European solar cybersecurity needs superior implementation, says SolarPower Europe

Facebook
Twitter
LinkedIn
Reddit
Email
SolarPower Europe executives.
‘We need to clearly change the parameters of energy security that we have in Europe,’ said SolarPower Europe CEO Walburga Hemetsberger (fourth left) this morning. Image: SolarPower Europe.

Reassessing the role distributed solar operators and installers have to play in minimising cybersecurity risks, and developing legislation to support these parts of the European solar industry, could have a significant impact on the ability of the European solar industry to protect itself from cyberattacks.

These are some of the conclusions drawn by SolarPower Europe and DNV, which co-authored and today published a report into European cybersecurity. The report, ‘Solutions for PV Cyber Risks to Grid Stability’, identifies inverters as a critical piece of cybersecurity infrastructure; speaking on a panel hosted by the trade body to launch the report, SMA Solar director of global public affairs Eric Quiring dubbed inverters the “heart and brain of the power plant”.

This article requires Premium SubscriptionBasic (FREE) Subscription

Unlock unlimited access for 12 whole months of distinctive global analysis

Photovoltaics International is now included.

  • Regular insight and analysis of the industry’s biggest developments
  • In-depth interviews with the industry’s leading figures
  • Unlimited digital access to the PV Tech Power journal catalogue
  • Unlimited digital access to the Photovoltaics International journal catalogue
  • Access to more than 1,000 technical papers
  • Discounts on Solar Media’s portfolio of events, in-person and virtual

Or continue reading this article for free

The report notes that simulations have shown that an attack made against just 3GW of inverter capacity could have “significant implications” for Europe’s power grid, a warning that is all the more stark considering this week’s blackout in Spain and Portugal.

While Ryan Davidson, principal engineer for grid cybersecurity at DNV, suggested today that there have only been “reports” of this event being tied to a cyberattack, and that “at the moment all we can do is sit and wait” to learn more, the incident has once again refocused attention on the effectiveness and reliability of Europe’s power grid. Last year, a report from Ember found that Europe’s grids would lack capacity for over 200GW of solar power alone by the end of the decade.

The report also points out that the vast majority of inverter manufacturers have much greater manufacturing capacity than just 3GW, suggesting that should even a single inverter manufacturer fall to a cyberattack, Europe’s grid as a whole could suffer. The crucial importance of inverters to Europe’s grid, and the fact that inverter manufacturers are vulnerable in this way, means that the risks are “above acceptable limits”, according to the SolarPower Europe and DNV report.

Distributed energy challenges

At the panel discussion held this morning, speakers pointed out that improving European solar cyber-resilience is not as simple as imposing new legislation, due to the increasingly distributed nature of European solar.

While 2024 marked a significant slowdown in new capacity installations, particularly in the distributed sector, the residential rooftop sector alone still added 12.8GW of operating capacity, and SolarPower Europe still expects Europe’s cumulative installed solar capacity to exceed 800GW by the end of the decade.

This growth in distributed system deployments means that, increasingly, members of the public and commercial and industrial managers—that is, people who may not have access to specialised cybersecurity training—are increasingly shouldering the burden for ensuring Europe’s solar systems are protected from cyberattacks.

“The regulators have and tried to take on those challenges,” said Quiring. “While I wouldn’t say this was a market failure, the development of solar was so quick, at SMA we [tackled] those challenges over time.”

“The connected solutions we see in the solar field were initially not covered by the design of central power plants,” continued Quiring, highlighting how new solar projects particularly in the distributed sector or that rely on connected devices and Internet of Things technology, are not affected by both the design of and legislation covering traditional centralised power plants.

There are also gaps in the legislative framework itself. The report points out that the components of many PV systems, such as inverters used in distributed systems, are too small to be classified a “critical infrastructure,” so are excluded from some existing regulations, and are not the responsibility of utilities to manage.

As a result, simply expanding and enforcing existing legislation may not be sufficient; a broader rethinking of its purpose and scope, and which people and products it targets, may be necessary.

“We need to clearly change the parameters of energy security that we have in Europe,” said SolarPower Europe CEO Walburga Hemetsberger, who introduced a presentation on the report. “Traditionally we focused on the diversification of fossil fuel supplies. The new focus has to be on electrification, powered by abundant European renewables.”

Delivering practical change

Of course, if distributed system operators are to become an increasingly integral part of the European cybersecurity landscape, training and empowering those people to better manage their systems is an obvious starting point.

“What we do at corporate level is train employees,” explained Quiring. “Start with awareness and monitoring the system, helping customers to improve their own security level on both an individual level and on a corporate level.”

“Ideally we wouldn’t have to rely on the homeowners to take steps, but it’s important they do,” agreed Davidson. “They can do certain things like maintain basic cybersecurity hygiene so there’s some kind of access control. From the end user perspective they’re going to have access to comfort services for monitoring or collecting data on their phones or computers, so they want to have passwords for that, and [use] private networks.”

In addition to more comprehensive training, effectively implementing existing legislation could make a significant impact on European solar cybersecurity, according to Felipe Castro-Barrigon, cybersecurity policy officer at the European Commission, who also spoke on the panel. Castro-Barrigon said that legislation such as the EU’s Cyber Resilience Act (CRA), which sets cybersecurity requirements for hardware and software sold in the EU, is theoretically very effective, but that it needs to be better implemented.

