A new report, commissioned by SolarPower Europe, highlights the cybersecurity risks for the EU’s growing solar energy generation
Existing frameworks cover centralized power plants but don’t really address possible threats for small-scale DERs
The report writers recommend tailored policy approaches, including restricting remote inverter access from outside Europe, to protect solar PV systems
As digitalization takes over the solar power systems, the European Union (EU) solar PV industry demands that policymakers and regulators develop and mandate industry-specific cybersecurity controls. This includes limiting remote access and control of the bloc’s solar PV systems from outside the EU via the inverter.
These are some of the recommendations made by a DNV-written and SolarPower Europe (SPE) commissioned report titled Solutions for PV Cyber Risks to Grid Stability. The association previously published a position paper in July 2024, demanding a cybersecurity standard for the secure operation of solar components like inverters and distributed energy resources (see SolarPower Europe Calls For Focus On Cybersecurity).
The release of this report coincides with the major power outage experienced in Spain and Portugal on April 28, 2025. While the jury is still out on what caused this massive blackout, possibly a ‘rare atmospheric phenomenon’, these episodes can also be caused by criminals and nation-state attackers. Hence, these reinforce the fact that cybersecurity needs to be dealt with immediately.
According to the report writers, there are broad regulatory frameworks such as the Network and Information Security Directive (NIS2) and the Network Code on Cyber Security (NCCS) among others that cover traditional energy infrastructure. This includes large, centralized power plants. However, these do not necessarily address the distributed energy sources (DER) — such as rooftop solar — that are important, as these reduce dependence on the grid and on single high-impact targets.
Though the bloc has a Cyber Resilience Act (CRA) that applies to all products with digital elements sold within the EU and also applies to installers, the writers believe this is limited in addressing the full end-to-end infrastructure.
Many rooftop PV systems and DERs are managed by homeowners or small businesses, making them too small to be classified as critical infrastructure usually required to be managed by utilities. These systems largely resemble Internet of Things (IoT) devices rather than centralized energy infrastructure. Therefore, as the writers point out, traditional industrial cybersecurity measures often don't apply.
They recommend that the EU bring in ‘tailored approaches’ to address the unique cybersecurity challenges posed by these systems in the EU.
A cyberattack on merely 3 GW of energy generation could seriously affect Europe’s power grid, according to the report. More than a dozen manufacturers control far more than this installed capacity currently. Out of the 14 risk areas evaluated in the report, 5 areas are categorized as medium risk, 6 areas are high risk, and 3 areas are critical risk.
Such factors make it imperative that policymakers take action to address cybersecurity gaps in grid-relevant devices, it adds.
“Like any technological revolution, digitalisation presents incredible opportunity, for example, energy system cost savings of €160 billion per year. It also comes with new challenges, like cybersecurity,” said SPE CEO Walburga Hemetsberger. “We didn’t need anti-virus protection for a typewriter – but we do need it for our laptops. As a responsible, forward-looking sector, we have mapped the cybersecurity challenge, and we’re rising to meet it with clear, comprehensive solutions.”
The complete report is available for free download on SPE’s website.