Cybersecurity management plans – WTH?
Cyber security-by-design, at both product and system level, is no longer optional for renewable energy asset investments. Everoze Partner Ragna Schmidt-Haupt argues it is becoming a condition of bankability, insurability and long-term value protection.
In Europe, this shift is being driven by two complementary frameworks: the NIS2 Directive, which focuses on organisational cybersecurity and operational networks, and the Cyber Resilience Act (CRA), which targets the hardware and software products on which those organisations rely. Both matter for renewable assets, because wind, solar and storage systems increasingly depend on connected devices, remote-control capability, firmware updates, cloud-linked monitoring and third-party digital services.
Under NIS2, operators must implement risk-management measures, report incidents and bring management accountability into the boardroom. Together, these frameworks are shifting cybersecurity from an operational afterthought to a core component of asset integrity. Far from an abstract IT risk, non-compliance can impact valuation via legal exposure, retrofit costs, equipment replacement, constrained operations, delayed energisation, insurer concern and reputational damage.
And change can be extremely swift and far-reaching. For instance, Germany’s implementation of NIS2 in December 2025, revising the BSI Act (BSIG), significantly increased the number of regulated organisations overnight.
So, how should investors approach this new reality? The answer is not to simply bolt a cyber checklist onto the end of technical due diligence. Instead, the key is integrating cybersecurity with technical, commercial and ESG due diligence from the outset.
Take inverter fleets and remote access as an example, elaborated in my recent article in PV Magazine International and displayed at the SNEC in China this week.
A conventional diligence lens might ask whether the control functionality exists and whether the OEM has a support pathway.
An integrated lens asks more useful questions:
- Who controls remote access rights?
- How are credentials managed?
- Can software and firmware be updated without operational disruption?
- What happens if regulatory requirements tighten after acquisition?
- Are responsibilities for patching, incident response and compliance clearly defined in contracts and management plans?
If an investor is unable to receive clear and satisfactory answers to these questions, the issue is not merely technical. It points towards uncertainty around operating expenditure, downtime, contractual risk allocation and revenue resilience.
In other words, cyber security now behaves like any other infrastructure issue. It sits across design, procurement, operations and governance, creating both risks and opportunities for value creation.
The implication for renewable assets is clear: investors can no longer afford to separate cyber, ESG and technical issues from asset value creation or resilience. The best assets are no longer simply those with strong resource and attractive contracts. They are the ones designed, governed and operated to remain secure, compliant and investable over time.


