between innovation and regulation: EU laws present certain hurdles to adopting AI in energy, yet those same laws and the values underpinning them are instrumental in guiding AI deployment towards positive outcomes for all stakeholders.

4.1. Conceptual Framework: Regulatory Impacts Across Stakeholders

To support a systemic understanding of how EU legal instruments shape the deployment of AI in smart grids, this section introduces a conceptual framework that maps the relationships between key regulatory instruments and core stakeholder groups. The framework distills findings from the previous sections into a matrix that captures both direct and indirect regulatory effects on grid operators, technology providers, consumers, and policymakers (Table 2). By explicitly linking each law to the actors it affects and the nature of those impacts, the framework enables a clearer view of regulatory complexity and responsibility distribution. This holistic perspective is critical for identifying alignment gaps, planning compliance strategies, and supporting coordinated innovation across the energy sector.

4.2. Key Insights and Implications

4.2.1. Balancing Innovation with Compliance

A clear theme is the need for balance. Overly stringent or unclear regulations, like an inflexible application of GDPR or the AI Act, could slow down beneficial innovations in grid management. Conversely, a laissez-faire approach would risk privacy breaches, security incidents, or loss of consumer trust, which in turn would jeopardize the long-term viability of AI solutions. The EU’s approach, as evidenced by the AI Act and updates to directives like NIS2, is to put guardrails around AI without banning its use in critical sectors [33]. The literature suggests that achieving the right balance may require iterative adjustments. For example, this could mean providing sector-specific guidance, potentially via an energy-specific Delegated Act under the AI Act as recommended by some researchers, to clarify requirements, or adjusting thresholds in GDPR enforcement to enable granular smart meter data analysis under strict controls [79]. Policymakers should monitor early implementations and be ready to refine regulations or issue clarifications. The scoping review found several calls for regulators to use regulatory sandboxes or experimental licenses to allow AI trials in a controlled manner [38,78]. This could generate evidence on how much regulation is needed or which rules could be safely relaxed in practice.
Looking ahead, regulatory frameworks may need to evolve to address disruptive developments such as quantum computing, which threatens current encryption standards, and edge AI, which challenges centralized data governance models under the GDPR. Anticipatory regulatory measures, including updates to cybersecurity standards and data protection impact assessment templates, could mitigate these risks post-2025 while supporting innovation.

4.2.2. Importance of Standards and Collaborative Frameworks

Both regulatory and technological challenges pointed toward standardization as part of the solution. Ensuring interoperability, cybersecurity, and even consistent enforcement of privacy rules across member states ultimately hinges on technical and process standards. The EU’s support for bodies like CEN-CENELEC-ETSI JTC 21 working groups [80] and the Smart Grids Task Force [81] is validated by our findings; these collaborations are essential to produce the standards that will ease AI integration [43,50,53]. One policy implication is that the EU should continue to fund and prioritize standardization mandates (similar to M/490 [82]) and even consider making certain standards mandatory once matured, for instance, by requiring utilities to adopt standardized data models that facilitate secure AI deployment. Additionally, data-sharing frameworks, possibly building on the upcoming Common European energy data space, will be crucial [22,83]. Our results show that many AI benefits come from aggregating data across silos; thus, policies that encourage or mandate data sharing with proper protection could greatly accelerate AI effectiveness.

4.2.3. Capacity Building and Knowledge Sharing

Implementing AI in smart grids is not only a technical upgrade but a socio-technical transformation. Utilities and regulators require new competencies. A key cross-cutting finding is that human factors such as skills, understanding, and acceptance can pose barriers equal to technical challenges [25]. The EU and national governments might consider initiatives to train energy sector professionals in data science and AI, and conversely to educate data scientists about power systems. Similarly, regulatory agencies will need to build capacity to assess AI systems by creating interdisciplinary teams of engineers and data experts. Some of the literature suggests creating guideline documents or handbooks for complying with AI-related regulations in specific sectors, for example, a guide on “AI Act compliance for energy sector AI,” which could be developed by a consortium of regulators, industry, and academia [35]. This would help demystify requirements and share best practices, like how to anonymize data effectively, or how to conduct algorithm impact assessments in energy. At the EU level, knowledge sharing mechanisms, through CEER for energy regulators, or ENISA for cybersecurity best practices, should include AI case studies from different countries to allow faster learning from successes and failures.

4.2.4. Ensuring Stakeholder Alignment and Trust

A recurring point is that consumer trust is pivotal. Any misstep, such as a data breach, an AI bias scandal, or a major blackout blamed on an “AI gone wrong”, could effectively set back public acceptance. Therefore, stakeholders must align to prevent and mitigate such events. Regulators should enforce rules strictly in cases of negligence to show commitment to consumer protection, which in turn builds trust that AI is under oversight. Meanwhile, utilities should engage consumers proactively through, for instance, transparency reports on how AI is used in operations, perhaps even providing opt-outs or control to consumers for certain AI-driven services [21]. One interesting idea from the literature is “algorithmic transparency notices”: akin to privacy notices required by GDPR, there could be communications to customers about automated decision systems affecting them. Though not mandated yet, implementing this voluntarily could improve acceptance. Policymakers might later incorporate such practices into consumer protection regulations.

4.2.5. Maximizing Benefits Through Supportive Policy Measures

To truly reap the benefits AI offers, some enabling policies are beneficial. These include continuing to open electricity markets to flexibility so that AI-optimized resources have value, incentivizing investments in digital grid infrastructure through regulatory allowances or EU funding, and promoting R&D [75]. The EU has already put forward large research calls on AI and energy; maintaining this momentum in Horizon Europe and beyond will help address the remaining technical gaps, like better explainability methods and more robust AI algorithms against attacks, among others [12]. Additionally, cross-sector integration is a frontier where AI can provide benefits by integrating electricity with heating or transport sectors. Policies that encourage cross-sector data and collaboration, such as those in the EU’s Smart Cities initiatives, will further amplify stakeholder benefits by creating more holistic energy ecosystems in which AI can optimize multiple flows simultaneously [40].

