3. Background

From RECs to GCs to DeliveryTags

3.1 The Annual REC Era (2001–2022)

For two decades, the global market for voluntary renewable-energy procurement ran on annual-resolution Renewable Energy Certificates: one certificate per MWh of clean generation, with no time stamp finer than a calendar year, and no spatial binding below the market or country level. A corporate buyer could claim “100% renewable” while consuming coal-generated electricity in the dead of night or during a calm, cloudy winter afternoon. The market recognized the shortcoming: voluntary REC prices collapsed to €2–5/MWh, reflecting limited credibility.

3.2 The EnergyTag Era (2022–present)

The EnergyTag Initiative, launched in 2021 and consolidated in its foundational 2023 whitepaper, defined the Granular Certificate (GC): an EAC with time resolution ≤ 1 hour, issued by an EAC Issuing Body against measured generation and cancelled against measured consumption at a Consumption Point. The EnergyTag framework introduced formal roles, Measurement Body, GC Issuer, Registry, Consumption Verification Body, and a detailed principles catalogue (avoidance of double counting, immutability, verifiability, energy storage dual-role handling, UTC time zones, and more).

EnergyTag’s impact is now visible across the industry: Google’s 24/7 CFE program, Microsoft’s 100/100/0 pledge, M-RETS’s hourly certificate pilot in North America, Energinet’s Origin Hub in Denmark, TenneT’s CertiQ roadmap in the Netherlands. The 2023 whitepaper remains the canonical reference for temporal granularity in clean-energy attribution.

3.3 The Spatial Layer

The EnergyTag whitepaper is explicit about its scope: temporal granularity. It defines “Domain” as the geographic region in which GCs are issued and cancelled, typically mapped to a market or country. It does not address transmission congestion, corridor saturation, Power Transfer Distribution Factors, nodal pricing, or Locational Marginal Emissions. These are, by design, left for future work or for complementary frameworks.

In practice, this creates a structural limitation. On a congested grid, a GC can be issued for wind energy that was generated in one region but curtailed at the corridor interface, never reaching the consumption region. A buyer in a congested zone can cancel a GC against a clean MWh produced several PTDF-distant nodes away, while the marginal generator actually serving their busbar remains a coal or gas plant. The temporal principle is satisfied; the physical delivery is not.

Three Forces Making the Spatial Layer Load-Bearing

• Hyperscaler scale. A single 100–500 MW AI data center on a single 400 kV bus is large enough to move the marginal generator at that node. Diffuse matching at the country level no longer reflects the buyer’s actual grid impact.
• Regulatory tightening. EU RED III Article 19 (renewable fuel of non-biological origin criteria for hydrogen), the Inflation Reduction Act Section 45V hydrogen tax credit rules, and the GHG Protocol Scope 2 Market-Based Method revision all push toward geographic + temporal additionality. Nodal proof is becoming a compliance requirement, not a marketing differentiator.
• Available telemetry. TSOs now publish merit-order dispatch logs and PTDF matrices at 15-minute granularity (ENTSO-E Transparency Platform, MAVIR, MISO, ERCOT, PJM). The data required to prove nodal attribution is, for the first time, in the public domain.

3.4 The Market Mandate (GHG Protocol Scope 2 Public Consultation, 2025–2026)

Between 20 October 2025 and 31 January 2026, the World Resources Institute and the GHG Protocol Secretariat ran the first round of public consultation on the revised Scope 2 Standard. The draft revision makes two things mandatory for corporate reporting: hourly temporal correlation (Quality Criterion 4) and deliverability (Quality Criterion 5). Criterion 5 is satisfied through one of three approved pathways, zonal market boundaries, price-differential deliverability, or physical-delivery deliverability.

The third pathway, Alternate methodology 2, is the clause that operationalises physical delivery. Verbatim (consultation document, Section 5.1.2, p. 24):

"A reporting entity may claim consumption of power delivered from any point in an interconnected transmission system if it demonstrates the existence of exclusive rights allocating to the reporting entity or its energy provider the transmission capacity necessary to deliver power bundled with associated energy attributes from the point of generation to the point of consumption. […] Delivery of power and attributes must be demonstrated on an hourly or more frequent basis with no direct counterbalancing reverse transactions."

