Published on 20 May 2026
Overview
WindEurope welcomes the revision of the Cybersecurity Act and supports strengthening ENISA’s mandate, EU-wide certification schemes, and a harmonised approach to ICT supply chain risks. We call for scope definitions that recognise wind turbines as integrated cyber-physical systems, with enhanced scrutiny limited to seven critical functionalities such as control systems, SCADA, and remote access. We urge at least a 36-month phase-out period for high-risk suppliers, reflecting the 20–30-year lifecycles of wind assets and the operational complexity of offshore replacements. We also call for mandatory industry consultation before any supplier restrictions and for greater alignment between the CSA, NIS2, CRA, DORA, and other overlapping frameworks to reduce duplication and compliance burden.