How EU NIS2 is reshaping physical and cybersecurity for PV plant operators

In force since January 2023, the European Union’s NIS2 Directive has significantly increased security requirements for operators of critical infrastructure, including energy systems such as photovoltaic plants.

Under these provisions, PV asset operators are required to implement robust cybersecurity risk management across both IT and operational technology (OT) systems, including inverters, SCADA, and monitoring platforms. They must also establish clear processes for rapidly reporting cyber incidents, with strict timelines for early warnings and detailed notifications.

In addition, operators are expected to assess and manage risks within their supply chains, particularly those involving hardware and software vendors.

Ensuring business continuity is another key obligation, meaning operators need effective backup and recovery plans to maintain operations during disruptions. Finally, company management is directly accountable for compliance and must actively oversee cybersecurity measures, with potential penalties in cases of negligence.

“For solar park operators, this means that greater attention must be paid to both IT system security and the physical protection of the facilities. Furthermore, management’s responsibility increases: executives must oversee cybersecurity measures and may be held personally liable in the event of breaches,” Albert Biagetti, sales manager at German surveillance company Sauermann, told pv magazine.

Biagetti explained that strategic responsibility for cybersecurity ultimately lies with management. Operational management, however, requires specific technical expertise and often collaboration with specialized partners. For this reason, many companies combine internal oversight with external technological solutions and services.

Like many of its competitors, the German company relies on AI-based video surveillance systems that automatically analyze images and flag suspicious activity. At the same time, every alarm is verified by an operations center.

“An important factor is our flexibility. While we operate with standards and capabilities similar to those of large companies, we maintain a structure that allows us to make decisions quickly and adapt to the needs of our customers and individual projects. Pricing is generally tailored to the project, system size, and required level of security,” said Biagetti.

In the alarm system proposed by Sauermann, cameras monitor the area and automatically analyze recorded images. “If an alarm is triggered, our operations center immediately assesses the situation. In cases of risks such as theft of copper, inverters, or other components, a rapid response is critical. The operations center operator can make a live voice announcement or directly contact police or emergency response teams,” Biagetti added.

According to Sauermann, safety standards in Europe have gradually become more harmonized in recent years.

“There are already various certifications and technical standards, but differences still persist between countries, especially regarding regulation and data protection,” said Biagetti. He then explained that the solution recently proposed by Solarsecure Tech could be useful. The German startup has introduced a gateway designed to decouple photovoltaic inverters from manufacturers’ clouds and block unauthorized remote control commands.

“Solutions of this kind demonstrate how central the issue of security is becoming in the energy sector. Technologies that limit unauthorized access can be a useful element, but they must always be integrated into a broader security strategy,” said Biagetti. “Physical and cybersecurity are increasingly interconnected. If an intruder gains physical access to a facility, they can tamper with devices or compromise digital systems. For this reason, perimeter protection often represents the first line of defense.”

According to Biagetti, in some regions the main risk involves theft or vandalism, especially at isolated facilities. In other contexts, cyber risks are more significant. “In any case, today it is necessary to consider both dimensions of security,” he added.

For the physical security of plants, artificial intelligence plays a central role in modern surveillance. Many systems analyze images directly on the device, enabling relevant events to be identified in real time. “Only a portion of the data is then sent to servers or the operations center for further verification. This reduces data traffic and makes the systems more efficient,” said Biagetti.

The sales manager added that in cybersecurity, artificial intelligence is primarily used for data analysis and detecting anomalous behavior. “This allows potential threats or unauthorized access to be identified more quickly,” he stated.

In PV plants, the contact center infrastructure (CCI) is an important component to protect, but system security is not limited to a single element. Other parts of the infrastructure, such as the perimeter, access points, and control systems, must also be safeguarded. The reference server is another sensitive element of the security architecture. According to Biagetti, the most important aspects are ensuring data protection, access control, and regulatory compliance.

“In many cases, servers can also be located in other European countries, provided they comply with the security and data protection requirements set forth by regulations,” Biagetti added, noting another critical aspect – the need for consistent monitoring and rapid incident response across all locations.