This clause did not exist in the 2015 Scope 2 Guidance. Its appearance in the 2025 draft reflects a convergence of integrity-camp demand and regulator recognition that annual matching, even layered over high-quality EACs, no longer maps to physical flows.

3.4.1 The Feasibility Gap the Market Identified

The first-round consultation surfaced a consistent objection. The Clean Energy Buyers Association (CEBA), in its 23 May 2025 letter to the Independent Standards Board signed by CEO Rich Powell, stated: "mandatory matching is infeasible in many markets and would hinder energy buyers' efforts to procure carbon emissions-free electricity." WattTime's public position is that the proposed requirements will be "considerably more complex, and in most cases far more expensive." Morrison Foerster's practitioner survey found "nearly 80% of respondents lack confidence in their ability to procure time-matched clean electricity within smaller market boundaries" and "70% stated that their current procurement contracts would no longer be eligible."

These concerns are empirically correct for today's infrastructure. They describe the gap between what the Standard now requires and what market participants can currently prove. They do not describe a permanent limitation, they describe the absence of purpose-built physical-verification infrastructure.

3.4.2 DeliveryTag Maps Clause-by-Clause to Alternate Methodology 2

DeliveryTag v1.2 is calibrated against the published proposed text. The mapping is deliberate, not coincidental:

DeliveryTag does not ask the Secretariat to invent a new category, it supplies the technology the category presupposes.

3.4.3 Protection for Buyers and Sellers Against Greenwashing

The anti-gaming clause, "no direct counterbalancing reverse transactions", is the load-bearing anti-greenwashing provision in the entire deliverability regime. Human-audited registries enforce this post hoc. DeliveryTag enforces it ex ante: a second certificate claiming the reverse flow on the same corridor-hour-MWh triple is rejected by the Guardian policy at the cryptographic layer and cannot be recorded.

For buyers, this means a 24/7 CFE claim is substantiated by the TSO's own operational data, signed hardware, and an Accredited Signer opinion under ISAE 3000, not a self-reported attestation.

For sellers (clean generators, flex loads), it means delivery proof is independently verifiable and cannot be forged by a competitor or arbitrageur. The forensic moat protects both sides of the transaction.

3.4.4 Alignment with Adjacent Frameworks (SBTi, IFRS S2, CSRD, RED III, 45V)

The WRI GHG Protocol revision is the upstream source, but corporate reporters are bound by a broader set of frameworks that inherit from or reference Scope 2 methodology. DeliveryTag maps to each:

DeliveryTag is framework-agnostic by design: the same DT-F certificate serves GHG Protocol Scope 2, SBTi, IFRS S2, CSRD, RED III, and 45V reporting without re-issuance or re-verification, because it carries the union of their evidence requirements natively.

3.4.5 UK Market Context, Existing Flex Infrastructure Meets Nodal Verification

The UK is a distinctive case. As an island system with a single transmission operator (NESO) and a well-developed DNO / DSO flexibility layer, it has the institutional surface for nodal-level attribution but has approached the problem from the opposite direction, dispatch first, verification second. DeliveryTag slots into that stack as the verification-first complement, not as a competing marketplace.

Commercial demand is live, not speculative. Google's UK operations are committed to 24/7 Carbon-Free Energy by 2030; Microsoft, Amazon, and Meta are building UK data-centre capacity against the same shareholder and reporting pressure. NESO's connections queue contains on the order of 50 GW of data-centre demand. DESNZ's AI Growth Zones framework and the Clean Power 2030 programme both treat locational signals as load-bearing.

Constraint economics are already material. UK balancing constraint costs ran £1.9bn in 2023 (NESO) and are trending higher. The Scottish B5 / B6 transmission boundary alone accounts for a material fraction, driven by constrained-off Scottish wind that cannot physically reach southern demand. Every constrained MWh is a nodal-delivery question: the GC timestamp matches but the electrons do not arrive. This is the textbook geography for DeliveryTag's virtual-transmission mechanism (see §5.3), a downstream flex load that reduces demand upstream of B5 / B6 earns PTDF-weighted relief measured in MWh delivered to the buyer's node.

