On June 3, 2026, Germany's domestic intelligence service (BfV) and the Federal Office for Information Security (BSI) issued a joint security advisory warning that Russian state-sponsored cyber actors are actively conducting reconnaissance — Auskundschaftung — of poorly secured, internet-connected photovoltaic (PV) installations. According to the advisory, the attackers focus on monitoring systems that also permit operational control, many of which run badly outdated software and can in some cases be reached "ohne den Einsatz von Zugangsdaten" — without any credentials at all. The agencies stress they have no concrete evidence that systems have yet been compromised, but caution that the activity could represent pre-positioning for future sabotage.
What makes the warning notable is not the threat actor — Russian interest in European energy infrastructure is well documented — but who owns the exposed assets. The BSI/BfV notice is explicit that the affected operators are "überwiegend Privatpersonen oder Genossenschaften" — predominantly private individuals or cooperatives without energy-sector expertise. This is the soft underbelly of the energy transition: critical infrastructure owned by people who never signed up to be critical-infrastructure operators.
A surface that scaled faster than the security model
The scale is the story. By April 2025, Germany had passed five million PV installations representing roughly 104 GW of capacity, according to Clean Energy Wire, and the country added a further ~17.5 GW in 2025. The overwhelming majority of those installations are small rooftop and balcony systems, each shipped with an internet-connected inverter and monitoring portal so the owner can watch generation from a phone app.
Individually, a 9-kilowatt rooftop array is trivial. In aggregate, five million of them are a meaningful slice of the grid — and a distributed attack surface that no single operator is equipped to defend. A hostile actor does not need to breach one large utility; it can hunt for thousands of identical, unpatched inverter management interfaces exposed to the open internet, a pattern security researchers have flagged for years across vendor ecosystems.
The steelman: why broad mandatory supervision is tempting
The regulator's instinct here is defensible, and worth stating fairly. If distributed generation now performs a grid-stabilising function, then leaving its security entirely to consumer goodwill is a genuine systemic risk; a coordinated remote shutdown of aggregated capacity during a demand peak is a credible sabotage scenario. There is a real argument that anything load-bearing for the grid should carry enforceable baseline obligations rather than relying on whether a homeowner happened to change a default password. Germany's own BSI has separately warned that decentralisation and foreign-made inverters expand the attack surface in exactly this way.
But NIS2 cannot reach the assets that are actually exposed
Here is the structural problem. Germany's NIS2 Implementation Act entered into force on December 6, 2025, substantially revising the BSI Act and expanding supervision from roughly 4,500 designated critical-infrastructure operators to an estimated 29,500 "essential" and "important" entities. It is one of the most consequential cybersecurity expansions in Europe.
Yet NIS2 is an entity-based regime built on size and sector thresholds — typically headcount and turnover floors that capture medium and large organisations. A household with solar panels, or a five-member energy cooperative, sits far below any of those thresholds. The very operators the BfV says Russia is probing are, almost by definition, outside the scope of the law Germany just broadened to address energy-sector cyber risk. Dragging millions of private citizens into NIS2's registration, risk-management and incident-reporting machinery would be both legally incoherent and practically impossible.
The implementation data underlines how strained the model already is. When the registration window closed on March 6, 2026, only about 11,500 of the ~29,500 obligated entities had registered with the BSI — a 38.5% compliance rate, per analysis from Netguardia. If professionalised mid-market firms with compliance departments are missing the first deadline at that rate, no one should imagine that homeowners and volunteer-run cooperatives can be absorbed into the same framework.
Proportionate fix: push security down to the device, not up to the citizen
The answer is not to expand entity-based supervision until it swallows five million households — that would impose ruinous bureaucracy on exactly the small actors driving Germany's decarbonisation, the same overreach utility associations BDEW and VKU have warned could "slow the energy transition" through hundreds of thousands of administrative acts a year. The proportionate response is to fix the layer where the vulnerability actually lives: the product.
- Secure-by-default at the device level. The EU Cyber Resilience Act already requires connected products to ship without default passwords, with a secure update mechanism and with a vulnerability-handling process. Inverters and their monitoring gateways should be a priority enforcement category, so that a system is shipped hardened rather than retrofitted by a non-expert owner.
- Make safe configuration the path of least resistance. Closed-by-default remote access, automatic firmware updates, and forced credential setup on installation would neutralise most of what the BfV describes — exposed, credential-free, outdated interfaces — without any homeowner reading a security manual.
- Target obligations at installers and aggregators, who are professional, finite in number, and genuinely fall within reach of regulation, rather than at the end consumer.
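As an added illustration (not code from the advisory, from any vendor, or from the article itself), the following hypothetical model shows how the three points above combine into one device-side policy: an audit that flags exactly the exposure the BfV describes (control reachable without credentials, outdated firmware), and a gate that refuses to enable remote control until installer-time provisioning has fixed it. The configuration fields, credential list and version numbers are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: a few well-known factory credentials and an assumed
# vendor-current firmware version. Not taken from any real product.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("user", "1234")}
CURRENT_FIRMWARE = (3, 2, 0)
MIN_PASSWORD_LEN = 12

@dataclass
class GatewayConfig:
    """Hypothetical access policy of an inverter monitoring/control gateway."""
    username: str = "admin"
    password: str = "admin"
    auth_required: bool = False   # monitoring/control endpoint demands a login
    remote_control: bool = False  # control commands accepted from the internet
    auto_update: bool = False     # firmware updates applied automatically
    firmware: tuple = (2, 0, 1)   # factory image, older than CURRENT_FIRMWARE

def credentials_are_weak(cfg: GatewayConfig) -> bool:
    return (cfg.username, cfg.password) in DEFAULT_CREDENTIALS \
        or len(cfg.password) < MIN_PASSWORD_LEN

def audit(cfg: GatewayConfig) -> list:
    """Return the exposures a deployment shows, in the advisory's own terms."""
    findings = []
    if not cfg.auth_required:
        findings.append("control interface reachable without credentials")
    elif credentials_are_weak(cfg):
        findings.append("default or weak credentials")
    if cfg.firmware < CURRENT_FIRMWARE and not cfg.auto_update:
        findings.append("outdated firmware, no automatic updates")
    if cfg.remote_control and findings:
        findings.append("remote control exposed on a weak configuration")
    return findings

def enable_remote_control(cfg: GatewayConfig):
    """Closed-by-default gate: remote control stays off while any finding remains."""
    blocking = audit(GatewayConfig(**{**vars(cfg), "remote_control": False}))
    if blocking:
        return False, blocking
    cfg.remote_control = True
    return True, []

def harden(cfg: GatewayConfig, new_password: str) -> GatewayConfig:
    """Installer-time provisioning: forced credential setup, auth on, auto-update on."""
    if len(new_password) < MIN_PASSWORD_LEN or (cfg.username, new_password) in DEFAULT_CREDENTIALS:
        raise ValueError("password does not meet the minimum policy")
    return GatewayConfig(username=cfg.username, password=new_password, auth_required=True,
                         remote_control=False, auto_update=True, firmware=cfg.firmware)
```

Note that harden() leaves remote control off: the owner still has to opt in, and the gate only lets that happen once the device is no longer in the exposed state.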
Germany's solar success and its security gap are the same phenomenon viewed from two angles. The policy that protects the grid should regulate the small population of vendors and installers who can actually deliver security — and leave the five million households free to keep building the clean-energy system.