Lithuania is facing a potential shortfall in cybersecurity compliance for its renewable energy sector as a critical deadline approaches. While new legislation requiring enhanced security measures for renewable energy systems came into effect on , adoption rates remain low, raising concerns about the country’s energy security.
The legislation, an amendment to the Law on Energy, mandates that solar, wind, hydro, and hybrid power plants, as well as energy storage facilities with an installed capacity exceeding 100 kW, must meet stringent cybersecurity standards. These standards are designed to prevent remote access and control of these systems by entities identified as national security threats, with specific mention of China. Grid operators are prohibited from connecting devices that do not comply with these requirements.
A transitional period was granted to existing facilities, giving them until , to obtain the necessary certifications. However, with just three months remaining until that deadline, the pace of audits and certifications is described as “not brisk” by Energijos Skirstymo Operatorius (ESO), Lithuania’s energy distribution operator. ESO has not released detailed statistics on compliance, citing security concerns, but reports having received only 11 security declarations, with just 3 meeting the required standards.
This slow uptake comes after Lithuania amended its national Cyber Security Law in 2024, officially replacing its previous NIS-1 regime with a framework aligned with the European Union’s Network and Information Security 2 Directive (NIS2). The implementation of NIS2 in Lithuania is characterized by a centralized model intended to raise the bar for cybersecurity compliance across a broad range of organizations, extending beyond the energy sector to include manufacturing and healthcare.
The new requirements focus on the control systems of electricity devices, specifically addressing vulnerabilities in remotely controllable photovoltaic (PV) inverters and other renewable energy systems. The legislation aims to mitigate risks associated with potential cyberattacks that could disrupt energy supply or compromise critical infrastructure. The concern stems from the increasing sophistication of cyber threats and the potential for malicious actors to exploit vulnerabilities in interconnected energy systems.
The legislation’s focus on preventing access by entities deemed national security threats reflects a broader trend of heightened geopolitical tensions and concerns about foreign interference in critical infrastructure. Lithuania has been a vocal advocate for a tougher stance against perceived threats from countries like China and Russia, and this legislation is seen as part of a wider effort to bolster national security.
The low number of completed certifications raises questions about the preparedness of renewable energy operators and the effectiveness of the certification process. Potential challenges include the cost of implementing the necessary security measures, the complexity of the certification process, and a lack of awareness among operators about the requirements. The limited information released by ESO further complicates the assessment of the situation.
The implications of non-compliance could be significant. Facilities that fail to meet the security standards by the , deadline risk being disconnected from the electricity grid, potentially disrupting energy supply and impacting businesses and consumers. The legislation also underscores the growing importance of cybersecurity in the renewable energy sector, as countries around the world seek to protect their critical infrastructure from cyberattacks.
While the current activity level is described as low, ESO has not indicated whether it anticipates any difficulties in meeting the deadline or whether it plans to take any additional steps to encourage compliance. The situation will likely require close monitoring in the coming months to assess the extent of the potential shortfall and the impact on Lithuania’s energy security. The implementation of NIS2 across the EU, and Lithuania’s proactive approach to renewable energy security, signals a broader shift towards prioritizing cybersecurity in critical infrastructure sectors.