Regulatory trajectory is convergent. DESNZ's Low-Carbon Hydrogen Standard v3 already requires both temporal and geographic correlation for RFNBO eligibility, aligning UK hydrogen policy with EU RED III Article 19. Ofgem's REMA (Review of Electricity Market Arrangements) and NESO's Strategic Spatial Energy Plan both move toward locational pricing signals. The direction of travel is identical to the GHG Protocol Scope 2 deliverability clause, spatial granularity is no longer a US-nodal curiosity.

The UK does not need a new flex marketplace. It needs an interoperable authentication standard that lets UK-dispatched flex service a Scottish wind corridor relief event for a London hyperscaler in a way that survives CSRD and IFRS S2 assurance. That is the gap DeliveryTag fills.

4. Components of a DeliveryTag System

A DeliveryTag system preserves the EnergyTag component architecture and adds two roles: the Dispatch Verification Body and the Nodal Attribution Registry extension.

4.1 Account Holding

Identical to EnergyTag. Producers, traders, and consumers hold accounts in an EnergyTag-compliant registry. DeliveryTag verificates are issued, held, transferred, and cancelled within these same accounts as extension attributes on standard GCs.

4.2 Avoidance of Double Counting

DeliveryTag inherits the EnergyTag double-counting avoidance principle in full. A DeliveryTag attribute set can only be attached to a GC that is itself non-duplicated within the registry. Additionally, because the DeliveryTag binds the certificate to a specific node, the same clean MWh cannot simultaneously be claimed as "delivered" at two different nodes. The nodal binding is exclusive.

Tradability on EAC secondary markets. DeliveryTags are transferable between accounts (Principle 17) but the Node of Attribution is immutable. A DeliveryTag for Node A can be resold to another buyer at Node A, but never re-scoped to Node B. On EAC secondary markets, buyers filter by their node; the marketplace matches sellers who hold certificates attributed to that specific node. This creates node-specific liquidity pools rather than a single fungible market, reflecting the physical reality of grid delivery.

4.3 Issuance

A DeliveryTag is issued by the Integrity Protocol Foundation upon certification by an Accredited Signer, a party qualified to issue a reasonable-assurance opinion under ISAE 3000 (or equivalent). Intended scope includes Big 4 audit practices and ISO 14065 / IAF-MLA accredited validation bodies; engagement of specific signers is contractual and disclosed only once in place. Issuance requires the following independent inputs:

• a valid underlying GC (produced and metered under the EnergyTag framework),
• a TSO dispatch log entry (merit-order data covering the issuance time interval),
• a Power Transfer Distribution Factor attestation from the Dispatch Verification Body, confirming that the named generator or flex curtailment physically relieved the buyer’s node during the interval,
• for US RTO/ISO jurisdictions (MISO, PJM, ERCOT, CAISO, SPP, NYISO), a third-party Locational Marginal Emissions (LME) attestation from an accredited LME provider, quantifying the fossil-marginal emissions displaced by the clean injection or flex curtailment at the specific node and hour (for EU bidding-zone jurisdictions, ENTSO-E and national TSO dispatch data is used instead, as described in the subsection below), and
• an Accredited Signer certification confirming proof integrity and compliance with the DeliveryTag standard.

Issuance timing is jurisdiction-dependent and is bounded by the availability of final settlement data:

4.3.1 Provisional and Final Issuance States

To support the two-speed timing of EU and US markets without forcing buyers to wait 30–45 days for a certificate, the DeliveryTag specification defines two issuance states:

Provisional DeliveryTag (DT-P). A DeliveryTag issued with preliminary dispatch data and a candidate LME estimate. DT-P is valid for internal reporting, PPA settlement, and buyer-side accruals, but is not ISAE 3000 attestable as a final certificate. DT-P is issued at D+1 to D+7.