4.2.6. Economic Benefits of Compliance and Trust-Building

While regulatory compliance in AI-enabled smart grids entails initial financial outlays, evidence suggests that it also yields considerable long-term economic benefits through risk mitigation, trust-building, and operational efficiency.
Adhering to data protection and cybersecurity regulations can help prevent financially damaging events such as data breaches or cyberattacks on BEMS. In 2024, the global average cost of a data breach reached approximately USD 4.9 million, with SMEs (i.e., firms with fewer than 500 employees) experiencing average losses of USD 3.3 million per incident, well above the typical cost of compliance efforts [84]. For critical systems managing occupant data, such breaches can also inflict severe reputational damage and trigger regulatory fines, legal claims, and customer attrition. Proactive investments in GDPR compliance, privacy audits, secure IoT device certification, and AI model governance thus serve as preventative risk management measures that can offset these potential liabilities.
Regulatory compliance also functions as a trust signal that can accelerate the adoption of AI and IoT technologies in smart grids. McKinsey estimates that effectively addressing cybersecurity and privacy concerns through compliance frameworks and certifications could expand the global IoT market by an additional 20–40% by 2030, unlocking USD 125–250 billion in added supplier value beyond an expected baseline of USD 500 billion [64]. Within the EU, the European Commission has made similar assertions, projecting that the Data Act, designed to promote trustworthy and fair data-sharing practices, could increase EU GDP by EUR 270 billion by 2028 through the development of a trusted data economy [85]. For AI-based building systems, privacy and security certifications may enhance adoption among building owners and operators by reducing perceived legal and operational risks, especially in contexts involving tenant data or mission-critical services.
Compliance processes often prompt firms to rationalize internal practices, yielding efficiency improvements. GDPR alignment, for instance, requires organizations to map and optimize data flows, leading to reduced data redundancy and better governance. Similarly, obtaining cybersecurity certifications for IoT products not only improves security posture but may also reduce cyber insurance premiums by lowering perceived risk. These certifications can serve as commercial differentiators, especially for vendors targeting public-sector contracts or privacy-conscious clients. Firms that are demonstrably GDPR-compliant or certified under EU cybersecurity frameworks can leverage these credentials in marketing and procurement contexts, potentially securing premium pricing or preferential access to regulated markets.

4.3. Global Comparison: AI Governance Models in the Energy Sector

To contextualize the European regulatory landscape, it is useful to compare it with the AI governance models adopted in other major jurisdictions. Building on previous work by the authors [15], Table 3 synthesizes the key characteristics of the EU, US, and Chinese approaches to regulating AI in the energy sector. This comparative lens helps clarify how the EU’s emphasis on preventive, risk-based legislation positions it differently relative to the more reactive or strategic models of governance observed elsewhere. Such comparisons are crucial for stakeholders involved in multinational AI deployments, cross-border regulatory alignment, and global standardization efforts.
The contrasting AI governance models in the EU, the United States, and China highlight the challenges of international harmonization. For multinational stakeholders, including grid operators, technology vendors, and regulators, these differences affect risk planning, compliance strategy, and market access. As AI systems are increasingly deployed across borders, alignment around core principles such as human oversight, cybersecurity assurance, and data accountability becomes critical. The EU’s approach, while comprehensive, may influence global standards via the “Brussels Effect”, but achieving mutual recognition and interoperability will require sustained regulatory dialog and shared frameworks.

4.4. Limitations

This scoping review presents a comprehensive synthesis of the interplay between EU regulatory instruments and AI adoption in smart grid systems; however, several limitations must be acknowledged. First, the review exclusively considered English-language sources, which may have excluded relevant national policy documents or academic studies published in other EU languages, particularly those reflecting regulatory practices in Central and Eastern Europe. Second, while gray literature, such as industry whitepapers and policy reports, was included to capture real-world regulatory interpretations, these sources may reflect institutional or commercial biases not subject to peer-review standards. Third, due to the broad, exploratory nature of the scoping review, no formal critical appraisal of the methodological quality of included studies was conducted. Lastly, the review did not undertake a quantitative meta-analysis of impacts, costs, or stakeholder outcomes, which limits the ability to generalize findings statistically. These limitations are consistent with the PRISMA-ScR methodology and do not detract from the validity of the thematic synthesis, but they underscore the need for future empirical and longitudinal studies to deepen the evidence base.
Furthermore, due to the evolving regulatory environment, some insights rely on anticipated impacts rather than long-term observed outcomes, introducing an aspect of forward-looking analysis in the literature. Future research will need to empirically evaluate how, say, compliance costs actually pan out, or how consumers respond in practice to AI-driven programs under these regulations [34]. As such, one recommendation for the academic community is to conduct longitudinal studies of AI pilot projects and their regulatory compliance journeys. Another area is quantifying the trade-offs: More work is needed on cost–benefit analysis that explicitly factors in compliance costs and risk reductions from regulations to guide optimal policy calibration [36].

