Time is ticking: solar and wind farms are threatened with disconnection from the grid from June 1

For some renewable energy projects in Lithuania, there is very little time left to prepare for changes that may still seem like a mere formality in the market. However, that is not the case.

From June 1, 2026, all previously installed solar and wind power plants, as well as electricity storage facilities with a capacity exceeding 100 kW, will be required to comply with cybersecurity requirements and have an audit conclusion confirming such compliance.

Otherwise, the electricity distribution operator ESO and the transmission system operator Litgrid will have the right to disconnect such facilities from the electricity grid.

Why cybersecurity has become a priority

“These requirements did not emerge by accident. They are a direct response to real risks already affecting the energy sector. A large share of the equipment in use, especially inverters and control systems, is still not sufficiently protected. As a result, they become an easy target for hackers. If control is taken over, equipment can be switched on or off remotely. This is no longer just a problem for an individual project — such actions can also affect the stability of the entire grid.

In recent years, Lithuania has recorded a growing number of cybersecurity incidents. Similar risks are also visible abroad — cases have been identified where solar power plant control systems were accessible via the internet and could have been taken over remotely,” says Dr. Šarūnas Stanaitis, CEO of Inion Software.

The expert continues that another major risk is geopolitics. Equipment from third countries dominates the renewable energy market, which means that part of the infrastructure is technically dependent on external manufacturers.

This means that, under certain scenarios, a significant share of the equipment could be affected at the same time.

According to Stanaitis, last year’s electricity disruptions in Spain and Portugal showed how sensitive infrastructure can be to sudden imbalances or external disruptions. Although their causes were technical, such events highlight the overall vulnerability of the system.

What is changing in the management of power plants and storage facilities

At first glance, the cybersecurity requirements may seem complex, but their essence is simple — to ensure that the control systems of power plants and storage facilities are not accessible from outside and are protected against unauthorized access.

“One of the key changes is stricter restrictions on the equipment used. It is prohibited to use monitoring and control systems from hostile countries, and such equipment may not be connected to the open internet. For some projects, this will mean the need to review or even replace previously installed solutions.

Communication security is also very important. Sites must have firewalls installed with licensed antivirus software and data traffic inspection functions. It will not be allowed to use unsecured communication technologies such as open Wi-Fi. Communication with ESO must also be secure and must not take place through direct internet access,” says the CEO of Inion Software.

Physical security requirements are also changing. Control system cabinets will have to be locked, and the issuance of keys must be recorded.

After these measures are implemented, a cybersecurity audit is carried out. This is not a one-off action, as the security solutions will need to be continuously maintained and the audit repeated regularly.

How much it will cost and what mistakes businesses make

According to Stanaitis, the biggest challenge for renewable energy businesses today is not only to prepare for cybersecurity requirements, but to do so in the right sequence. The entire process — from the first contact with control system installers to the audit — usually takes about two months.

In the expert’s view, some companies are still making the same mistake. They first invite an auditor, even though the audit should be the final step. In such cases, deficiencies are identified, and the business has to pay twice: first for identifying the shortcomings, and later for a repeat assessment after they have been corrected.

The correct sequence is the opposite. First, the existing infrastructure is assessed, then technical security measures are implemented, and only then is the audit carried out. It is precisely this order that determines whether the process will be smooth or whether there will be additional costs.

“When it comes to budget, the audit itself costs around EUR 1,000–1,500 for a standard site. However, most of the costs are related to technical solutions. Depending on the situation, these may range from a few hundred to several thousand euros.

One thing is important to understand: most renewable energy facilities already in operation today do not meet the new requirements. This means that investments are unavoidable,” says Š. Stanaitis.