This deliverable, D3.2 – U2Demo Standardization, Cybersecurity, and Data Privacy, defines the technical, semantic, and security foundations required for the development and deployment of the U2Demo platform, an open-source peer-to-peer (P2P) energy sharing and flexibility management solution for diverse Energy Community (EC) contexts. It is produced under Task T3.2 – Standards, Interoperability, and Cybersecurity, which ensures that the platform is designed to be interoperable, secure, standards-aligned, and replicable across different regulatory and technical environments in the European Union (EU).

The work begins with a comprehensive consortium-wide questionnaire to assess the current status of the adoption of interoperability standards, communication protocols, data models, cybersecurity measures, and data privacy practices. The analysis reveals significant heterogeneity: while some partners are already aligned with open standards such as Smart Applications REFerence (SAREF), Smart Energy Aware Systems (SEAS), and Open Automated Demand Response (OpenADR), others rely on proprietary protocols, ad-hoc data formats, and minimal security controls. This diversity highlights the need for a harmonized semantic and technical integration framework.

To address this, the deliverable develops a modular, FAIR-compliant (Findable, Accessible, Interoperable, and Reusable) ontology following a six-step agile methodology adapted from Agile Interaction Model based ontology development Methodology (AIME). The ontology reuses and aligns with existing European standards and ontologies (SAREF, SEAS, ENERSHARE) and introduces U2Demo-specific modules to cover gaps in areas like internal community pricing, flexibility scheduling, EC governance roles, and domain-specific event taxonomies.
A set of eleven interoperable core modules (System, Player, Market, Forecast, TimeSeries, Schedule, Device, Building, Event, Price, and Properties) has been defined to enable a consistent, machine-readable representation of data across heterogeneous systems.

Beyond semantic alignment, interoperability is also addressed at the architectural level, including integration scenarios with Simpl Middleware to enable secure, contract-based data exchange across pilot systems. The deliverable provides detailed Application Programming Interface (API) requirements and supported data exchange formats, illustrated with the Energy Web (EW) Digital Spine Client as a reference implementation. This includes both RESTful and WebSocket (WSS) APIs, covering modules such as authentication, user and key management, enterprise credential handling, client gateway configuration, topic and channel management, address book services, and secure messaging. Supported formats include JSON objects (JSD-7 specification) and file-based formats such as JSON, Comma-separated values (CSV), Tab-separated values (TSV), and eXtensible Markup Language (XML). Together, these specifications and authentication methods (Open Authorization protocol, OAuth2; Mutual Transport Layer Security, mTLS) ensure secure, standardised, and consistent data sharing across the U2Demo ecosystem.

A multi-layered cybersecurity and data privacy framework has been established, grounded in internationally recognized standards (International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 [9], IEC 62443 [10], [11], National Institute of Standards and Technology Interagency Reports (NISTIR) 7628 [12]) and fully aligned with EU regulatory requirements (General Data Protection Regulation – GDPR [13], Network and Information Systems 2 Directive – NIS 2 [14], and the forthcoming Network Code on Cybersecurity [15]).
The framework introduces strong authentication (Public key infrastructure – PKI, Multi-factor authentication – MFA), encryption in transit and at rest (Transport Layer Security, TLS 1.3 [16]; Advanced Encryption Standard, AES-256 [17]), granular access control (Role-based access control – RBAC, Attribute-based access control – ABAC), secure logging and auditing, and privacy-by-design principles. Special attention is given to risks inherent in P2P environments, such as rogue node injection, data manipulation, and unauthorized control. Countermeasures include device attestation, anomaly detection, and secure onboarding protocols, ensuring robust protection of operational and personal data.

The deliverable concludes that interoperability and cybersecurity must be developed together to ensure trust, resilience, and scalability. The next steps focus on formalizing the ontology in machine-readable formats, developing APIs, data models, and their specifications (D3.4), potentially creating protocol adapters for proprietary systems, implementing the security baseline across all partners, and validating interoperability and security in pilot environments. By combining semantic standardization, secure architecture, and alignment with frameworks previously developed in European projects, this deliverable ensures that the U2Demo platform is positioned as a robust, trustworthy, and replicable solution for energy communities, capable of scaling across different technical and regulatory landscapes in Europe.