Authors: Roland Atoui & Isaac Dangana
Introduction
The photovoltaic (PV) sector is rapidly becoming “digital infrastructure,” not just power electronics. Modern PV and storage deployments increasingly rely on networked inverters, gateways, and cloud-connected monitoring/control functions, which expands both the attack surface and the potential impact of a successful compromise. The U.S. Department of Energy (DOE) notes that solar energy technologies can be vulnerable to cyberattack through inverters and control devices used to help manage the electric grid, and that Internet-connected operational-technology devices (such as PV inverters) are at higher risk than stand-alone devices; DOE also highlights that grid-device attacks can have physical consequences such as loss of power and fires.
This is why security certification and labelling schemes, once predominantly focused on classic consumer IoT (cameras, routers, etc.), have now turned their attention towards “energy IoT” products, especially where fleet management or third-party integrations exist. SolarPower Europe, in a new report produced on its behalf by DNV, similarly frames photovoltaic (PV) systems as “..increasingly digitized and connected to the internet via inverters, with potential grid instability implications and a need for sector specific remedies.” Furthermore, “PV cybersecurity” has attracted the attention of NIST via its smart inverter guidance, which explicitly ties inverter cybersecurity to grid stability and performance considerations in real-world vulnerability analysis and testing.
Against this backdrop, certification must be seen as more than just a marketing label. It is increasingly becoming a market-access condition (the Cyber Resilience Act in Europe) and a procurement differentiator (JC-STAR in Japan). The era of treating such labels as nice-to-have consumer information tools is over. Cybersecurity certification labels now sit at the intersection of consumer protection, digital trade, product liability and industrial policy.
Cyber Resilience Act: A view through the certification lens
The EU Cyber Resilience Act is an EU law that sets horizontal cybersecurity requirements for “products with digital elements” placed on the EU market, including components sold separately. The CRA matters because it is a legal framework that will be enforced through the EU product compliance architecture: conformity assessment, technical documentation, CE marking, market surveillance, etc. Thus, without compliance with the CRA, a product cannot obtain the CE marking and hence cannot access the single market.

CRA Timelines
The CRA entered into force on 10 December 2024. The Article 14 reporting obligations for product manufacturers apply from 11 September 2026, while the other articles of the CRA become fully applicable on 11 December 2027. These dates imply that engineers cannot wait until 2027 to retrofit security-by-design controls without incurring a heavy cost burden.
Risk-tiered conformity assessment
The CRA explicitly differentiates conformity assessment expectations by risk tier and by product category. The Commission summary explains that products whose core functionality matches categories in Annexes III and IV are treated as “important” or “critical” and are subject to corresponding conformity assessment procedures. It is worth noting that for most products (the default product class), the conformity assessment route is manufacturer self-assessment, while a smaller subset requires third-party involvement via notified bodies.
Harmonised standards are the CRA’s “compliance accelerators”
In CRA terms, harmonised standards translate high-level essential requirements into implementable technical requirements that manufacturers can follow. Using these standards bestows a presumption of conformity on a product and thus accelerates the conformity assessment process for the manufacturer. The EU’s harmonised standard framework defines such standards as European standards developed by CEN, CENELEC, or ETSI following a Commission request. Importantly, the Commission has already adopted a CRA standardisation request (Mandate M/606) listing 41 standards (horizontal and vertical/product-specific) intended to support implementation of the CRA’s essential requirements. CEN-CENELEC also confirms that the CRA standardisation request was accepted and that the ESOs aim to deliver harmonised standards ahead of CRA application. ETSI EN 303 645 and IEC 62443 stand out as core standards upon which the CRA harmonised standards are being built.
Mutual Recognition
While the CRA is EU law, it is not conceived to be “EU only”. The law envisages mutual recognition agreements with third countries as a trade facilitation mechanism, in line with Article 218 of the TFEU. In practice, this is a game changer because it signals a pathway to formal mutual recognition agreements, which are a more potent driver of efficiency (by eliminating the cost of going through multiple certifications) than evidence reuse alone. Thus, a CRA-aligned approach is not just “compliance work,” it is also “positioning work” for cross-border acceptance.
JC-STAR essentials that matter for mutual recognition discussions
METI (Ministry of Economy, Trade and Industry) and IPA (Information-technology Promotion Agency) launched JC-STAR in March 2025 as a way to evaluate and visualize product security, helping buyers select products that align with their desired security levels.

JC-STAR is described by METI as a voluntary multi-level scheme, with STAR-1 as a unified baseline across IoT products and STAR-2, STAR-3 and STAR-4 as product-category conformance criteria. For STAR-1 and STAR-2, labels are granted by IPA based on self-declarations of conformity; for STAR-3 and STAR-4, labels rely on third-party evaluations by independent test laboratories to achieve higher reliability (notably for government agencies and critical infrastructure procurement). In terms of scope, the label targets IoT products capable of communicating with the internet, aiming to evaluate and visualize the security functions built into those products against a common standard.
