As energy infrastructure attacks increase in Europe, energy security is becoming a critical focus for the modern EU energy system. However, current efforts primarily target traditional, centralized power plants.

To advance the shift toward a smart, digitized, renewables-based energy system, the European solar sector has urged EU policymakers and regulators to address the cybersecurity risks posed by digitalized solar technology. With solar PV systems increasingly connected to the internet via inverters, a new report by DNV, commissioned by SolarPower Europe, provides a comprehensive risk assessment and offers actionable recommendations:

• Develop and mandate industry-specific cybersecurity standards to secure remote-controlled solar PV infrastructure.
• Limit remote access and control of EU solar PV systems from outside the EU via inverters.

Walburga Hemetsberger, CEO of SolarPower Europe, highlighted that while digitalization offers significant opportunities, like €160 billion in annual energy savings, it also presents cybersecurity challenges. She stressed that the sector is proactively addressing these risks with clear and comprehensive solutions.

The report highlights that Europe’s shift from a centralized energy system to a more decentralized one brings clear benefits for energy security. To fully leverage these benefits, cybersecurity legislation, which currently focuses on centralized infrastructure, must be updated to address the unique security needs of distributed energy sources, such as small rooftop solar systems. While the solar sector has faced cyberattacks, these are not as severe as those in other parts of the energy industry, where industrial espionage, ransomware, and attacks causing grid blackouts have become more common in recent years.

The report highlights risks from direct control over inverters and security updates. While utility-scale installations are more secure due to experienced management and NIS2 Directive coverage, small-scale rooftop systems lack strict cybersecurity rules. Connected to manufacturers’ or service providers’ cloud networks, these systems, though individually low-risk, can aggregate into virtual power plants affecting overall power system efficiency.

To lower the cybersecurity risk category, the report recommends two main solutions. The first is to ensure that current cybersecurity laws are tailored to the specific needs of the solar sector. The second is to implement new regulations that restrict the control of solar systems via inverters to the EU or jurisdictions with comparable security standards.

For the second solution, the report suggests adopting a model similar to GDPR, where control over aggregated distributed devices, such as small-scale rooftop solar systems, should be limited to regions with security standards equivalent to those of the EU. This would be enforced through the EU NCCS or another expedited process. High-risk entities would be required to create cybersecurity solutions, which would be monitored and approved by the relevant authorities.