Final DeliveryTag (DT-F). A DeliveryTag issued after final settlement data and third-party LME attestation are received. DT-F supersedes the DT-P with identical registry serial (same parent GC, same Node of Attribution) and carries the full Causal Dispatch Proof object. DT-F is issued at D+30 to D+45 in US jurisdictions and at D+1 to D+7 in EU jurisdictions where no third-party LME settlement is required.

A DT-P that is not promoted to DT-F within the maximum window (60 days) is automatically voided in the registry and cannot be used for cancellation. A DT-F that materially diverges from its DT-P predecessor (>10% on PTDF relief or >15% on LME) triggers a mandatory correction notice to the offtaker and the Dispatch Verification Body.

This two-state lifecycle mirrors the provisional/final structure already used in RTO settlement accounting (e.g. MISO’s Initial Settlement Statement at T+5 days and Final Settlement Statement at T+55 days) and preserves the EnergyTag principle of cancellation against measured consumption without blocking near-real-time operational workflows.

4.4 Transfer

DeliveryTag verificates transfer as extension attributes on their parent GCs. Transfer between accounts follows EnergyTag transfer semantics. However, transfer does not break the nodal binding: a DeliveryTag continues to attest to its original node of attribution regardless of which account holds it. Buyers may transfer DeliveryTags to affiliates or aggregators but may not re-scope the node of attribution.

4.5 Cancellation and Retirement

DeliveryTags cancel against measured consumption at a specific Consumption Point in accordance with the EnergyTag cancellation principle. Additionally, the DeliveryTag can only be cancelled against consumption that is electrically connected to the node of attribution specified in the certificate. A DeliveryTag issued for node X cannot be cancelled against consumption at node Y, even if the timestamps match.

The node-binding check is enforced cryptographically through the Demand-side PIN (D-PIN) installed at the buyer’s consumption point, which is registered to a specific transmission node in the Guardian policy and signs the cancellation certificate with CRYSTALS-Dilithium before Hedera anchoring. This makes the “node X ≠ node Y” rule a computational constraint, not a procedural one. See Section 4.11.2 for the D-PIN architecture and the three cancellation tiers (Tier 1 full Hepta with D-PIN; Tier 2 attested meter; Tier 3 registry-only).

4.5.1 Claim-Based Allocation at Multi-Buyer Nodes

Most practical grid nodes serve several consumers simultaneously (urban substations, 345 kV collector buses, industrial zones, hyperscaler co-location campuses). When a node’s PTDF-deliverable clean capacity at hour H is less than the aggregate demand of the buyers connected to that node, a resolution rule is required. DeliveryTag uses a market-driven, claim-based allocation with two cryptographic constraints, enforced at the Guardian policy layer:

Issuance constraint. The Guardian policy rejects any DT-F issuance that would push the total issued at (node, hour) above the PTDF-deliverable MWh for that node-hour. This is enforced by the total-node-issuance-check-block against the TSO’s published PTDF matrix. Scarcity at the node is enforced at the source, not post hoc.

Cancellation constraint. Each buyer can only retire DT-Fs against its own verified consumption at the node. In Tier 1 this is enforced cryptographically: the buyer’s D-PIN signs a cancellation bundle and the Guardian policy compares the retired volume against the D-PIN’s attested consumption for the hour. A buyer cannot retire more than it consumed, and cannot retire against another buyer’s consumption. In Tier 2 the same constraint is enforced by an Accredited Signer attestation over the buyer’s metered consumption.

Market allocation. Scarce node-hour DT-Fs are traded on the EAC-compatible secondary markets. Price allocates scarce capacity to the highest willingness-to-pay, naturally serving the most demanding 24/7 CFE commitments first. The protocol does not set the allocation; it enforces the two constraints and lets the market resolve the distribution.

The combination of PTDF-bounded issuance, D-PIN-enforced cancellation, and market-priced allocation makes multi-buyer node attribution fully decentralised, cryptographically verifiable, and privacy-preserving between competing buyers. No buyer needs to disclose its consumption data to another, and the TSO remains a passive publisher of PTDF and dispatch data rather than an active data intermediary.