JC-STAR Timelines & Conformity Model
METI states that Japan’s government cybersecurity procurement guidance (FY2023 edition, revised July 2024) plans to include a “STAR-1-or-above” acquisition criterion in procurement by the end of FY2025, with progression to higher levels as categories expand. This is a different paradigm from the CRA’s market-restriction approach, yet it remains a powerful driver for manufacturers to comply: even if JC-STAR begins as “voluntary,” procurement policies make it commercially mandatory in practice.
Mutual Recognition
JC-STAR clearly asserts that its overall security requirements are structured based on relationships among domestic/international requirements “such as ETSI EN 303645, NISTIR 8425 and EU-CRA, with a view to achieving mutual recognition in the future”. The Japanese government clearly positions JC-STAR not as an isolated national label, but rather as a compliance convergence mechanism.
State of Play: Mutual Recognition Today
JC-STAR – EU CRA: Ongoing effort towards Mutual Recognition
Achieving full mutual recognition requires delicate alignment at the technical level, but also governance, legal and political considerations. For JC-STAR and the EU CRA, mutual recognition efforts are already underway, but some key questions remain open as of now: notably, how to reconcile the CRA, which requires a risk-based approach to lifecycle obligations, with JC-STAR’s approach of tiered security levels that cover a defined set of risks.
At the most recent technical experts meeting, on Tuesday 27 January 2026, the EU and Japanese representatives studied the mapping between the EU Cyber Resilience Act (CRA) and Japan’s JC-STAR cybersecurity conformity assessment scheme. “During the workshop, preliminary mapping results comparing JC-STAR requirements with CRA essential requirements, shows a high level of conceptual alignment but also structural differences, such as risk-based lifecycle obligations under the CRA versus tiered security levels under JC-STAR”. The next meeting is scheduled to extend the mapping to include the harmonised standards currently being developed by ETSI and CEN-CENELEC.
Achieving Alignment: Scaling Global Trust Governance
Mutual Acceptance of Evidence
Mutual recognition can be scaled if we adopt a “one test, many acceptances” logic. Taking a cue from the IECEE CB scheme for product safety, a single, primary set of test evidence would be generated and mapped to a shared baseline of international standards, allowing that evidence to be accepted across multiple national and regional schemes through mutual recognition or streamlined procedures. Today, the IECEE CB Scheme represents one of the world’s successful multilateral agreements for the mutual recognition of product certifications. Managed by the International Electrotechnical Commission (IEC), it currently encompasses over 50 member countries and boasts a network of over 500 testing laboratories (CBTLs) that provide services to product manufacturers.
Thus, a manufacturer can have a product tested in a single member country and receive a CB Test Certificate, which is then legally recognized by National Certification Bodies (NCBs) in all other member nations without the need for redundant testing. This infrastructure governs electrical safety and EMC, effectively eliminating technical barriers to trade for billions of dollars in hardware.
Applying the IECEE “engine” to product cybersecurity labelling would be a paradigm shift, transitioning from the current “siloed” national schemes to a Global Trust Governance model. While initiatives like the 2025 Global Cybersecurity Labelling Initiative (GCLI) establish the political intent for mutual recognition, the IECEE approach demonstrates a proven method of implementing it. By integrating cybersecurity standards (such as the IEC 62443 series or ETSI EN 303 645) into the CB Scheme, countries can leverage existing, legally binding frameworks for laboratory accreditation and peer assessment. This prevents the “certification fatigue” currently plaguing industries like medical devices and renewable energy, where a single product may otherwise require separate, nearly identical security audits for every market it enters.
The benefits of this alignment extend beyond mere administrative ease; it creates a standardized minimum security level for the global supply chain. For emerging economies, aligning with the IECEE framework allows them to adopt world-class security benchmarks instantly without building a testing infrastructure from scratch. For established markets, it ensures that imported high-risk components, like the string inverters in a PV system or other connected devices, meet a verified “technical truth” before they cross borders. Scaling global trust through the IECEE mechanism would reduce time-to-market by an estimated 30-50%, lower compliance costs, and ensure that “Security-by-Design” becomes a universal market requirement rather than a regional luxury.
Achieving Alignment: Evidence preparation
In cross-border compliance, the most expensive failure mode is not paying two application fees; it is doing two parallel compliance builds, i.e. separate requirement interpretations, engineering work packages, documentation sets, test plans and labs, separate vulnerability handling processes, and audit cycles. If manufacturers adopt CRA-style secure-by-design controls and evidence structures (“CRA-first”), they can reuse a large portion of the same artifacts for JC-STAR and other labelling schemes, thereby reducing the probability of a costly re-certification project later.
