Date: 2025-12-23

As part of its year-in-review series, PV Tech spoke to Uri Sadot, head of the digitisation workstream at SolarPower Europe and MD of cybersecurity consultancy SolarDefend, about how security concerns finally went “mainstream” in 2025, and what can be done to improve solar cybersecurity.

PV Tech: What are some of the cybersecurity risks that affected European solar PV in 2025?

Uri Sadot: 2025 was the year solar-sector cybersecurity went mainstream. We saw real-world attacks on solar, such as the attack on 22 Ignitis customers in Lithuania, and others reported in Ukraine.

But more importantly, the major shift in 2025 was in awareness. Analysts like Forescout, DNV and DERsec showed how deeply the grid now depends on solar assets. Security researchers demonstrated how easily these systems can be compromised. Global media reported on alleged backdoors in commercial inverters, casting doubt on the integrity of the globalised supply chain.

By late 2025, parliamentarians, members of Congress and the European Commission itself had all launched formal inquiries and risk assessments into the solar sector. Financing bodies like development banks began introducing cybersecurity baselines into their project financing checklists. Bottom line, cybersecurity in solar stopped being a niche concern and became a top-of-mind issue for major industry stakeholders.

How can these risks be mitigated? Is the emphasis on regulators to provide more robust cybersecurity legislation, or on individual companies to make their products more secure?

No single silver bullet. Lawmakers are trying to create a set of minimum requirements, and to incentivise greater investment through various incentive mechanisms like the Net-Zero Industry Act (NZIA). Grid operators are developing their own reliability baselines for granting interconnection permits, which include cybersecurity considerations.

Independent Power Producers (IPPs) too are placing bigger budgets to meet the requirements of NIS 2 (EU) and NERC CIP 15 (US). Investors are now factoring cyber risk into their investment procedures just as they do with considering burglary risks, fire risks or extreme weather damage risks, and demand projects include protections. When it comes to residential solar products, the main responsibility falls on the inverter original equipment manufacturer (OEM) to ship out secure inverters and batteries.

Is there something of a chicken-and-egg situation between more robust policy requirements and desire within the industry to improve cybersecurity compliance?

Companies will generally go for the bare minimum allowed by law. However, there are always a few who seek to differentiate and invest more in security as a quality premium offering. Sometimes it’s big firms who are afraid of brand impact, and sometimes it’s operations and maintenance companies (O&Ms) who wish to differentiate by providing premium services like solid NIS 2 compliance.

There is definitely a virtuous cycle between regulatory requirements and industry standards, which push each other upwards. Regulators avoid going too far ahead of present industry practices, and always seek feedback from industry before raising the bar.

Where I see us at present in Europe is that NIS 2 forces many small-medium companies to think through their risk postures. You see a lot of new hiring of internal security teams and consultants, who usually start by fixing the most glaring gaps like unauthorised remote access.

How will the shift towards smaller-scale solar projects affect cybersecurity concerns?

Generally speaking, solar plants in Europe are much smaller than in the US, especially in the 1-5MW category. And what we are seeing is that regulatory thresholds are moving to include smaller solar projects. Suddenly, you have hundreds, maybe thousands, of new companies that are getting regulatory attention.

This change will require smaller projects to undergo audits and inspections, after many years of operating ‘under the radar’, which led to ‘cyber anarchy’ in many power plants. This is true for utility-scale solar parks.

For residential and light commercial projects there is a very different dynamic. Such small installations are typically under the responsibility of a small company or a homeowner, and regulators do not expect consumers to make any investment to protect the national grid. For that segment, the Cyber Resilience Act, which goes into effect in the coming two years, will place a lot of new responsibilities on OEMs of residential systems. But we are still waiting to see what EU-level decisions on remote controllability of such systems from outside Europe will be. It may be a dramatic decision, or it may not.

What policies are in place, or in the pipeline, for the European solar sector?

There is lots in the pipeline. In the second half of 2025 there was considerable research work done by regulators. This work will likely turn into guidance and even binding rules throughout 2026. For example, Europe’s transmission system operators (TSOs) and grid operators are expected to introduce cybersecurity standards in the next revision of the network code. This means that if a solar developer or engineering, procurement and construction company (EPC) doesn’t meet these rules, they won’t receive an interconnection permit to sell their electricity over the public grid.

We are also seeing many banks and investors ‘tighten the screws’ on what cyber protection they want to see, to protect their investment. You can think of it like an insurance requirement to build a fence around the plant against burglars, if you want to get insured and financed.

What would be the single most significant thing that could happen in 2026 that would advance either your own organisation or the wider market, or both?

One of the biggest open questions is whether the EU Commission will set limitations on Chinese imports or not. We have seen this dynamic play out in the telecommunications sector, and there are now similar discussions taking place in solar. That is not a technical cybersecurity question, but rather a question of geopolitical trust.

We are also seeing open questions on the technical cybersecurity side of things. What will be the level of requirements for solar asset owners by NIS 2? How stringently will they be enforced? How standardised will they be across the 27 member states? These are the primary questions to watch out for in 2026.