4.6 Registration

DeliveryTags register in an EnergyTag-compatible registry (e.g. M-RETS, Guarantee of Origin hub, Hedera Guardian topic). Proof data is anchored on Hedera (HCS for consensus, HTS for tokenized certificates). Certificates carrying DeliveryTag proofs trade on the EAC-compatible secondary markets, where buyers access verified 24/7 CFE instruments. The extension attributes required for DeliveryTag registration are:

4.7 Nodal Attribution (New Component)

The Dispatch Verification Body, an independent entity distinct from the GC Issuer and the Measurement Body, is responsible for validating that the TSO dispatch log and the flex-curtailment telemetry are consistent and that the PTDF-weighted relief attested in the DeliveryTag is mathematically sound. Candidate entities include national TSOs, regional system operators (ENTSO-E for the EU), independent grid analytics firms (accredited LME providers for North America), and accredited third-party auditors.

4.8 Causal Dispatch Proof (New Component)

Each DeliveryTag carries a causal dispatch proof: a structured data object containing:

• (i) the TSO merit-order log for the interval,
• (ii) the PTDF matrix row covering the node of attribution,
• (iii) the flexible-load SCADA telemetry that was curtailed or dispatched, and
• (iv) the counterfactual LME calculation.

This object is hashed and anchored in the registry.

4.9 Hepta-Validation™: The Forensic Proof Stack

To ensure verifiability and prevent replication by pure software traders, the DeliveryTag protocol anchors each Causal Dispatch Proof in seven independent Hardware-Verified Event layers, each grounded in a fundamental law of physics:

Layers 1–4 are collected at the edge gateway installed at the flex load facility (not on grid infrastructure). Layer 5 is sourced from independent satellite providers using multispectral imagery. Layer 6 applies Lavoisier’s conservation of mass to verify emissions displacement. Layer 7 is computed from real-time market prices and the facility’s production schedule, establishing the economic baseline that proves curtailment was a genuine financial sacrifice.

Each Hepta-Validation event is signed with a Post-Quantum Cryptographic (PQC) signature (CRYSTALS-Dilithium) at the edge gateway, ensuring tamper-resistance against both classical and quantum adversaries. The signed proof object is then anchored to a Hedera Guardian topic, producing a public, immutable, timestamped record that can be independently verified by any auditor without privileged access. The combination of hardware-verified sensor data, PQC-signed proof objects, and Hedera’s distributed ledger creates a forensic moat that software-only certificate systems are not designed to provide.

4.10 Six Laws of Physics as Verification Infrastructure

DeliveryTag anchors each certificate in six fundamental laws of physics: Kirchhoff’s and Ohm’s Laws (electrical/thermal), Ampère’s Law (magnetic), Newton’s Second Law (acoustic), and Lavoisier’s Law (emissions). This transforms each certificate from a mere accounting document into an unforgeable physical proof.

1. Ohm’s Law and the Thermal Signature (Joule Effect)

Ohm’s Law is inseparable from the Joule effect: P = R × I². When current (I) flows through a cable or machine, resistance (R) converts part of the energy into heat.

2. Ampère’s Law and the Magnetic Signature

Ampère’s Law states that every electric current generates a magnetic field proportional to its intensity. Ohm’s Law determines the current intensity (I) flowing through a circuit for a given voltage (U), and Ampère’s Law translates that current into a measurable magnetic field.

3. PTDFs: Ohm’s Law Applied to the Grid

The Power Transfer Distribution Factors (PTDFs) used to compute the “Virtual Cable” are the mathematical resolution of Ohm’s Law across a complex network. Electricity distributes across all available paths inversely proportional to impedance (Kirchhoff's Laws).

4. Why This Is the Anti-Greenwashing Argument

An energy trader works with LMPs (Locational Marginal Prices), which are economic signals. DeliveryTag works with Ohm’s Law, which is a law of nature.

5. Newton’s Second Law and the Acoustic Signature

Newton’s Second Law (F = m × a) governs mechanical vibration. Industrial equipment (arc furnaces, compressors, turbines) produces acoustic signatures proportional to the forces and accelerations within them.