5. Conclusions

The adoption of artificial intelligence in smart grids stands at the crossroads of Europe’s digital innovation and regulatory rigor. This scoping review reveals that EU laws, including GDPR, the upcoming EU AI Act, the ePrivacy framework, NIS/NIS2 directives, and liability regulations, significantly influence how AI can be deployed in the electricity sector. These frameworks set essential safeguards for privacy, security, and ethics, which are prerequisites for sustainable AI integration, although they introduce compliance challenges that require technical solutions. On the other hand, AI offers transformative potential for the power grid: enhanced stability and resilience, operational efficiencies and cost savings, empowered consumers, and better integration of renewable energy all align with the EU’s energy security and climate goals [54].
Our review found that regulatory barriers and technological challenges are closely interlinked. Many technical solutions, such as privacy-preserving data analytics, interoperable systems, and explainable AI algorithms, are being driven by the need to comply with or satisfy regulatory demands [69]. In turn, overcoming these challenges enables stakeholders to unlock the multi-faceted benefits of smart grid AI. We also observed that stakeholder collaboration is key. Regulators, grid operators, technology providers, and consumers each have roles to play in ensuring that AI is introduced in a way that is both innovative and responsible. Pioneering projects across EU member states demonstrate that, with careful design and governance, AI-driven smart grids can deliver reliable power more efficiently, integrate renewables at higher levels, and offer new services to consumers. All this is achieved while upholding the data protection and safety standards that Europe has set [6].
As this review also demonstrates, regulatory divergence across jurisdictions introduces both uncertainty and opportunity. For European stakeholders, understanding how the EU’s rules-driven model compares to the more flexible US approach and the centralized strategy in China is essential for anticipating compliance risks, shaping innovation strategies, and contributing to global governance debates. Energy sector stakeholders operating internationally will need to navigate these differences with care, advocating for clearer global standards and investing in compliance mechanisms that are interoperable across regulatory regimes.
In conclusion, the impact of EU laws on AI adoption in smart grids is neither purely restrictive nor permissive; instead, it is shaping a trajectory whereby AI development is steered toward trustworthiness and accountability. Rather than impeding progress, the EU’s legal frameworks, if coupled with clear guidance and continued stakeholder engagement, can create a stable foundation on which innovation flourishes [8]. The path forward will require continuous refinement of technologies and policies. This includes addressing gaps such as clarifying liability and reducing regulatory ambiguity, investing in technical research and development to meet compliance without compromising performance, and sharing best practices across the Union. The evidence in this review indicates that the European approach, often described as a human-centric or value-centric digital strategy, is taking shape in the energy sector as a coordinated effort to balance risk and reward [5].
For researchers and practitioners, this means future work should focus on developing compliant and resilient AI techniques and documenting their real-world performance and impacts. For policymakers, it means remaining adaptive by learning from implementation experiences and adjusting the regulatory environment to foster innovation, such as through sandbox experiments or updated guidance, when needed [38].
If these steps are taken, Europe is well-positioned to lead in the intelligent management of power systems, delivering on the promise of smart grids for a sustainable and secure energy future. The ultimate measure of success will be a smart grid that not only leverages cutting-edge AI but does so in a manner that upholds the European values of privacy, security, and benefit-sharing with consumers. In achieving that, the EU will have turned potential barriers into enablers of a smarter, greener electricity network that benefits all stakeholders.

Author Contributions

Conceptualization, B.N.J.; methodology, Z.G.M.; validation, S.S.G., Z.G.M. and B.N.J.; formal analysis, S.S.G., Z.G.M. and B.N.J.; investigation, S.S.G., Z.G.M. and B.N.J.; resources, B.N.J.; data curation, S.S.G. and Z.G.M.; writing—original draft preparation, B.N.J.; writing—review and editing, S.S.G., Z.G.M. and B.N.J.; visualization, B.N.J.; supervision, B.N.J.; project administration, B.N.J.; funding acquisition, B.N.J. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ACER: Agency for the Cooperation of Energy Regulators
AI: Artificial Intelligence
AI Act: European Union Artificial Intelligence Act
BEMS: Building Energy Management Systems
CCPA: California Consumer Privacy Act
CEN: European Committee for Standardization
CENELEC: European Committee for Electrotechnical Standardization
CEER: Council of European Energy Regulators
CIM: Common Information Model
CRA: Cyber Resilience Act
DPIA: Data Protection Impact Assessment
DSO: Distribution System Operator
ENISA: European Union Agency for Cybersecurity
ETSI: European Telecommunications Standards Institute
EU: European Union
EV: Electric Vehicle
GDPR: General Data Protection Regulation
IoT: Internet of Things
NCCS: EU Network Code on Cybersecurity for the electricity sector
NERC CIP: North American Electric Reliability Corporation Critical Infrastructure Protection
NIS: Network and Information Systems Directive
NIST: National Institute of Standards and Technology
NIS2: (Recast) Network and Information Systems Directive
PRISMA-ScR: Preferred Reporting Items for Systematic Reviews and Meta-Analyses extension for Scoping Reviews
RMF: Risk Management Framework
R&D: Research and Development
SCADA: Supervisory Control and Data Acquisition
SGAM: Smart Grid Architecture Model
SME: Small and Medium-Sized Enterprises
TRL: Technology Readiness Level
TSO: Transmission System Operator
XAI: Explainable Artificial Intelligence

