Lithuania Solar Cybersecurity Rules Expose Europe’s Renewable Remote Access Risks

Lithuania Solar Cybersecurity Rules Expose Europe’s Renewable Remote Access Risks

Lithuania Solar Cybersecurity Rules Expose Europe’s Renewable Remote Access Risks

https://www.forbes.com/sites/guneyyildiz/2026/07/09/europes-green-transition-has-a-remote-control-problem/

Publish Date: 2026-07-09 09:00:00

Source Domain: www.forbes.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points. Grid operators in Lithuania can now disconnect solar plants above 100 kilowatts that lack required cybersecurity measures. 2. A solar installation in Lithuania. New rules test whether Europe can impose security boundaries on distributed renewable assets after they are already deployed and remotely connected. (Photo by Christopher Furlong/Getty Images)Getty ImagesLithuania’s grid operators can now disconnect solar plants above 100 kilowatts that fail new cybersecurity rules. That sounds like narrow local regulation. It isn’t. It is one of the clearest signs yet that Europe’s renewable build-out has become a critical-infrastructure problem as much as a climate one.For utilities, storage developers, infrastructure investors and regulators, the question is no longer just how fast to add solar and batteries. It is who still holds remote access once those assets are commissioned, what software path reaches the inverter, and what happens when a fleet built for low-cost generation turns out to be manageable from somewhere else.Three risks now sit inside the same box: supply-chain concentration, operational remote access, and late regulatory retrofit. Lithuania is small, but the framework is large enough to matter. It moved from warning about the risk to giving grid operators a blunt power: comply or disconnect.A Cyber Rule With Physical TeethLithuania’s rules took shape in stages. New renewable installations above 100 kilowatts have had to meet the requirements since May 1, 2025. Existing plants crossed the line on June 1, 2026. Earlier this month, pv magazine reported that grid operators can now disconnect non-compliant solar assets. Grid operators hold the formal authority, although unofficial guidance after discussions with the National Energy Regulatory Council suggests flexibility for plants that have begun implementation and signed contracts. Queues for specialist implementers currently run several months. That combination of enforcement power and practical friction is what makes this different from another policy paper or vendor checklist.The commercial logic is just as important as the legal one. Compliance for a new plant is not, on its own, ruinous. Stanaitis told me the extra cybersecurity measures for a new grid-connected renewable asset can come in below EUR2,000, a rounding error on a multi-megawatt installation. The pain arrives elsewhere: retrofits, queues for scarce implementers, and smaller owners who built the plant before anyone treated the inverter as a geopolitical asset.That matters because Lithuania is not dealing with an edge case. Its solar capacity reached more than 3 gigawatts by the end of 2025, after adding roughly 600 megawatts that year, according to IEA-PVPS data reported by pv magazine. The wider European story is bigger still: a fast-growing fleet of distributed, cloud-connected assets added under one set of assumptions, then re-evaluated under another.The Inverter Is Now Part Of The ArgumentStanaitis’s central point is not about solar being uniquely insecure. It is about Europe treating the inverter as a technical component when it is really a control point. In his telling, the real risk starts with vendor access. Around 80 percent of the plants he sees still have remote access of some kind, he said, and the deeper question is who retains credentials after installation: the plant owner, the installer, the monitoring platform, or the manufacturer.His most forceful claim is also one that should be handled carefully. Stanaitis argues that Chinese-made inverters dominate Lithuanian solar and still shape the operational risk. That estimate broadly matches the direction of the wider European debate, even if the precise share still needs independent plant-by-plant confirmation. A 2024 case in the United States illustrated the point: Deye, a Chinese manufacturer, remotely disabled inverters amid a commercial dispute over distribution rights. The episode showed how manufacturer-level remote control can survive installation. SolarPower Europe has already argued for a harmonized cybersecurity baseline for solar and warned against treating cybersecurity as an optional afterthought in project design.The stronger argument is operational, not theatrical. A large fleet of remotely reachable assets creates more than one failure path: forced curtailment, corrupted settings, manipulated monitoring, firmware dependence and, in the case of battery storage, more consequential interactions with the grid. Stanaitis’s view is that batteries raise the stakes because they can inject as well as curtail power. That is not a headline about espionage. It is a question of system behavior.Europe Is Still In Retrofit ModeThe hardest part of the Lithuanian case may be what comes after the headline. Blocking insecure remote access is one thing. Replacing the monitoring and workflow built around it is another.Stanaitis described a practical problem that will sound familiar across Europe. Operators got used to logging into the manufacturer’s cloud portal and seeing everything. Once that route is blocked, someone still needs a secure monitoring layer, a local control architecture, and a way to update settings without reopening the same vulnerability. Solar can often absorb that change. Battery storage is trickier, because some settings remain tied to the vendor platform and because batteries can push power in both directions.This is where the boardroom question appears. If Europe keeps buying the cheapest hardware and layering governance on top later, cybersecurity becomes a retrofit cost. If it builds the cyber boundary into procurement, monitoring and grid-connection requirements from the start, it becomes a design condition. That is a different investment case.Lithuania is trying to impose that condition after the build-out has already begun. Larger states will have a harder version of the same task. The residential fleet is an even bigger blind spot. Stanaitis estimated that Lithuania may already have around 170,000 small-scale installations, most of them far beyond the reach of any serious site-by-site cyber audit. That is where the policy challenge shifts from utility governance to mass consumer infrastructure.The Question Lithuania Is Asking FirstLithuania may turn out to be early, imperfect and slightly improvisational. But it is asking the right question before most of Europe: who controls the connected assets of the energy transition once they are deployed at scale?That is no longer a niche technical debate. It affects developers choosing equipment, investors underwriting storage, grid operators thinking about resilience and policymakers deciding whether energy security can still be separated from digital control. The green transition did not only add clean generation. It also added a distributed attack surface.The countries that move first will shape the next rulebook. The others may find themselves doing what Lithuania is doing now: trying to draw a security perimeter around infrastructure they already built.