Grid operators in Lithuania can now disconnect solar power plants from the grid that do not comply with current cybersecurity measures.
Lithuania first announced plans to tighten its cybersecurity laws in November 2024, passing legislation that prevented Chinese manufacturers from remotely accessing the country’s solar, storage and wind energy facilities.
The legislation, which applies to installations and equipment with a capacity of more than 100 kW, came into effect for new projects on May 1, 2025, with existing sites given until June 1 this year to comply. It requires project owners to comply with cybersecurity requirements, including multi-factor authentication, secure communications, supply chain security controls, incident reporting procedures and physical security, and to impose restrictions on remote access. Plant owners must then pass an audit showing that they comply with the regulations.
Lithuanian green energy technology company Inion Software says it has been working with and assessing numerous solar, wind and battery projects across Lithuania as operators prepared for the new rules.
This was stated by the company’s CEO, Šarūnas Stanaitis pv magazine that Lithuanian power stations will become safer as a result of the measures, making the country’s electricity grid independent and safer, but recognizes that additional equipment will need to be installed and programming required to operate.
“Here, factory owners are faced with two problems,” he explains. “Firstly, the cost of cybersecurity requirements for small installations, for example 120 kW, is quite high. Secondly, there are not many companies on the market that can implement cybersecurity measures and the waiting list is a few months.”
“The cybersecurity deadline has already passed and many companies are now stressed as grid operators may close their factories until they implement cybersecurity measures.”
Stanaitis confirmed that since the deadline for implementing cybersecurity measures has already passed, grid operators can theoretically shut down power plants where no cybersecurity measures are installed.
“In practice, grid operators do not know how to behave, which creates uncertainty,” he adds. “After consultation with the National Energy Regulatory Council and grid operators, the unofficial version is that those who have started implementing cybersecurity and are contracted for the work will not be shut down, but others will be.”
When asked what the biggest cybersecurity problem facing power plants is, Stanaitis said the biggest threat to solar and battery projects is dependence on China.
“Since 99% of power plants use Chinese inverters, they can be controlled remotely and at once from China,” he explains. “The threat from hackers is also quite high because in most projects access to the power stations is not secure. The situation is better for wind farms, but cyber security measures are still weak there too.”
Stanaitis said pv magazine he is confident that other European countries will follow Lithuania’s example and implement similar cybersecurity laws.
“It is a matter of national security,” he said. “I would even see this as a question for the European Commission. They must take the lead here and make the law applicable to all countries.”
Lithuania added around 600 MW of solar energy last year, bringing its total capacity above the 3 GW threshold. Technical permits have been issued for an additional 4 GW of solar energy.