References

  1. Necula, S.C. Assessing the Potential of Artificial Intelligence in Advancing Clean Energy Technologies in Europe: A Systematic Review. Energies 2023, 16, 7633.
  2. Antoniadis, I.I.; Chatzidimitriou, K.C.; Symeonidis, A.L. Security and Privacy for Smart Meters: A Data-Driven Mapping Study. In Proceedings of the 2019 IEEE PES Innovative Smart Grid Technologies Europe (ISGT-Europe), Bucharest, Romania, 29 September–2 October 2019.
  3. Kasl, F.; Blechová, A. The Road Towards a Legal Framework for Cybersecurity Applicable to the European Smart Grid for Electricity. 2024. Available online: https://www.muni.cz/en/research/publications/2392880 (accessed on 30 March 2025).
  4. EU. Regulation (EU) 2016/679—General Data Protection Regulation (GDPR); EU: Brussels, Belgium, 2016.
  5. Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts; COM/2021/206 Final; EU: Brussels, Belgium, 2021.
  6. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector; EU: Brussels, Belgium, 2002.
  7. Coppolino, L.; Nardone, R.; Petruolo, A.; Romano, L. Building Cyber-Resilient Smart Grids with Digital Twins and Data Spaces. Appl. Sci. 2023, 13, 13060.
  8. Cyber Resilience Act (Proposal for a Regulation on Horizontal Cybersecurity Requirements for Products with Digital Elements); EU: Brussels, Belgium, 2022; Available online: https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng (accessed on 30 March 2025).
  9. New Network Code on Cybersecurity for the EU Electricity Sector; EU: Brussels, Belgium, 2024.
  10. Regulation (EU) 2019/881—Cybersecurity Act; EU: Brussels, Belgium, 2019.
  11. Ebers, M.; Hoch, V.R.S.; Rosenkranz, F.; Ruschemeier, H.; Steinrötter, B. The European Commission’s Proposal for an Artificial Intelligence Act—A Critical Assessment by Members of the Robotics and AI Law Society (RAILS). J 2021, 4, 589–603.
  12. Woisetschläger, H.; Erben, A.; Marino, B.; Wang, S.; Lane, N.D.; Mayer, R.; Jacobsen, H.-A. Federated Learning Priorities Under the European Union Artificial Intelligence Act. arXiv 2024, arXiv:2402.05968.
  13. Butun, I.; Lekidis, A.; Santos, D. Security and Privacy in Smart Grids: Challenges, Current Solutions and Future Opportunities. In Proceedings of the 6th International Conference on Information Systems Security and Privacy (ICISSP 2020), Valletta, Malta, 25–27 February 2020; pp. 733–741. Available online: https://www.scitepress.org/Papers/2020/91873/91873.pdf (accessed on 30 March 2025).
  14. Ur-Rehman, O.; Zivic, N.; Ruland, C. Security issues in smart metering systems. In Proceedings of the 2015 IEEE International Conference on Smart Energy Grid Engineering (SEGE), Oshawa, ON, Canada, 17–19 August 2015.
  15. Jørgensen, B.N.; Ma, Z.G. Regulating AI in the Energy Sector: A Scoping Review of EU Laws, Challenges, and Global Perspectives. Energies 2025, 18, 2359.
  16. Prisma. PRISMA Extension for Scoping Reviews (PRISMA-ScR). 2024. Available online: https://www.prisma-statement.org/scoping (accessed on 30 March 2025).
  17. Lee, D.; Hess, D.J. Data privacy and residential smart meters: Comparative analysis and harmonization potential. Util. Policy 2021, 70, 101188.
  18. Moore, S.; Lightcap, R.W.; Butler, W.H. An Investigative Review: Smart Grid and Consumer Privacy Concerns. Int. J. Appl. Technol. Leadersh. 2024, 3, 1–19.
  19. Pallas, F. Data protection and smart grid communication—The European perspective. In Proceedings of the 2012 IEEE PES Innovative Smart Grid Technologies (ISGT), Washington, DC, USA, 16–20 January 2012.
  20. Piatkowska, E.; Bajraktari, A.; Chhajed, D.; Smith, P. Tool support for data protection impact assessment in the smart grid. Elektrotechnik Informationstech. 2017, 134, 26–29.
  21. King, N.J.; Jessen, P.W. Smart metering systems and data sharing: Why getting a smart meter should also mean getting strong information privacy controls to manage data sharing. Int. J. Law Inf. Technol. 2014, 22, 215–253.
  22. Kloza, D.; Dijk, N.v.; Hert, P.D. Assessing the European Approach to Privacy and Data Protection in Smart Grids. Lessons for Emerging Technologies. In Smart Grid Security Innovative Solutions for a Modernized Grid; Elsevier: Amsterdam, The Netherlands, 2015.
  23. Kalogridis, G.; Dave, S. PeHEMS: Privacy enabled HEMS and load balancing prototype. In Proceedings of the 2012 IEEE Third International Conference on Smart Grid Communications (SmartGridComm), Tainan, Taiwan, 5–8 November 2012.
  24. Bartsch, M. German Smart Metering and European Privacy Needs. In Proceedings of the International ETG-Congress 2013; Symposium 1: Security in Critical Infrastructures Today, Berlin, Germany, 5–6 November 2013.
  25. Alabdulkarim, L.; Lukszo, Z. Impact of privacy concerns on consumers’ acceptance of smart metering in the Netherlands. In Proceedings of the 2011 International Conference on Networking, Sensing and Control, Delft, The Netherlands, 11–13 April 2011.
  26. Openvolt. The State of Smart Meter Data Access Across Europe: Challenges, Opportunities, and Country-by-Country Insights. 2024. Available online: https://www.openvolt.com/blog/post/the-state-of-smart-meter-data-access-across-europe (accessed on 30 March 2025).
  27. European Commission. Benchmarking Smart Metering Deployment in the EU-28; Directorate-General for Energy; European Commission: Brussels, Belgium, 2020.
  28. Anczewska, M.; Karjalainen, J.; Orhan, S.; Ugryn, K.; Czyżak, P.; Cremona, E.; Seman, A.M.; Mrozek, K.; Troczyński, M.; Dimitrov, K.; et al. Future-Proofing Central Eastern European Grids for Tomorrow’s Energy System—Climate Action Network (CAN) Europe. 2024. Available online: https://caneurope.org/central-eastern-europe-grids/ (accessed on 30 March 2025).
  29. Aposporis, H. Central, Eastern Europe Severely Lagging in Smart Meters Rollout; Balkan Green Energy News: Beograd, Serbia, 2023.
  30. Gabel, A.; Schiering, I. Privacy patterns for pseudonymity. In IFIP Advances in Information and Communication Technology; Springer: Cham, Switzerland, 2019; pp. 155–172.
