{"id":183727,"date":"2026-02-02T06:54:00","date_gmt":"2026-02-02T11:54:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/02\/a-growing-sense-of-threat-in-eu-cybersecurity-act-review\/"},"modified":"2026-02-02T07:00:10","modified_gmt":"2026-02-02T12:00:10","slug":"a-growing-sense-of-threat-in-eu-cybersecurity-act-review","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/02\/a-growing-sense-of-threat-in-eu-cybersecurity-act-review\/","title":{"rendered":"&#8216;A growing sense of threat&#8217; in EU cybersecurity act review"},"content":{"rendered":"<p><a href=\"https:\/\/www.pv-tech.org\/eu-cybersecurity-act-solar-energy-security-threat\/\">&#8216;A growing sense of threat&#8217; in EU cybersecurity act review<\/a><\/p>\n<p><a href=\"https:\/\/www.pv-tech.org\/eu-cybersecurity-act-solar-energy-security-threat\/\">https:\/\/www.pv-tech.org\/eu-cybersecurity-act-solar-energy-security-threat\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-02 06:54:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.pv-tech.org\">www.pv-tech.org<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>We spoke to cybersecurity experts about what the bill will do, and what it has proposed.<\/p>\n<p>\u2018A growing sense of risk\u2019<\/p>\n<p>The CSA proposal outlined plans to identify \u201chigh-risk\u201d countries and high-risk suppliers and exclude them from critical EU digital supply chains. The model comes largely from its existing restrictions on 5G networks, where it has restricted Huawei\u2019s access, as well as efforts to address supply dependencies on single countries or suppliers, which for renewable energy will mostly mean China. \u201cThe EU\u2019s risk mitigation logic in 5G is the right mindset to replicate in renewable connectivity architectures,\u201d says Rafael Narezzi, CEO and co-founder of cybersecurity firm Cyber Energia.<\/p>\n<p>Uri Sadot, founder of SolarDefend and chairman of SolarPower Europe\u2019s digitalisation workstream,\u00a0 expects the revised cybersecurity act to \u201chave teeth\u201d.<\/p>\n<p>Europe is on a new security footing, with military and defence spending increasing in the face of heightened geopolitical tensions and a push for self-reliance. \u201cThere\u2019s a growing sense of risk, there\u2019s a growing sense of threat and there\u2019s an impressive level of expertise within the Commission to understand this paradigm shift from centralised power generation to decentralised,\u201d Sadot says. He is part of the technical risk assessment group currently working to develop recommendations for the CSA\u2019s measures on energy.<\/p>\n<p>The CSA proposal references solar inverters, where it warns that \u201ckill switches could be used to negatively impact the availability of communication networks and electricity grids\u201d \u2013 a reference to a Reuters story from this year. This shows meaningful intent, Sadot suggests, as do the aggressive timelines for implementation that the Commission set out.<\/p>\n<p>Existing infrastructure<\/p>\n<p>The ongoing risk assessment process has to decide what to do about solar infrastructure already deployed in Europe that carries cybersecurity risks. Inverters are the key here. For utility-scale projects, there will likely be technical fixes, Sadot says. \u201cYou have a firewall, you have a network, electrical switches and inverters and meters\u2026inverters are just one piece in the broader system,\u201d he says. \u201cEven if you don\u2019t trust the inverter, you can compensate for it through a stronger firewall or a stronger inspection routine.\u201d<\/p>\n<p>The US did this by banning Huawei inverters but keeping many of them physically in place and imposing restrictions around them.<\/p>\n<p>\u201cI think rip and replace [removing high-risk inverters] is going to be the nuclear option [the Commission] is really going to try and avoid,\u201d he says. \u201cThey\u2019re going to try and avoid industry disruption and business disruption as much as possible. It\u2019s more likely that cyber companies and solutions will emerge.<\/p>\n<p>\u201cBut if you think about a big plant with different components and you squeeze all of that into a shoebox, you have a residential inverter,\u201d he says. \u201cIt\u2019s much harder to see how you could introduce additional protections or controls into that box.\u201d<\/p>\n<p>This could be a headache for risk assessment and politicians and might result in \u201crip and replace\u201d plans for small-scale PV installations. No politician will want to tell 100,000 people that they need to replace their inverter or home battery and buy a new one because it poses a cybersecurity risk, however sensible the idea might be. The Lithuanian government capped its 2024 rip and replace plans for inverters at 100kW to avoid annoying climate-conscious voters in an election year.<\/p>\n<p>\u201cI\u2019m not too optimistic about solutions for residential and commercial, I think that\u2019s going to be a very hard technical problem to solve,\u201d Sadot says.