6. Lavoisier’s Law and the Emissions Signature

Lavoisier’s Law (Conservation of Mass) states that in any chemical reaction, mass is neither created nor destroyed. In combustion: carbon in fuel = carbon in exhaust. This principle underpins emissions verification.

7. The Economic Baseline: Why Financial Sacrifice Matters

Physical verification alone is necessary but not sufficient. A facility that shuts down because spot prices dropped below its marginal cost has not made a sacrifice; it has simply exited the market. For freed transmission capacity to be credible and tradeable, the protocol must prove that curtailment was a deliberate economic sacrifice, that the facility was forgoing real revenue by curtailing.

4.10b The Seven-Step Certification Pipeline

From grid physics to immutable certificate: seven steps transform raw sensor data into a verifiable, auditable DeliveryTag anchored on the Hedera Guardian ledger.

4.11 The Physical Integrity Node (PIN), Supply-side and Demand-side

DeliveryTag uses a dual-PIN architecture: a Supply-side PIN (S-PIN) at the generation or flex-load facility, and a Demand-side PIN (D-PIN) at the buyer’s consumption point. Together they close the forensic chain end-to-end. The S-PIN proves the MWh was produced or curtailed; the D-PIN proves it was consumed at the node claimed on the certificate. Without the D-PIN, cancellation would depend on a human-audited utility meter, which is the same weak link DeliveryTag removes on the supply side.

4.11.1 Supply-side PIN (S-PIN)

The S-PIN is a tamper-evident, industrially sealed hardware unit installed at the point of interconnection (busbar) of each generation or flex-load facility. It is the physical root of trust for issuance-side Hepta-Validation data.

Definition. The S-PIN is an industrial “black box” sealed at the busbar, combining sensor fusion, cryptographic signing, and secure uplink in a single enclosure. It cannot be accessed, modified, or bypassed by the facility operator without breaking the tamper-evident seal, which invalidates all subsequent certificates.

Sensor fusion. The S-PIN aggregates four real-time sensor streams at the point of measurement:

• Electrical: Revenue-grade IEC 62053-22 Class 0.2S current/voltage measurement at 15-min intervals
• Magnetic + Frequency: Fluxgate magnetometer measuring magnetic field (Ampère’s Law) + frequency analyzer monitoring 50/60 Hz grid frequency deviations (Faraday-Tesla Law, AC frequency) at the flex load facility feeder conductors
• Thermal: FLIR infrared sensor capturing the Joule-effect thermal signature (Ohm’s Law) at the flex load facility equipment
• Acoustic: Decibel array monitoring mechanical vibration of industrial equipment

Post-Quantum Cryptographic (PQC) signing at the source. Every 15-minute sensor bundle is signed inside the S-PIN using CRYSTALS-Dilithium (NIST FIPS 204), a lattice-based digital signature algorithm resistant to both classical and quantum adversaries. The private key is generated and stored in the S-PIN’s secure element and never leaves the device.

4.11.2 Demand-side PIN (D-PIN)

The D-PIN is the mirror-image hardware unit installed at the point of interconnection of the buyer’s consumption site, typically the main busbar or service entrance of a hyperscaler data center, industrial facility, or aggregated flex-load pool. Its role is the cancellation counterpart to the S-PIN’s issuance proof.

The D-PIN performs three functions:

1. Consumption measurement. Revenue-grade IEC 62053-22 Class 0.2S metering at 15-min intervals, signed inside the D-PIN with CRYSTALS-Dilithium and anchored on Hedera.
2. Node binding proof. The D-PIN’s device certificate is registered to a specific transmission node in the Guardian policy and is cryptographically bound to the buyer’s TSO interconnection agreement. A DeliveryTag issued for node X can only be cancelled against a D-PIN registered at node X. Registry-level binding plus hardware-level PQC signing make node spoofing computationally and physically infeasible.
3. Counterbalance check. The D-PIN signs a cancellation certificate that goes onto Hedera alongside the issuance certificate. The Guardian policy rejects any second cancellation against the same consumption hour on the same D-PIN, enforcing the “no direct counterbalancing reverse transactions” clause from WRI Alternate Methodology 2 (see Section 3.4).

