EU regulations hold back building energy management retrofits
The complexity and uncertainty of regulation across the European Union is holding back the use of AI in existing buildings, says a review of building energy management systems (BEMS).
Retrofitting sensors and AI into buildings to control heating and air conditioning systems can save 20 to 30% of the energy costs, and provide a significant reduction in overall carbon dioxide emissions as well as a more stable electricity grid. However, there are several regulations that create uncertainty, says a review of systems conducted by the University of Southern Denmark. This is especially true for smaller buildings.
The review of AI and the Internet of Things (IoT) for Building Energy Management Systems (BEMS) by Bo Nørregaard Jørgensen and Zheng Grace Ma highlights the complex regulatory landscape, including the EU AI Act, the General Data Protection Regulation (GDPR), the EU Cybersecurity Act, and the Energy Performance of Buildings Directive (EPBD).
For example, GDPR imposes strict requirements on the handling of any personal data collected by building sensors, particularly occupancy and environmental conditions, while the coming EU Artificial Intelligence Act (AI Act) will classify certain AI applications such as HVAC as “high-risk” and so require risk assessments, transparency, and human oversight for those systems.
At the same time, the coming Cyber Resilience Act (CRA) will introduce mandatory security-by-design requirements for products with digital elements covering IoT hardware and software. Meanwhile, the Network and Information Security Directive (NIS), updated as NIS2, extends cybersecurity obligations to operators of essential services, which can include building infrastructure in critical sectors.
The review covers 64 sources, from peer-reviewed articles to regulatory or policy documents, to identify legal and regulatory barriers that may hinder innovation, including data protection constraints, cybersecurity compliance, liability concerns, and interoperability requirements. At the same time, the review highlights the opportunities that compliant AI and IoT-based BEMS can provide for energy savings, operational efficiencies and new business models in smart buildings.
“There’s a clear opportunity here,” said Donatas Karčiauskas, CEO of Exergio in Vilnius, Lithuania. The company has ongoing projects using its AI tools in Poland, the United Kingdom, Ireland, the Czech Republic, Hungary, Oman, Sweden, and Lithuania and is planning to expand to Germany and France. “We’re seeing a growing interest in AI-based retrofits, yet many still assume the compliance cost is too high. In our experience, you can often unlock 20–30% energy savings without touching the walls.”
There is also a key technical challenge in interoperability as a regulatory goal. Modern BEMS must often integrate multiple subsystems. HVAC controls use legacy protocols such as BACnet, Modbus, or KNX, while lighting systems, security and access control, and fire safety systems use a wide array of IoT sensors from different vendors. Achieving seamless communication among these disparate components is complex and resource-intensive. Engineers frequently rely on middleware platforms or protocol gateways that can translate between these heterogeneous systems.
A building can use an IoT integration layer to standardize sensor data for AI analysis. Middleware and open APIs now play a central role in enabling legacy system integration and interoperability in smart BEMS.
Middleware platforms such as Eclipse SmartHome or openHAB act as abstraction layers to decouple application software from hardware-specific protocols, allowing disparate devices to communicate without requiring direct protocol compatibility. This allows interfaces with legacy systems via BACnet, Modbus, or KNX, reducing the need for costly hardware replacements.
Open APIs, particularly RESTful APIs and publish-subscribe protocols like MQTT and DDS, enable third-party services to interact securely and asynchronously with legacy devices and modern IoT components.
However, integrating middleware and APIs also introduces architectural complexity, such as the need for service orchestration, data normalization, and robust access control. Addressing these trade-offs through secure API gateways and middleware orchestration frameworks is essential for achieving scalable, resilient, and regulation-compliant smart building ecosystems.
This architecture also introduces latency and new points of failure, increasing system complexity and operational risk. Interoperability also involves connecting BEMS with external data sources such as electricity price signals from the grid, weather forecast APIs, or demand-response signals. This integration is vital for energy efficiency and grid interaction but requires robust handling of a wide range of data formats and secure external interfaces.
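A sketch of the integration layer described above, added here as an illustration and not taken from the review or any vendor: readings from legacy protocols are normalized to vendor-neutral points, and every client request is checked against a deny-by-default grant list. The point map, register scaling, client names and grants are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Reading:
    point: str    # vendor-neutral point name
    value: float
    unit: str

# Constructed map: (protocol, native address) -> (point, unit, scale factor)
POINT_MAP = {
    ("modbus", "40001"): ("ahu1/supply_air_temp", "degC", 0.1),
    ("bacnet", "analog-input:3"): ("ahu1/return_air_temp", "degC", 1.0),
    ("knx", "1/2/7"): ("floor2/co2", "ppm", 1.0),
}

# Constructed grants per client; a trailing "/" grants a whole subtree,
# anything else must match exactly. Unlisted clients get nothing.
ACL = {
    "ai-optimizer": {"read": {"ahu1/", "floor2/"}, "write": {"ahu1/setpoint"}},
    "weather-feed": {"read": set(), "write": set()},
}

def normalize(protocol: str, address: str, raw) -> Reading:
    """Translate a native value into the common schema, rejecting bad input."""
    key = (protocol, address)
    if key not in POINT_MAP:
        raise KeyError(f"unmapped point: {key}")
    if isinstance(raw, bool) or not isinstance(raw, (int, float)):
        raise ValueError(f"non-numeric value from {key}: {raw!r}")
    point, unit, scale = POINT_MAP[key]
    return Reading(point, round(raw * scale, 3), unit)

def authorize(client: str, action: str, point: str) -> bool:
    """Deny by default: unknown client, action or point means no access."""
    grants = ACL.get(client, {}).get(action, set())
    return any(point == g or (g.endswith("/") and point.startswith(g))
               for g in grants)

def gateway_read(client: str, protocol: str, address: str, raw) -> Reading:
    """Single choke point: normalize first, then enforce the grant."""
    reading = normalize(protocol, address, raw)
    if not authorize(client, "read", reading.point):
        raise PermissionError(f"{client} may not read {reading.point}")
    return reading

if __name__ == "__main__":
    print(gateway_read("ai-optimizer", "modbus", "40001", 215))
```

Keeping normalization and authorization in one gateway function means each added protocol adapter extends the point map without creating a second, unchecked path to the devices.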
Building trust
These rules are meant to build trust, but often discourage early adoption, especially in smaller buildings, says Karčiauskas.
“Data privacy is essential, but it’s often misunderstood. With the right architecture – things like edge computing, anonymized data, and explainable AI – you can meet all regulatory requirements and still get results. We’ve seen digital upgrades pay for themselves in under 12 months, and still be fully compliant,” he said.
Tools such as SHAP (SHapley Additive exPlanations), which explains AI algorithm outcomes, and federated learning, which trains AI locally without sharing sensitive data, already support privacy-aware, explainable systems. Yet many building owners still hesitate, unsure whether these upgrades will pass audits or qualify for funding.
“Digital retrofits are often judged by the wrong standards,” said Karčiauskas. “Stakeholders expect 100% certainty from AI, but are fine with ‘good enough’ when it comes to insulation. The difference is that AI lets you measure, adjust, and scale quickly. That kind of flexibility is valuable, especially in older buildings. It’s a resilience tool Europe isn’t using enough.”
This is increasingly important as the Energy Performance of Buildings Directive (EPBD) has been revised to promote smart technologies. For example, it requires the installation of building automation and control systems (BACS) in large non-residential buildings by the end of this year, recognizing that advanced control and monitoring can drastically cut energy losses.
However, the EPBD mandate for continuous monitoring and benchmarking implies that BEMS must support standardized data export for national certification platforms and performance reporting. Meeting these obligations has encouraged the adoption of open metadata models like Project Haystack and Brick Schema, though the building automation sector remains fragmented and inconsistent in implementation, say the researchers.
To comply with regulations, buildings seeking smart-readiness or involvement in energy flexibility markets must show their BEMS use accepted standards, driving vendors to adopt open protocols and interoperable designs.
Interoperability can also introduce new cybersecurity vulnerabilities as every additional interface increases the potential attack surface. This is driving the need for robust access controls and secure authentication mechanisms at integration points and means engineers have to strike a careful balance between openness and security to ensure both regulatory compliance and operational resilience.
“Building energy management systems are already helping cut energy use and emissions across Europe. But their real impact shows when they’re connected to secure, compliant AI systems that deliver immediate results. As key EU policy deadlines approach in 2025, the time to act isn’t next year but now,” said Karčiauskas.
The review of the impact of EU Laws on the adoption of AI and IoT in advanced Building Energy Management Systems is at www.mdpi.com/2075-5309/15/13/2160
