BRUSSELS, Belgium (Tuesday 29 April 2025): Amid increasing attacks on energy infrastructure in Europe, energy security measures are becoming a pivotal element of a modern EU energy system. Current efforts are, however, focused on traditional energy infrastructure such as large, centralised power plants.
To accelerate the transition to a smart, digitised renewables-based energy system, the European solar sector has issued strong recommendations to EU policymakers and regulators to address cybersecurity risks associated with its technology in an increasingly digital energy system. Solar PV systems are digitalised and increasingly connected to the internet via inverters. A new report, produced by DNV and commissioned by SolarPower Europe, performs a comprehensive risk assessment for the sector and offers clear remedies:
- Develop and mandate industry-specific cybersecurity controls, for example via a Standard, for securing remote-controlled solar PV infrastructure.
- Limit remote access and control of EU solar PV systems from outside the EU via the inverter.
Solutions for PV Cyber Risks to Grid Stability
Unlocking the benefits of digitalised energy. Solar specific cyber standards. Limiting remote access of solar assets.
Walburga Hemetsberger, CEO of SolarPower Europe (she/her) said: “Like any technological revolution, digitalisation presents incredible opportunity, for example, energy system cost savings of €160 billion per year. It also comes with new challenges, like cybersecurity. We didn’t need anti-virus protection for a typewriter – but we do need it for our laptops. As a responsible, forward-looking sector, we have mapped the cybersecurity challenge, and we’re rising to meet it with clear, comprehensive solutions.”
The report notes that Europe’s move away from an energy system dependent on a few, high-impact targets, to a more decentralised system, offers clear energy security benefits. To maximise this benefit, cybersecurity legislation – which focuses on that legacy, centralised energy infrastructure – needs to be updated. It must address the specific security needs of distributed energy sources, like smaller rooftop solar installations. The report also notes that although the solar sector has been targeted by cyberattacks, these do not compare to those seen in other parts of the energy sector, where industrial espionage, ransomware, and attacks leading to public grid blackouts have occurred with increasing frequency over the past decade.
In analysing risk, the report highlights risks from direct controls on inverters, e.g. intended for providing grid services, and updates, e.g. intended for security updates. On the one hand, it finds that utility-scale installations are more secure. They’re often managed by experienced utilities and covered by the EU’s NIS2 Directive. On the other hand, small-scale solar systems, which are often rooftop installations, lack stringent cyber rules. They are connected to the clouds of manufacturers, installers, or service providers. While the impact of compromising a single installation is low, when aggregated for power system efficiency, they become virtual power plants of significant scale.
The report states that a targeted compromise of 3 GW of generation capacity can have significant implications for Europe’s power grid. The analysis reveals that over a dozen Western and non-Western manufacturers control significantly more than 3 GW of installed capacity today. As a consequence, of the 14 risk areas evaluated in the report, 5 areas are categorised as medium risk, 6 areas are high risk, and 3 areas are critical risk. The measurement of risk combines severity of impact and probability. While adopted EU legislation like the Cyber Resilience Act, NIS2 Directive, and the Network Code for Cybersecurity (NCCS) mitigates some of the risk, SolarPower Europe outlines a clear pathway to achieve ‘low risk’ status on all 14 risk areas.
To return to a ‘low’ risk category for cybersecurity, the report recommends two overarching solutions. The first would ensure that existing laws on cybersecurity are specific enough to the needs of the solar sector. The second would introduce new rules that keep the control of relevant solar systems via inverters within the EU or jurisdictions that can provide an equivalent level of security.
On the second solution, the report recommends following an approach similar to GDPR rules, where control of aggregated distributed devices, like small-scale rooftop solar systems, should only take place in regions judged equivalent in security to the EU. This should be implemented through the EU NCCS or another new fast-track procedure. High-risk entities would then be required to develop cyber solutions which would be monitored and approved by the competent authorities.
Note
- This report was written by DNV and commissioned by SolarPower Europe. The publication was drafted with the technical input of the European Inverter Forum and adopted by the SolarPower Europe Board.
- According to Mission Solar 2040 modelling, a digital, flexible, and electrified energy system would save EU energy system costs by around €160 billion annually by 2040.
- This report follows SolarPower Europe’s position paper on cybersecurity from July 2024.

Questions? Get in touch.
Bethany Meban
Head of Press and Policy Communications