  31. von Loessl, V. Smart meter-related data privacy concerns and dynamic electricity tariffs: Evidence from a stated choice experiment. Energy Policy 2023, 180, 113645.
  32. Musch, S.; Borrelli, M.; Kerrigan, C. The EU AI Act: A Comprehensive Regulatory Framework for Ethical AI Development; Elsevier: Amsterdam, The Netherlands, 2023.
  33. Veale, M.; Borgesius, F.J.Z. Demystifying the Draft EU Artificial Intelligence Act—Analysing the good, the bad, and the unclear elements of the proposed approach. Comput. Law Rev. Int. 2021, 22, 97–112.
  34. Volkova, A.; Hatamian, M.; Anapyanova, A.; de Meer, H. Being Accountable is Smart: Navigating the Technical and Regulatory Landscape of AI-based Services for Power Grid. In Proceedings of the 2024 International Conference on Information Technology for Social Good, Bremen, Germany, 4–6 September 2024; Association for Computing Machinery: Bremen, Germany, 2024; pp. 118–126.
  35. Sillberg, C.V.; De Cerqueira, J.S.; Sillberg, P.; Kemell, K.-K.; Abrahamsson, P. The EU AI Act is a Good Start But Falls Short; Springer Nature: Cham, Switzerland, 2025.
  36. Heymann, F.; Parginos, K.; Bessa, R.J.; Galus, M. Operating AI systems in the electricity sector under European’s AI Act—Insights on compliance costs, profitability frontiers and extraterritorial effects. Energy Rep. 2023, 10, 4538–4555.
  37. Novelli, C.; Casolari, F.; Rotolo, A.; Taddeo, M.; Floridi, L. Taking AI risks seriously: A new assessment model for the AI Act. AI Soc. 2024, 39, 2493–2497.
  38. Alfieri, C.; Caroccia, F.; Inverardi, P. AI Act and Individual Rights: A Juridical and Technical Perspective. In Proceedings of the Workshop on Imagining the AI Landscape After the AI Act (IAIL 2022) CO-Located with 1st International Conference on Hybrid Human-Artificial Intelligence (HHAI 2022), Amsterdam, The Netherlands, 13 June 2022.
  39. Vereno, D.; Polanec, K.; Neureiter, C. Compliance by Design for Cyber-Physical Energy Systems: The Role of Model-Based Systems Engineering in Complying with the EU AI Act. In Proceedings of the Workshop on Model-based System Engineering and Artificial Intelligence, Roma, Italy, 21–23 February 2024.
  40. Pelekis, S.; Karakolis, E.; Lampropoulos, G.; Mouzakitis, S.; Markaki, O.; Ntanos, C.; Askounis, D. Trustworthy Artificial Intelligence in the Energy Sector: Landscape Analysis and Evaluation Framework. In Proceedings of the 2024 IEEE International Conference on Engineering, Technology, and Innovation (ICE/ITMC), Funchal, Portugal, 24–28 June 2024.
  41. European Commission. European Data Governance Act; European Commission: Brussels, Belgium, 2022.
  42. European Network of Transmission System Operators for Electricity. Data Spaces in the Energy Sector: Enabling the Green Energy Transition. 2024. Available online: https://www.entsoe.eu/2024/11/06/data-spaces-in-the-energy-sector-enabling-the-green-energy-transition/ (accessed on 30 March 2025).
  43. European Commission. EU Policy Supporting the Digital and Green Transformation of the Energy System; European Commission: Brussels, Belgium, 2025.
  44. Solidarity at the Intersection of Data Governance and Energy Policy. Maastricht J. Eur. Comp. Law 2025, 32, 123–145.
  45. Nicolai, S.; Münchmeyer, M. The Data Act and Electricity Consumer Participation in Demand Response and Flexibility Services; Elsevier: Amsterdam, The Netherlands, 2024.
  46. Lang, M.; Hendrikx, R. Energy Outlook 2025: Energy Digitalisation. 2025. Available online: https://www.lexology.com/library/detail.aspx?g=073689fa-b0b9-4c44-9e86-39857cb43ec5 (accessed on 30 March 2025).
  47. SolarPower Europe. Grid Flexibility Will Only Materialise with a Legally Binding Harmonisation of Data Requirements Across the EU. 2024. Available online: https://www.solarpowereurope.org/advocacy/policy-letters/grid-flexibility-will-only-materialise-with-a-legally-binding-harmonisation-of-data-requirements-across-the-eu (accessed on 30 March 2025).
  48. European Parliament; Council of the European Union. Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector. Off. J. Eur. Union 2002, L201, 37–47.
  49. Hunton Andrews Kurth LLP. European Commission Withdraws ePrivacy Regulation and AI Liability Directive Proposals; European Commission: Brussels, Belgium, 2025.
  50. Pavleska, T.; Aranha, H.; Masi, M.; Sellitto, G.P. Drafting a cybersecurity framework profile for smart grids in EU: A goal-based methodology. In Communications in Computer and Information Science; Springer: Cham, Switzerland, 2020; pp. 143–155.
  51. Laux, J. Institutionalised distrust and human oversight of artificial intelligence: Towards a democratic design of AI governance under the European Union AI Act. AI Soc. 2024, 39, 2853–2866.
  52. Urquhart, L.; McAuley, D. Avoiding the internet of insecure industrial things. Comput. Law Secur. Rev. 2018, 34, 450–466.
  53. Matviienko, H.; Kucherkova, S.; Yanovska, V.; Hurochkina, V.; Ternovsky, V.; Kesy, M. Governmental Management and Regulatory Measures for Advancing AI in the Ukrainian Energy Sector as a Basis for Rapid and Sustainable Development of the Ukrainian Economy. In Proceedings of the 2023 13th International Conference on Advanced Computer Information Technologies (ACIT), Wrocław, Poland, 21–23 September 2023.
  54. Gaggero, G.B.; Piserà, D.; Girdinio, P.; Silvestro, F.; Marchese, M. Novel Cybersecurity Issues in Smart Energy Communities. In Proceedings of the 2023 1st International Conference on Advanced Innovations in Smart Cities (ICAISC), Jeddah, Saudi Arabia, 23–25 January 2023.
  55. Noll, J.; Garitano, I.; Fayyad, S.; Åsberg, E.; Abie, H. Measurable security, privacy and dependability in smart grids. J. Cyber Secur. Mobil. 2014, 3, 371–398.
  56. Coppolino, L.; Nardone, R.; Petruolo, A.; Romano, L.; Souvent, A. Exploiting Digital Twin technology for Cybersecurity Monitoring in Smart Grids. In ARES’23: Proceedings of the 18th International Conference on Availability, Reliability and Security, Benevento, Italy, 29 August–1 September 2023; Association for Computing Machinery: New York, NY, USA, 2023.
