European Commission publishes draft revision of the Cybersecurity Act

SolarPower Europe Statement

20 January 2026

Today in Strasbourg, the European Commission published a draft revision of the EU Cybersecurity Act. The draft would give the European Commission the power to identify cybersecurity risks and mandate mitigation measures, following the outcome of comprehensive risk and impact assessments. 

The draft follows the publication of SolarPower Europe’s ‘Solutions for PV Cyber Risks to Grid Stability’ report with DNV, which calls for the EU to: 

 

  1. Develop and mandate industry-specific cybersecurity controls, for example via EU-wide standards and protocols. 
  2. Limit remote access and control of EU solar PV systems from outside the EU via the inverter.

 

SolarPower Europe has issued the following statement in reaction. 

 

Dries Acke, Deputy CEO of SolarPower Europe (he/him):  

 

“It is very good that the European Commission takes cybersecurity topics seriously. As we underline in our ‘Solutions for PV Cyber Risks to Grid Stability’ report with DNV, a 21st century economy calls for 21st century security.

 

The key remains to have robust EU-wide standards and protocols for cybersecurity that apply to all digital components and companies active on the European energy market. Europe needs to be resilient to all types of attacks from all sides. 

 

As the solar-specific risk and impact assessment on cybersecurity is ongoing, we look forward to continuing the constructive cooperation with the Commission, and engage with the renewed mandate of ENISA, as well as through the streamlined European Cybersecurity Certification Framework.”

 

Notes 

 

The European Commission Solar PV impact and risk assessment on cybersecurity is ongoing and expected to be delivered this year. 

 

SolarPower Europe & DNV report

 

In April 2025, SolarPower Europe published its ‘Solutions for PV Cyber Risks to Grid Stability’ report. Commissioned by SolarPower Europe and written by DNV, the report highlights risks from direct controls on inverters, particularly those which are part of small-scale solar systems. While the impact of compromising a single installation is low, when aggregated for power system efficiency, those small installations become virtual power plants of significant scale.

 

The report states that a targeted compromise of 3 GW of generation capacity can have significant implications for Europe’s power grid. The analysis reveals that over a dozen Western and non-Western manufacturers control significantly more than 3 GW of installed inverter capacity today. As a consequence, of the 14 risk areas evaluated in the report, 5 areas are categorised as medium risk, 6 areas are high risk, and 3 areas are critical risk. The measurement of risk combines severity of impact and probability.

 

To return to a ‘low’ cyber risk category, the report recommends two overarching solutions. The first would ensure that existing laws on cybersecurity are specific enough to the needs of the solar sector. The second would introduce new rules that keep the control of relevant solar systems via inverters within the EU or jurisdictions that can provide an equivalent level of security.

 

Learn more about the report here.

Questions? Get in touch.

Bethany Meban
Head of Press & Policy Communications
