‘A growing sense of threat’ underpins EU’s cybersecurity act revision

We spoke to cybersecurity experts about what the bill will do, and what it has proposed.

‘A growing sense of risk’

The CSA proposal outlined plans to identify “high-risk” countries and high-risk suppliers and exclude them from critical EU digital supply chains. The model comes largely from its existing restrictions on 5G networks, where it has restricted Huawei’s access, as well as efforts to address supply dependencies on single countries or suppliers, which for renewable energy will mostly mean China. “The EU’s risk mitigation logic in 5G is the right mindset to replicate in renewable connectivity architectures,” says Rafael Narezzi, CEO and co-founder of cybersecurity firm Cyber Energia.

Uri Sadot, founder of SolarDefend and chairman of SolarPower Europe’s digitalisation workstream,  expects the revised cybersecurity act to “have teeth”.

Europe is on a new security footing, with military and defence spending increasing in the face of heightened geopolitical tensions and a push for self-reliance. “There’s a growing sense of risk, there’s a growing sense of threat and there’s an impressive level of expertise within the Commission to understand this paradigm shift from centralised power generation to decentralised,” Sadot says. He is part of the technical risk assessment group currently working to develop recommendations for the CSA’s measures on energy.

The CSA proposal references solar inverters, where it warns that “kill switches could be used to negatively impact the availability of communication networks and electricity grids” – a reference to a Reuters story from this year. This shows meaningful intent, Sadot suggests, as do the aggressive timelines for implementation that the Commission set out.

Existing infrastructure

The ongoing risk assessment process has to decide what to do about solar infrastructure already deployed in Europe that carries cybersecurity risks. Inverters are the key here. For utility-scale projects, there will likely be technical fixes, Sadot says. “You have a firewall, you have a network, electrical switches and inverters and meters…inverters are just one piece in the broader system,” he says. “Even if you don’t trust the inverter, you can compensate for it through a stronger firewall or a stronger inspection routine.”

The US did this by banning Huawei inverters but keeping many of them physically in place and imposing restrictions around them.

“I think rip and replace [removing high-risk inverters] is going to be the nuclear option [the Commission] is really going to try and avoid,” he says. “They’re going to try and avoid industry disruption and business disruption as much as possible. It’s more likely that cyber companies and solutions will emerge.

“But if you think about a big plant with different components and you squeeze all of that into a shoebox, you have a residential inverter,” he says. “It’s much harder to see how you could introduce additional protections or controls into that box.”

This could be a headache for risk assessment and politicians and might result in “rip and replace” plans for small-scale PV installations. No politician will want to tell 100,000 people that they need to replace their inverter or home battery and buy a new one because it poses a cybersecurity risk, however sensible the idea might be. The Lithuanian government capped its 2024 rip and replace plans for inverters at 100kW to avoid annoying climate-conscious voters in an election year.

“I’m not too optimistic about solutions for residential and commercial, I think that’s going to be a very hard technical problem to solve,” Sadot says.

But the cybersecurity risk of those small residential and commercial systems is significant. Residential inverter suppliers like SMA Solar or SolarEdge control millions of systems across Europe from a single control centre, and virtual power plant (VPP) companies can operate multiple gigawatts of capacity across countless small installations. “It’s counterintuitive, but small systems are controlled from a central point,” Sadot explains, “It’s like ‘one ring to rule them all’; one data centre controls who knows how many systems.”

PV Tech heard that the Commission may consider extending its regulatory authority to PV systems below 1MW, though we were unable to find conclusive proof of this in the CSA proposal. This change could potentially prove dramatic for residential and other distributed PV systems, bringing hundreds of thousands of inverters from firms like Enphase, SolarEdge and SMA Solar under the regulatory eye of the Commission’s Network and Information Systems (NIS) directive, a 2016 cybersecurity legislative package. We have contacted the European Commission for clarity on these rumours.

US-Europe relations

One particularly sticky point might be cybersecurity threats that come from the West rather than the East. The EU’s digital infrastructure is heavily reliant on US software and networks, and relations between the two have soured in recent months. We don’t have details on “high-risk” dependencies yet, and active cyberattacks on Europe from US technology seem highly unlikely, but US tech firms that are deeply enmeshed in Europe’s infrastructure could raise concerns.

Any changes with the US likely won’t begin with solar inverters, due to the entanglement between the two in this respect, Sadot says: “If you were to consider a decoupling of European and American technology, it’s probably not going to start from inverters. Europe and America have a lot of reciprocity in that sense; there are a lot of Fronius and SMA inverters in America, and you have Siemens and Schneider Electric. The two economies are much more entangled, and so are the grids.”

Far more likely under the microscope are firms like Palantir and Oracle with explicit ties to the US administration, and the fact that the two countries are linked through cloud services, AI, phones, laptops and almost everything else. Were any broader disentanglement of the EU from US tech dominance to happen, this could reach the solar industry eventually, Sadot suggests.

New certificates

The CSA also proposed streamlined EU-wide cybersecurity certifications, with plans to introduce a certification within 12 months with a broader scope that will include corporate cybersecurity practices alongside government action.

Narezzi argued before the proposal was released that a successful certification scheme should adopt the same framework as the banking industry, where cybersecurity is seen as a “core operational risk… and their licence to operate is explicitly tied to regulatory compliance”.

“If energy systems are critical infrastructure, then cybersecurity can’t remain a best-effort exercise,” he continued. “I believe that you need to link cybersecurity obligations to the right to operate, which means board-level responsibility for cyber risk, mandatory governance and reporting, not just audits, and enforcement mechanisms that incentivise prevention, not reaction.”

The Commission’s certification plans haven’t gone this far yet, but a broader EU-wide certification scheme with real authority and technical requirements behind it could potentially make a real difference. As with many certifications or standards, it risks becoming a badge for good behaviour rather than a meaningful part of industry security, but Sadot, who says he has “been frustrated by standards and certifications”, says that including technical requirements and potentially vetting for non-EU companies could lead to a regulation with muscle.