D-PIN sensor stack. Unlike the S-PIN, which carries the full seven-layer Hepta-Validation stack to prove curtailment events, the D-PIN answers a narrower question: “did this buyer consume N kWh at this node during this hour?” This requires only three of the seven Hepta layers, with a fourth optional for reasonable-assurance engagements.

Layers 5 (Spatial/SAR), 6 (Emissions), and 7 (Opportunity Cost Oracle) are not applicable to the D-PIN. They are S-PIN-specific proofs of curtailment and generation events.

Every D-PIN shares the same cryptographic core as the S-PIN: a secure element generating and storing a CRYSTALS-Dilithium private key that never leaves the device, a tamper-evident seal that zeroises the key if broken, a GPS-disciplined UTC time source for 15-min interval alignment, and a hardened uplink to the Guardian relay. The lighter sensor set means D-PIN CapEx is materially lower than S-PIN CapEx, which is what makes Tier 1 deployment practical at hyperscaler scale.

Deployment and Regulatory Footprint

The D-PIN is a passive measurement device installed on the buyer’s side of the utility revenue meter. It clamps non-invasively onto the buyer’s own conductors (CT/VT tap, fluxgate on the feeder), signs bundles inside the tamper-sealed enclosure, and pushes signed telemetry via an outbound uplink. It does not inject power, control loads, or interact with the grid operator’s equipment. Its regulatory category is identical to a commercial power-quality monitor, a tenant sub-meter, or a Building Energy Management System.

Required for deployment:

• UL listing (US) or CE marking (EU) on the hardware, provided once by the manufacturer
• Licensed electrician to perform the physical install (four to eight hours of work per site)
• Local electrical inspector sign-off under the applicable electrical code (NEC in the US, national code in the EU); typical one-day turnaround

Not required:

• Utility or transmission-operator approval
• PUC or PSC filing (US state), or FERC notification (US federal)
• TSO interconnection study (EU or US)
• Any form of grid-operator sign-off

For audit-grade deployment (Tier 1), the Accredited Signer additionally witnesses the install, verifies the CT/VT tap points and tamper seal, photographs the installation for the ISAE 3000 evidence file, and issues the AssuranceAccreditation VC that binds the device’s Dilithium public key to the claimed transmission node.

Strategic consequence. Because the D-PIN sits entirely on buyer-owned property, hyperscalers and large industrial buyers can deploy unilaterally, without negotiating with the serving utility or entering a regulatory docket. Time to deploy is measured in weeks per site, and sites can be onboarded in parallel across an entire portfolio.

Multi-POI and Multi-Source Configurations

A single buyer may operate multiple D-PINs under one Buyer DID when the site has redundant feeders (two POIs at the same node) or dual-fed service (two POIs at different transmission nodes). Each D-PIN registers against its own tso_interconnection_node. At cancellation, the Guardian policy matches each DT-F to the D-PIN whose node equals the certificate's node_of_attribution, and sums D-PIN-attested consumption when multiple feeders serve the same node. Certificate-level generator provenance (nuclear, wind, solar) is preserved by the DT-F's immutable fields (generator_did, generator_node_of_injection) and is independent of which D-PIN the certificate retires against: a nuclear-backed DT-F and a solar-backed DT-F can both retire against the same D-PIN in the same hour, provided the sum of retirements does not exceed the D-PIN's attested consumption and each certificate's node_of_attribution matches a registered D-PIN. Physically source-segregated internal loops (“green loops”, where a tenant or use case is fed only by specific generation types) can be served by dedicated sub-D-PINs registered under the same Buyer DID if the buyer requires loop-level claim attribution.

4.11.3 Deployment Tiers

Not every reporter requires a D-PIN in every deployment. The specification defines three cancellation tiers matching audience requirements:

Tier 1 is the default for DeliveryTag-issued certificates. Tier 2 is available during the transition window (2026, 2028) to support buyers whose infrastructure cannot yet accommodate a D-PIN. Tier 3 covers operational or internal reporting only.