  57. PricewaterhouseCoopers. Privacy Reset: From Compliance to Trust-Building. 2021. Available online: https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/privacy-reset.html (accessed on 30 March 2025).
  58. Huddleston, J. The Price of Privacy: The Impact of Strict Data Regulations on Innovation and More. 2021. Available online: https://www.americanactionforum.org/insight/the-price-of-privacy-the-impact-of-strict-data-regulations-on-innovation-and-more/ (accessed on 30 March 2025).
  59. Wu, W.; Liu, S. Compliance Costs of AI Technology Commercialization: A Field Deployment Perspective. arXiv 2023, arXiv:2301.13454.
  60. Vandercruysse, L.; Buts, C.; Dooms, M. Economic Costs of the DPIA; SPECTRE Project. 2019. Available online: https://spectreproject.be/output/downloads-1/deliverable-d3-1-economic-costs-of-the-dpia.pdf (accessed on 30 March 2025).
  61. Renda, A. Clarifying the Costs for the EU’s AI Act. 2021. Available online: https://www.ceps.eu/clarifying-the-costs-for-the-eus-ai-act/ (accessed on 3 February 2025).
  62. Renda, A.; Arroyo, J.; Fanni, R.; Laurer, M.; Sipiczki, A.; Yeung, T.; Maridis, G.; Fernandes, M.; Endrodi, G.; Milio, S.; et al. Study to Support an Impact Assessment of Regulatory Requirements for Artificial Intelligence in Europe; European Commission: Brussels, Belgium, 2021.
  63. European Commission. Impact Assessment Accompanying the Proposal for a Regulation on ENISA and on Information and Communication Technology Cybersecurity Certification; European Commission: Brussels, Belgium, 2017.
  64. Caso, J.; Cole, Z.; Patel, M.; Zhu, W. Cybersecurity for the IoT: How Trust Can Unlock Value. 2023. Available online: https://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/cybersecurity-for-the-iot-how-trust-can-unlock-value (accessed on 30 March 2025).
  65. Antonov, A.; Haring, T.; Korotko, T.; Rosin, A.; Kerikmae, T.; Biechl, H. Pitfalls of Machine Learning Methods in Smart Grids: A Legal Perspective. In Proceedings of the 2021 International Symposium on Computer Science and Intelligent Controls (ISCSIC), Rome, Italy, 12–14 November 2021.
  66. Martinez, J.; Ruiz, A.; Puelles, J.; Arechalde, I.; Miadzvetskaya, Y. Smart grid challenges through the lens of the European general data protection regulation. In Advances in Information Systems Development. ISD 2019; Lecture Notes in Information Systems and Organisation; Springer: Cham, Switzerland, 2019.
  67. Balamurugan, M.; Narayanan, K.; Raghu, N.; Arjun Kumar, G.B.; Trupti, V.N. Role of artificial intelligence in smart grid—a mini review. Front. Artif. Intell. 2025, 8, 1551661.
  68. Srinivasan, S.; Kumarasamy, S.; Andreadakis, Z.E.; Lind, P.G. Artificial Intelligence and Mathematical Models of Power Grids Driven by Renewable Energy Sources: A Survey. Energies 2023, 16, 5383.
  69. Abdulaal, M.J.; Mahmoud, M.M.E.A.; Bello, S.A.; Khalid, J.; Aljohani, A.J.; Milyani, A.H.; Abusorrah, A.M.; Ibrahem, M.I. Privacy-Preserving Detection of Power Theft in Smart Grid Change and Transmit (CAT) Advanced Metering Infrastructure. IEEE Access 2023, 11, 68569–68587.
  70. Soares, A.A.Z.; Lopes, Y.; Passos, D.; Fernandes, N.C.; Muchaluat-Saade, D.C. 3AS: Authentication, Authorization, and Accountability for SDN-Based Smart Grids. IEEE Access 2021, 9, 88621–88640.
  71. Standard. Common Information Model (CIM) for Grid Models Exchange. 2014. Available online: https://www.entsoe.eu/digital/common-information-model/ (accessed on 30 March 2025).
  72. IEC 61850–Home; IEC Standard. International Electrotechnical Commission: Geneva, Switzerland, 2025.
  73. Panda, D.K.; Das, S. Smart grid architecture model for control, optimization and data analytics of future power networks with more renewable energy. J. Clean. Prod. 2021, 301, 126877.
  74. Strazza, C.; Olivieri, N.; De Rose, A.; Stevens, T.; Directorate-General for Research and Innovation (European Commission). Technology Readiness Level—Guidance Principles for Renewable Energy Technologies—Final Report; Publications Office: Luxembourg, 2017.
  75. Moreira, N.A.; Freitas, P.M.; Novais, P. The AI Act Meets General Purpose AI: The Good, The Bad and The Uncertain; Springer Nature: Cham, Switzerland, 2023.
  76. European Parliament; Council of the European Union. Regulation (EU) 2019/943 of the European Parliament and of the Council of 5 June 2019 on the internal market for electricity (recast) (Text with EEA relevance). Available online: https://eur-lex.europa.eu/eli/reg/2019/943/oj/eng (accessed on 30 March 2025).
  77. Lavrijssen, S.; Apráez, B.E.; Caten, T.T. The Legal Complexities of Processing and Protecting Personal Data in the Electricity Sector. Energies 2022, 15, 1088.
  78. Beckstedde, E.; Correa Ramírez, M.; Cossent, R.; Vanschoenwinkel, J.; Meeus, L. Regulatory sandboxes: Do they speed up innovation in energy? Energy Policy 2023, 180, 113656.
  79. Green Software Foundation. The EU AI Act: Insights from the Green AI Committee. 2024. Available online: https://greensoftware.foundation/articles/the-eu-ai-act-insights-from-the-green-ai-committee (accessed on 30 March 2025).
  80. CEN-CENELEC Joint Technical Committee. Working Groups & Projects|CEN-CENELEC JTC 21. 2025. Available online: https://jtc21.eu/working-groups/ (accessed on 30 March 2025).
  81. European Commission. Smart Grids Task Force (SGTF). 2025. Available online: https://energy.ec.europa.eu/system/files/2016-04/Agenda%2520table%2520SGTF-EG3%2520%2520Smart%2520Homes_%252026%2520April%25202016_final_0.pdf (accessed on 30 March 2025).
  82. CEN-CENELEC-ETSI Smart Grid Coordination Group. Overview of SG-CG Methodologies. 2014. Available online: https://www.cencenelec.eu/media/CEN-CENELEC/AreasOfWork/CEN-CENELEC_Topics/Smart%20Grids%20and%20Meters/Smart%20Grids/2_sgcg_methodology_overview.pdf (accessed on 30 March 2025).
  83. Energy Transition Expertise Centre. Common European Energy Data Space; European Commission: Brussels, Belgium, 2023.