“We need to differentiate [between] the existence and comprehensiveness of legislation and the implementation of this existing legislation, and how gaps may come, from the legislation itself or from implementation,” said Castro-Barrigon. “When we look at the existing framework there is a common understanding that it is relatively comprehensive.

“If you look inside you can find more or less all of the elements Ryan Davidson was describing, from device security to supply chain and remote access. It’s relatively recent—implementation is ongoing—so we need to see what is inside versus what can be done and how it will be done.”

Global risk assessment

Many of the difficulties in implementing these rules stems from the fact that connected systems over transcend national and international boundaries. The report notes that the cloud servers that drive inverter function “are assumed to be commonly hosted outside the EU”; while DNV notes that Tier-1 manufacturers typically use servers based in Europe, this remains a potential vulnerability as “inverters can be operated via these cloud servers without any restriction of the host following EU legislation”.

When asked about the prospect of Chinese inverters, deployed in markets such as Europe, being used as a lunch pad for cybersecurity attacks, Davidson noted that “there has been a lot of media attention” on the potential for such an event.

Figures from Rystad Energy suggest that China accounted for 68% of the world’s inverter manufacturing capacity in 2023, with Asia as a whole responsible for 77%. While Davidson described the prospect of China using inverters to launch cybersecurity attacks as “very unlikely”, this significant imbalance in the global supply chain still presents a cybersecurity risk.

“This would essentially be economic suicide for any manufacturers that would support this, and generally these manufacturers oppose the economic strategy of China at the moment. Also for China there would be pretty significant geopolitical implications of an attack like this; it’s bordering on this grey area of an act of war or an act of aggression, so that would stress geopolitical tensions quite quickly.

“At the current landscape it doesn’t seem like this is a likely scenario, but we can’t predict the future. We just look at the technical feasibility, and it is technically possible through these vendors, and they have the capacity — it’s gone past the threshold for having enough capacity to have an impact — but it’s extremely unlike that that capability will be used.”

Davidson went on to call for an “intermediate security layer” for all inverter systems currently in place in Europe, where a trusted third party would be able to provide cybersecurity services to all products, across manufacturers and markets, as part of a more dynamic approach to cybersecurity. This sentiment was echoed by Jörg Ebel, president of the German Solar Association and vice-president of IBC Solar, who also spoke on the panel.

“I think it’s very important that we start to look a cybersecurity not only now, but every time we do this,” said Ebel. “This report is just a glance at the different situations, because security is always a process. We have to work not only once at it but continuously.”

At this year’s Intersolar Europe event, Solar Media will host a panel discussion on European manufacturing at 3:30pm on Wednesday 7 May in hall A2, booth 159. Speakers include Gaëtan Masson of the Becquerel Institute and Edd Crossland of Oxford PV. Interested attendees can register to attend the panel for free here.

2 September 2025
Mexico City, Mexico
Intersolar Mexico is the leading platform for technology trends and B2B networking in Mexico's solar market. It focuses on photovoltaics, solar heating and cooling technologies, and energy storage. Together with the co-located events The GREEN Expo® and Aquatech Mexico, it has solidified its position as the largest gathering of professionals in the renewable energy and cleantech industry in Mexico since the debut in 2019. In 2024, the events hosted more than 400 exhibitors as well as 10,000 visitors and 12,000 industry professionals (total attendance). The sixth edition of Intersolar Mexico will take place from September 2 to 4, 2025 at the Citibanamex Center, in Mexico City.
2 December 2025
Málaga, Spain
Understanding PV module supply to the European market in 2026. PV ModuleTech Europe 2025 is a two-day conference that tackles these challenges directly, with an agenda that addresses all aspects of module supplier selection; product availability, technology offerings, traceability of supply-chain, factory auditing, module testing and reliability, and company bankability.
10 March 2026
Frankfurt, Germany
The conference will gather the key stakeholders from PV manufacturing, equipment/materials, policy-making and strategy, capital equipment investment and all interested downstream channels and third-party entities. The goal is simple: to map out PV manufacturing out to 2030 and beyond.

Read Next

June 27, 2025
Statkraft has signed PPAs with Better Energy to purchase energy from two solar power plants in Poland with a total capacity of 64GWh.
June 27, 2025
PV Tech spoke to Monika Paplaczyk about recent changes in the UK energy mix and opportunities for investors in the solar sector.
Premium
June 27, 2025
PV Talk: '2024 was a transformational year in terms of energy policy,' says Monika Paplaczyk ahead of this year's Clean Power 2030 Summits.
Premium
June 26, 2025
Carlos Rodriguez, Oktoviano Gandhi and Sun Huixuan examine the energy yield performance of different FPV system configurations.
June 26, 2025
Nextracker will supply solar tracker systems to a 550MW solar PV project in the Greek province of Western Macedonia, owned by Greek renewables developer PPC Renewables.
June 24, 2025
FRV has started commercial operations at its 55MW Masrik-1 PV project in Armenia, the largest to enter operation in the country.

Subscribe to Newsletter

Upcoming Events

Upcoming Webinars
June 30, 2025
10am PST / 6pm BST
Solar Media Events
July 1, 2025
London, UK
Solar Media Events
July 1, 2025
London, UK
Media Partners, Solar Media Events
July 2, 2025
Bangkok, Thailand
Media Partners, Solar Media Events
September 2, 2025
Mexico City, Mexico