<\/p>\n<p>But the cybersecurity risk of those small residential and commercial systems is significant. Residential inverter suppliers like SMA Solar or SolarEdge control millions of systems across Europe from a single control centre, and virtual power plant (VPP) companies can operate multiple gigawatts of capacity across countless small installations. \u201cIt\u2019s counterintuitive, but small systems are controlled from a central point,\u201d Sadot explains, \u201cIt\u2019s like \u2018one ring to rule them all\u2019; one data centre controls who knows how many systems.\u201d<\/p>\n<p>PV Tech heard that the Commission may consider extending its regulatory authority to PV systems below 1MW, though we were unable to find conclusive proof of this in the CSA proposal. This change could potentially prove dramatic for residential and other distributed PV systems, bringing hundreds of thousands of inverters from firms like Enphase, SolarEdge and SMA Solar under the regulatory eye of the Commission\u2019s Network and Information Systems (NIS) directive, a 2016 cybersecurity legislative package. We have contacted the European Commission for clarity on these rumours.<\/p>\n<p>US-Europe relations<\/p>\n<p>One particularly sticky point might be cybersecurity threats that come from the West rather than the East. The EU\u2019s digital infrastructure is heavily reliant on US software and networks, and relations between the two have soured in recent months. We don\u2019t have details on \u201chigh-risk\u201d dependencies yet, and active cyberattacks on Europe from US technology seem highly unlikely, but US tech firms that are deeply enmeshed in Europe\u2019s infrastructure could raise concerns.<\/p>\n<p>Any changes with the US likely won\u2019t begin with solar inverters, due to the entanglement between the two in this respect, Sadot says: \u201cIf you were to consider a decoupling of European and American technology, it\u2019s probably not going to start from inverters. Europe and America have a lot of reciprocity in that sense; there are a lot of Fronius and SMA inverters in America, and you have Siemens and Schneider Electric. The two economies are much more entangled, and so are the grids.\u201d<\/p>\n<p>Far more likely under the microscope are firms like Palantir and Oracle with explicit ties to the US administration, and the fact that the two countries are linked through cloud services, AI, phones, laptops and almost everything else. Were any broader disentanglement of the EU from US tech dominance to happen, this could reach the solar industry eventually, Sadot suggests.<\/p>\n<p>New certificates<\/p>\n<p>The CSA also proposed streamlined EU-wide cybersecurity certifications, with plans to introduce a certification within 12 months with a broader scope that will include corporate cybersecurity practices alongside government action.<\/p>\n<p>Narezzi argued before the proposal was released that a successful certification scheme should adopt the same framework as the banking industry, where cybersecurity is seen as a \u201ccore operational risk\u2026 and their licence to operate is explicitly tied to regulatory compliance\u201d.<\/p>\n<p>\u201cIf energy systems are critical infrastructure, then\u00a0cybersecurity can\u2019t remain a best-effort exercise,\u201d he continued. \u201cI believe that you need to link\u00a0cybersecurity obligations to the right to operate, which means board-level responsibility for\u00a0cyber\u00a0risk, mandatory governance and reporting, not just audits, and enforcement mechanisms that incentivise prevention, not reaction.\u201d<\/p>\n<p>The Commission\u2019s certification plans haven\u2019t gone this far yet, but a broader EU-wide certification scheme with real authority and technical requirements behind it could potentially make a real difference. As with many certifications or standards, it risks becoming a badge for good behaviour rather than a meaningful part of industry security, but Sadot, who says he has \u201cbeen frustrated by standards and certifications\u201d, says that including technical requirements and potentially vetting for non-EU companies could lead to a regulation with muscle.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8216;A growing sense of threat&#8217; in EU cybersecurity act review https:\/\/www.pv-tech.org\/eu-cybersecurity-act-solar-energy-security-threat\/ Publish Date: 2026-02-02 06:54:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":183728,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.pv-tech.org\/wp-content\/uploads\/2026\/02\/christian-lue-MZWBMNP7Nro-unsplash.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24],"class_list":["post-183727","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183727"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=183727"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183727\/revisions"}],"predecessor-version":[{"id":183729,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183727\/revisions\/183729"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/183728"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=183727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=183727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=183727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}