  84. Bonnie, E.; Fitzgerald, A. 110+ of the Latest Data Breach Statistics [Updated 2025]. 2025. Available online: https://secureframe.com/blog/data-breach-statistics (accessed on 30 March 2025).
  85. European Commission. European Data Strategy; European Commission: Brussels, Belgium, 2020.
Figure 1. PRISMA-ScR flow diagram for source identification and selection.
Table 1. Overview of the EU laws regulating AI in the electricity sector.
LegislationScope and ObjectiveKey Requirements/Provisions Relevant to AI in Smart GridsImpact on AI Use in Smart Grids
General Data Protection Regulation (GDPR)Regulates the processing of personal data and ensures data protection across all EU member states.Lawful basis for data collection and processing (e.g., consent or legitimate interest).
Data minimization, privacy by design, and privacy impact assessments (DPIAs).
Strict rules on transfers of personal data outside the EU.
Requires anonymization/pseudonymization or secure processing of detailed consumption data.
Necessitates compliance overhead and potential adjustments to AI models needing granular user data.
Can foster trust if handled transparently.
EU Artificial Intelligence Act (AI Act)Establishes a risk-based regulatory framework for AI, classifying applications as low- or high-risk with corresponding obligations.High-risk AI (critical infrastructure) must meet strict requirements: risk assessments, logging, human oversight, explainability, and conformity assessments.
Sector-agnostic, but covers energy as critical infrastructure.
Imposes compliance costs and documentation burdens on grid operators and AI vendors.
Encourages “trustworthy by design” AI (e.g., explainability) in grid management.
May slow deployment of unproven or opaque AI solutions.
Data Governance Act (DGA)Establishes a framework for trustworthy data sharing through data intermediation services, data altruism, and governance of common European data spaces.Facilitates voluntary data sharing between organizations through certified intermediaries.
Enables “data altruism” for public interest AI training.
Promotes the creation of federated European data spaces, including for energy.
Supports cross-stakeholder data sharing for AI training and smart grid optimization.
Enables trusted infrastructure for federated learning and collaborative AI development.
Encourages data standardization and ethical reuse.
Data ActEstablishes mandatory obligations for data access, sharing, and portability for data generated by connected devices and digital services.Grants users rights to access and share IoT-generated data (e.g., from smart meters).
Mandates interoperability and prohibits unfair contractual terms limiting data sharing.
Enables business-to-government data access for public interest needs.
Facilitates access to energy data by AI developers and service providers.
Enhances availability of training datasets for AI under lawful, standardized protocols.
Requires compliance effort to implement APIs and secure interfaces; may accelerate innovation if harmonized.
ePrivacy FrameworkProtects confidentiality and privacy in electronic communications, complementing GDPR.Requires consent for accessing terminal equipment data (e.g., smart meter data transmitted via telecom networks).
Covers metadata, direct marketing rules, and confidentiality of communications.
Creates uncertainty (due to ongoing regulatory updates/withdrawals of proposed ePrivacy Regulation).
May restrict AI-driven services (like targeted energy advice) that rely on communication data without explicit user consent.
Network and Information Systems (NIS2) DirectiveAims to achieve a high common level of cybersecurity for operators of essential services, including electricity.Mandates security risk management, incident reporting, supply chain security for DSOs/TSOs.
Broader scope than the original NIS Directive, with more prescriptive requirements and penalties.
Applies to critical infrastructure.
Requires grid operators using AI to implement robust cybersecurity measures (e.g., securing AI training data, anomaly detection).
Can add compliance costs but fosters a security-by-design approach to AI deployments.
EU Cyber Resilience Act (CRA)Proposes baseline cybersecurity requirements for products with digital elements, aiming to reduce vulnerabilities in hardware/software.Addresses design, development, and entire lifecycle of digital products (including software used in smart grids).
Enforces ongoing security maintenance (patching, updates) and transparency about product vulnerabilities.
AI software or devices deployed in smart grids must comply with CRA if considered “products with digital elements.”
Encourages more secure AI solutions, potentially increasing development/testing effort.
EU Network Code on Cybersecurity for the Electricity Sector (NCCS)Establishes sector-specific cybersecurity rules and technical standards for electricity TSOs, DSOs, and related actors.Sets common cybersecurity requirements tailored to power system operations.
Defines processes for incident prevention, detection, and response across European electricity infrastructure.
Enhances uniform cyber-protection of AI-based grid applications (e.g., predictive maintenance, autonomous control).
Adds sector-specific compliance checks that may refine how AI solutions are architected and tested.
EU Cybersecurity Act
Establishes a certification framework for ICT products and services.
Enables voluntary cybersecurity certification of AI systems and software.
Provides assurance levels and guidelines for conformity.
May become de facto requirement for AI vendors.
Boosts AI trustworthiness and market access.
Complements NIS2 and CRA compliance.
AI Liability Directive (Withdrawn Proposal)
Sought to harmonize rules on non-contractual liability for AI-related harm.
Would have eased the burden of proof for victims.
Proposed reversing burden in high-risk AI incidents.