A CRA-first evidence package that also maps well to JC-STAR
A practical way to operationalize mutual recognition (even before formal agreements) is to build one master evidence package that maps to:
- CRA essential requirements (Annex I and Annex II concepts, plus conformity assessment expectations), and
- JC-STAR STAR-1 baseline and the targeted STAR-2/3/4 product-category tracks, and
- EN 303 645, IEC 62443, or any PV-sector-relevant extensions.

The reusable package should include a product cybersecurity risk assessment, secure-by-design and secure-by-default design decisions, software update and support-period commitments, etc. This is where the cost-saving argument becomes tangible because once these artifacts exist in a CRA-shaped structure, adapting to JC-STAR becomes an exercise in mapping and formatting, not reinvention.
Practical implications for PV inverters, storage, and EMS devices in a Japan–Europe strategy
Procurement strategies
Energy Management System (EMS) devices represent a critical node in the energy infrastructure, where the primary cyber risk involves attacks on grid stability and data integrity. Under the EU Cyber Resilience Act (CRA), these devices may be classified as “Important” (Class I or II) or even “Critical” products due to their role in managing power flows and the scale of impact that disrupting such systems may cause. This classification mandates rigorous conformity assessments and, for higher-risk tiers, mandatory third-party audits to ensure “Security-by-Design”. In contrast, the Japanese JC-STAR scheme specifically targets IP-connected IoT products that communicate over the internet.
Consequently, a strategic delta exists: while a local EMS device without external communication capabilities may fall outside the JC-STAR labelling scope, it remains a regulated Product with Digital Elements (PDE) under the CRA, requiring full documentation of its internal security posture and risk assessment, and, depending on its core functionality, it may be placed in a stricter CRA category (Important or Critical). Thus, manufacturers will need to build their development process so that both connected and local EMS devices can demonstrate the CRA essential requirements, because the CRA is a market-access regime with broad applicability beyond internet-connected devices. Manufacturers can then prioritize higher-assurance testing and certification for the internet-connected products that fall within the scope of JC-STAR.
Strategically, the convergence of these frameworks offers a path to securing national critical infrastructure through a “Trusted EMS + Managed Energy Equipment” model. By mandating that only EMS devices with third-party-verified security labels (such as JC-STAR STAR-3/4 or CRA Notified Body certification) are procured for remote grid management, while less sophisticated local EMS devices need only maintain CRA compliance, governments can establish a hardened perimeter against external cyber threats. This aligns with the “one test, many acceptances” logic; for instance, a PV inverter or storage unit verified against international baselines like ETSI EN 303 645 can use that single set of evidence to achieve both a JC-STAR label for the Japanese market and a CE mark for the EU. Such a streamlined procedure ensures that the energy management backbone is composed exclusively of relatively cheaper, trusted, industrialized components that are resilient to the evolving threat landscape.
Recommended positioning for clients selling PV/EMS across Japan and Europe
The shifting regulatory landscape for IoT and energy infrastructure demands a transition from localized compliance “checkboxes” to a unified, global cybersecurity architecture. For manufacturers of PV inverters, energy storage, and Energy Management Systems (EMS) operating across the European and Japanese markets, the path forward is clear: standardization is the engine, and the EU Cyber Resilience Act (CRA), being broader in scope, is the entry point.
The “CRA-First” Strategic Positioning
Our core recommendation for multi-market success is to build products and technical documentation within a CRA-oriented structure immediately. Rather than treating the EU CRA and Japan’s JC-STAR as separate compliance hurdles, organizations should treat JC-STAR acquisition as a formatted output of an underlying CRA-compliant system.
Efficiency Through Alignment: Building to the CRA’s mandatory requirements ensures that the majority of technical evidence, such as risk assessments, SBOMs, and vulnerability handling processes, is already in place for other schemes.
Leveraging Global Momentum: This strategy aligns with the Global Cyber-Security Labeling Initiative (GCLI) and the EU’s ongoing work to operationalize the CRA through harmonized standards (M/606). By following these standards, manufacturers gain a “presumption of conformity” that transcends regional borders.
Final Verdict: The Trusted Ecosystem
For the energy sector, this strategy does more than reduce administrative overhead. By industrializing compliance, PV and EMS providers can ensure their devices are exclusively procured for critical national infrastructure, turning regulatory pressure into a definitive competitive edge.
In a world where cyber resilience is a prerequisite for market entry, the goal is to stop “doing compliance” as a manual, repetitive task and start shipping products that are secure by design and compliant by default.