The European solar industry has issued a stark warning: cybersecurity gaps could severely compromise the continent’s grid stability if urgent action is not taken.
A new report by SolarPower Europe, developed in collaboration with DNV, finds that the compromise of just 3 GW of solar generation capacity could have significant systemic consequences.

“Digitalisation offers huge opportunities, including €160 billion per year in energy system savings by 2040, but it also brings new vulnerabilities like cybersecurity risks,” explains Walburga Hemetsberger, CEO of SolarPower Europe.

Despite a wave of new legislation — including the NIS2 Directive, the Cyber Resilience Act, and the Network Code for Cybersecurity (NCCS) — the current regulatory frameworks largely focus on traditional, centralised infrastructure. Distributed assets such as small rooftop PV systems remain largely uncovered.

Specific vulnerabilities of distributed solar systems

The report highlights that solar PV systems are becoming increasingly digitalised and interconnected, often relying on internet-enabled inverters that behave more like IoT devices than conventional power plants.

“We didn’t need antivirus for a typewriter, but we do for our laptops,” Hemetsberger points out.
Without appropriate cybersecurity measures, small-scale systems — operated by private homeowners or SMEs — pose a growing risk as their aggregated capacity increases.

Key vulnerabilities include:

• Unsecured remote access points to solar inverters.

• Firmware updates are transmitted without robust verification processes.

• Remote control capabilities are managed via cloud servers and are often hosted outside EU jurisdiction.

Furthermore, while utility-scale solar installations benefit from stricter security standards and experienced operators, small-scale and rooftop systems frequently lack the same level of protection and oversight.

The systemic risk to Europe’s energy grid

According to the study, the solar sector in Europe is growing at an unprecedented rate. As of 2024, 337 GW of solar PV capacity was installed, 65% of which was deployed on rooftops.
Annual installations have exceeded 60 GW, and by 2030, Europe is expected to have over 816 GW of cumulative capacity.

The problem is compounded by market concentration: over a dozen manufacturers control more than 3 GW each of installed inverter capacity. A targeted cyberattack exploiting these access points could lead to widespread disruptions.

“The transition to a decentralised energy system brings resilience by reducing reliance on single, high-impact assets. However, this resilience is only real if new risks are proactively addressed,” the report stresses.

Although solar has thus far seen fewer cyberattacks compared to sectors like oil, gas, and nuclear, the increasing penetration of solar into Europe’s energy mix makes it a prime target for future attacks, whether motivated by financial gain or geopolitical tensions.

Clear recommendations to mitigate risks

SolarPower Europe’s report outlines two overarching strategic solutions:

1. Develop industry-specific cybersecurity standards for the solar sector.
Current generic cybersecurity standards, while helpful, are insufficient. A solar-specific framework should address:

• Secure design of inverters.

• Protection of cloud-based monitoring platforms.

• Mandatory certification schemes for critical equipment.

2. Limit remote access to within the European Union or trusted jurisdictions.
Following a model similar to GDPR, remote operation of solar assets must be restricted to countries with equivalent security guarantees. Remote access by entities outside these regions should be prohibited unless strong cybersecurity measures are demonstrably in place.

“We must guarantee that control over Europe’s solar infrastructure remains firmly within secure jurisdictions,” Hemetsberger insists.

SolarPower Europe also urges the European Commission to accelerate the implementation of these measures through the Network Code for Cybersecurity or equivalent mechanisms. In addition, a whitelist of certified solar devices could be created to strengthen supply chain security.

The price of inaction

The benefits of digitalisation are clear. A flexible, distributed energy system could generate €160 billion in cost savings annually for Europe by 2040, according to SolarPower Europe’s Mission Solar 2040 modelling.

However, these savings and energy security gains are contingent upon robust cybersecurity frameworks. Without them, the very decentralisation that strengthens Europe’s resilience could become a new vector for destabilisation.

“To build a modern, secure, and reliable energy infrastructure, cybersecurity must be embedded from the ground up — not treated as an afterthought,” concludes SolarPower Europe.

As Europe races towards a renewable, digital energy future, safeguarding the security of solar infrastructure is not just a technical necessity; it is a geopolitical imperative.