Integrated ESG – cybersecurity
As published in the May 2026 edition of PV Magazine. For the case study on inverters, see below.
For years, due diligence in solar and battery energy storage systems (BESS) focused on a familiar set of technical and commercial risks: resources, the grid, permitting, contracts, equipment reliability, and financial assumptions. Environmental, social and governance (ESG) factors, despite their obvious influence on asset behaviour and value, were often treated as a separate workstream. But that distinction no longer reflects how projects actually perform, argues Ragna Schmidt-Haupt, partner at Everoze.
Across solar and BESS markets, investors increasingly recognise that environmental, social and governance factors shape project value in profound ways. Environmental and social issues affect the design, construction and operation of a project as well as its resilience to external shocks. Governance determines whether commitments are credible and enforceable. Like it or not, ESG is now a major part of how investors protect value in a market shaped by supply-chain disruption, geopolitical risk and ever tighter regulation.
Cybersecurity regulation
Cybersecurity risk in grid-connected solar inverters provides a clear example. Recent proposals to revise the EU Cybersecurity Act have highlighted the cybersecurity risks associated with solar equipment and wider ICT supply chains. The proposals would give the European Commission greater powers to identify cybersecurity risks, designate certain suppliers as “high risk”, and require mitigation measures or certification in critical sectors of the European economy, including energy.
For investors, this is not just a policy topic to keep the Euro-wonks busy. Inverter-related cybersecurity risk has implications for equipment selection, digital architecture, supply-chain management and contractual protections. If regulatory restrictions limit remote access, impose certification requirements, or create uncertainty around supplier eligibility, the consequences can flow through operating costs and compliance risks into long-term asset value. This kind of knock-on risk to value is precisely why integrated ESG due diligence matters.
Due Diligence
An integrated view of project risk helps investors test how an asset is likely to perform under real-world conditions, not just under base-case assumptions. It allows risks that are often reviewed separately to be assessed together, so that investors can understand how they interact and possibly magnify each other. Experience shows that problems rarely occur in isolation. A supply-chain problem can become a technical problem. A governance weakness can become a financeability problem. And a cybersecurity regulatory issue can become an operational and commercial problem very quickly.
Although cybersecurity is an especially clear example of how a seemingly manageable issue can spiral through a project until it becomes a major problem, it can happen in plenty of other areas, too. Permitting delays, biodiversity constraints, community opposition, labour issues and changing environmental requirements can all trigger cascading impacts that affect schedule, cost and asset performance. In isolation, such risks can appear small, even trivial. In combination, though, they can interact in potentially damaging ways. Integrated ESG due diligence helps identify these interactions early, when mitigations such as design changes, procurement choices and contractual protections are still available.
In practice, integrated diligence means more than identifying ESG issues and listing them in a glossy report. It means linking them directly to investment-relevant outcomes such as cost, revenue and resilience to shocks. In the case of emerging cybersecurity regulation, that may mean adapting equipment strategy, reconsidering monitoring and control arrangements, strengthening contractual provisions, or testing whether governance is robust enough to deal with future regulatory change.
Years of working on these topics have shown us that investors do not expect perfection. But they should be able to expect evidence that material risks and their interactions are understood and appropriately allocated.
For solar and BESS infrastructure investment, then, the value of ESG integration is no longer primarily reputational, if it ever was. The way environmental, social and governance factors are addressed early increasingly determines whether assets perform as promised, remain financeable and retain value over time.
Case Study: Inverters
As of March 2026, solar inverters are explicitly referenced in the EU Cybersecurity Act amendment proposals. Inverters are network-connected digital components which, if designated a high-risk dependency at system level, will trigger risk-management obligations. These obligations must be met by organizations (such as transmission system operators) designated as operators of essential services by the EU’s Network and Information Security Directives 1 and 2. As a result, EU countries are likely to update grid or network rules to introduce remote-access constraints and/or certification constraints and other measures within the next five years. Emerging European Union cybersecurity regulations that could restrict the future use of certain equipment are a major supply-chain risk. The potential fallout should be addressed early during development to smooth the procurement process, avoid complex contractual mitigations around remote access rights, and reduce compliance, replacement or finance costs.