Would have clarified legal risks of AI-induced outages or failures.
Its withdrawal maintains legal uncertainty, possibly deterring adoption.
Revised Product Liability Directive (2023 proposal)
Updates product liability rules to include software and AI.
Expands definition of “product” to include standalone software.
Clarifies liability of AI vendors for damage caused by software defects.
Extends manufacturer liability for AI failures.
Promotes safer software design.
Encourages clearer contractual risk-sharing in smart grid AI deployments.
Table 2. Conceptual Framework: Impact of Key EU Regulatory Instruments on AI-Enabled Smart Grid Stakeholders.
| EU Regulation/Law | Grid Operators (DSOs/TSOs) | Technology Providers (AI/IoT Vendors) | Consumers/Prosumers | Regulators and Policymakers |
|---|---|---|---|---|
| GDPR (General Data Protection Regulation) | Must ensure lawful basis for processing consumption data; conduct DPIAs for new AI services; manage data minimization and pseudonymization | Design AI/IoT systems with privacy-by-design and secure data handling; must support anonymization and access control | Gain rights over personal energy data; can withdraw consent; increased transparency expectations | Monitor and enforce compliance; issue national guidelines; ensure data protection consistency across energy sector |
| AI Act | Must classify AI applications by risk; comply with requirements for high-risk systems (e.g., grid control); maintain human oversight and documentation | Bear compliance burden for high-risk AI (e.g., training data quality, explainability); need conformity assessments and CE marking | Gain protection from opaque or harmful AI decisions; increased accountability and transparency of energy services | Responsible for enforcement and guidance; define energy-specific implementing acts and regulatory sandboxes |
| NIS2 Directive | Obligated to implement cybersecurity risk management, incident reporting, and third-party risk controls for digital operations | Required to align software and hardware with grid security standards; face increased scrutiny if serving critical infrastructure | Indirectly benefit from greater grid resilience and reduced service disruption | Develop national transpositions; supervise implementation across electricity sector |
| Cyber Resilience Act (CRA) | Ensure all digital products integrated into the grid meet baseline security standards; maintain software updates | Must certify IoT/AI components; disclose vulnerabilities; follow secure lifecycle practices | Benefit from more secure smart home/EV products; reduced cybersecurity risk | Oversee conformity and enforcement; coordinate standards development for certified products |
| Data Governance Act (DGA) | Participate in voluntary data-sharing ecosystems (e.g., federated data spaces); act as data stewards | Gain access to curated public/private datasets via trusted intermediaries; encouraged to use standardized protocols | Can contribute to data altruism schemes; greater visibility on data use | Facilitate data sharing frameworks; certify intermediaries and establish governance bodies |
| Data Act | Must provide access to IoT-generated data via standard APIs; manage B2G data sharing duties | Can request access to energy data from devices/systems; must comply with interoperability and fairness clauses | Empowered to control and share data with third parties (e.g., energy apps); increased service innovation | Enforce data portability and reuse provisions; specify technical standards and contractual norms |
| ePrivacy Framework | Must obtain user consent for accessing communication metadata (e.g., smart meter signals); navigate telecom privacy | Design systems that respect terminal device access rules; manage consent mechanisms | Gain additional privacy protections for communication data; can control smart meter telemetry use | Interpret outdated directive while awaiting reform; address fragmented national rules |
| Liability and Product Safety Framework | Accountable for grid impacts of AI-based decisions unless risks are contractually transferred | May be held liable for defective AI software; required to provide documentation for traceability | Receive protections through revised product liability rules; eligible for redress | Harmonize liability frameworks; reduce uncertainty in attribution of harm caused by autonomous systems |
Table 3. Comparative Models of AI Regulation in the Energy Sector.
| Dimension | EU (Rules-Driven) | US (Market-Driven) | China (State-Driven) |
|---|---|---|---|
| AI Law Coverage | Comprehensive legal framework including AI Act, GDPR, NIS2 | No central AI law; relies on sectoral regulations and voluntary guidance | No energy-specific AI law; governed by national AI strategy and digital governance laws |
| Governance Model | Preventive, legally binding, and rights-based | Reactive, innovation-first, sectoral oversight | Centralized, directive, tightly integrated with industrial policy |
| Privacy Protection | Strong and enforceable through GDPR | Fragmented (e.g., CCPA in California); limited federal enforcement | Personal Information Protection Law (PIPL) grants rights, but broad exemptions for state actors |
| Cybersecurity Framework | Layered and sector-specific (NIS2, CRA, NCCS) | NERC CIP standards for bulk power; patchwork elsewhere | Cybersecurity Law and Data Security Law with strict localization requirements |
| Innovation Approach | Sandboxes, conformity assessments, and ethical AI mandates | Market experimentation and public–private partnerships | State-owned enterprise pilots and top-down national AI deployment |
| Trust and Transparency | Legal mandates for explainability, accountability, and human oversight | Voluntary transparency; guided by frameworks (e.g., NIST AI RMF) | Algorithm registries and ethical guidelines aligned with core socialist values |
Source: Adapted from Jørgensen & Ma (2025) [15].
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
