The European Union’s NIS2 directive forces PV operators to strengthen both cyber and physical security, with solar assets considered critical infrastructure. It also highlights the need for stronger physical protection measures such as site surveillance, access control and perimeter security to prevent tampering and burglary.
The European Union’s NIS2 Directive, in force since January 2023, has significantly increased security requirements for operators of critical infrastructure, including energy systems such as photovoltaic installations.
Under these provisions, PV plant operators are required to implement robust cybersecurity risk management in both IT and operational technology (OT) systems, including inverters, SCADA and monitoring platforms. They must also establish clear processes for reporting cyber incidents quickly, with strict timelines for early warnings and detailed notifications.
In addition, operators are expected to assess and manage risks within their supply chains, especially those involving hardware and software suppliers.
Ensuring business continuity is another key obligation, meaning operators need effective backup and recovery plans to maintain operations during disruptions. Finally, company management is directly responsible for compliance and must actively monitor cybersecurity measures, with possible sanctions in case of negligence.
“For solar park operators, this means that more attention must be paid to both the security of the IT system and the physical protection of the facilities. In addition, the responsibility of management is increasing: executives must monitor cybersecurity measures and can be held personally liable in case of breaches,” says Albert Biagetti, sales manager at German surveillance company Sauermann. pv magazine.
Biagetti explained that the strategic responsibility for cybersecurity ultimately lies with management. However, business operations require specific technical expertise and often collaboration with specialized partners. For this reason, many companies combine internal monitoring with external technological solutions and services.
Like many of its competitors, the German company relies on AI-based video surveillance systems that automatically analyze images and flag suspicious activity. At the same time, each alarm is verified by an operations center.
“An important factor is our flexibility. Although we work with standards and capabilities comparable to those of large companies, we maintain a structure that allows us to make quick decisions and adapt to the needs of our customers and individual projects. Prices are generally tailored to the project, system size and level of security required,” says Biagetti.
In the alarm system proposed by Sauermann, cameras monitor the environment and automatically analyze recorded images. “If an alarm is triggered, our operations center immediately assesses the situation. In case of risks such as theft of copper, inverters or other components, a quick response is crucial. The operations center operator can make a live voice announcement or contact the police or emergency response teams directly,” Biagetti added.
According to Sauermann, safety standards in Europe have gradually become more harmonized in recent years.
“There are already several certifications and technical standards, but differences between countries still remain, especially in the areas of regulation and data protection,” Biagetti said. He then explained that the solution recently proposed by Solarsecure Tech could be useful. The German startup has introduced a gateway designed to disconnect photovoltaic inverters from manufacturers’ clouds and block unauthorized remote control commands.
“These types of solutions show how central the issue of security is becoming in the energy sector. Technologies that limit unauthorized access can be a useful element, but they must always be integrated into a broader security strategy,” Biagetti said. “Physical security and cybersecurity are increasingly interconnected. If an intruder gains physical access to a facility, they can tamper with devices or compromise digital systems. For this reason, perimeter security is often the first line of defense.”
According to Biagetti, the greatest risk in some regions is from theft or vandalism, especially in isolated facilities. In other contexts, cyber risks are greater. “In any case, today it is necessary to consider both dimensions of security,” he added.
Artificial intelligence plays a central role in modern surveillance for the physical security of installations. Many systems analyze images directly on the device, allowing relevant events to be identified in real time. “Only some of the data is then sent to servers or the operations center for further verification. This reduces data traffic and makes the systems more efficient,” Biagetti said.
The sales manager added that artificial intelligence in cybersecurity is mainly used for data analysis and detecting anomalous behavior. “This allows for quicker identification of potential threats or unauthorized access,” he said.
In PV installations, the contact center infrastructure (CCI) is an important component to protect, but system security is not limited to a single element. Other parts of the infrastructure, such as the perimeter, access points and control systems, also need to be secured. The reference server is another sensitive element of the security architecture. According to Biagetti, the most important aspects are ensuring data protection, access control and regulatory compliance.
“In many cases, servers can also be located in other European countries, provided they meet the security and data protection requirements set out in regulations,” Biagetti added, noting another crucial aspect: the need for consistent monitoring and rapid response to incidents across all locations.
This content is copyrighted and may not be reused. If you would like to collaborate with us and reuse some of our content, please contact: editors@pv-magazine.com.
Popular content
