IEC 63349-2:2026 Adds Mandatory Cybersecurity for PCS

On 1 May 2026, the International Electrotechnical Commission (IEC) published IEC 63349-2:2026, the first edition of Storage Inverters – Safety and Electromagnetic Compatibility Requirements – Part 2: Cybersecurity. This standard introduces mandatory cybersecurity requirements for power conversion systems (PCS), directly impacting manufacturers exporting to regulated markets including the EU, Australia, and South Korea.

Event Overview

The IEC officially released IEC 63349-2:2026 on 1 May 2026. The standard specifies mandatory testing for operational technology (OT) cybersecurity capabilities in PCS, including firmware signature verification, encrypted remote firmware updates, and abnormal communication traffic blocking. It applies to all PCS integrated into energy storage systems intended for global export. Chinese leading PCS manufacturers have initiated certification processes with TÜV Rheinland;首批 certificates are expected to be issued in October 2026. Products without this certification will be excluded from large-scale photovoltaic-plus-storage tenders overseas starting in 2027.

Impact on Specific Industry Segments

Direct Exporters of PCS and Integrated ESS

Exporters supplying PCS to IEC-regulated markets must comply with IEC 63349-2:2026 to maintain market access. Non-compliance directly affects tender eligibility, especially for utility-scale projects in Europe, Australia, and South Korea where certification is increasingly required in procurement specifications.

PCS Manufacturing Firms (OEM/ODM)

Manufacturers—particularly those based in China supplying global system integrators or EPC contractors—face a six-month window to complete TÜV Rheinland certification. Delays risk production scheduling disruptions, contract renegotiations, and loss of competitive positioning in upcoming bid cycles.

Energy Storage System Integrators and EPC Contractors

Integrators sourcing PCS for turnkey projects must verify supplier certification status before design finalization. Uncertified PCS may trigger compliance rework, project delays, or rejection during third-party audit phases common in EU and Australian grid interconnection procedures.

Supply Chain and Certification Support Providers

Testing laboratories, certification consultants, and firmware security validation service providers are seeing increased demand for OT-specific assessments aligned with IEC 63349-2:2026. Capacity constraints at major notified bodies (e.g., TÜV Rheinland) may extend lead times beyond typical certification cycles.

What Relevant Enterprises or Practitioners Should Focus On Now

Monitor official interpretations and national adoption timelines

While IEC 63349-2:2026 is an international standard, its enforceability depends on national transposition—for example, as a harmonized standard under the EU’s Low Voltage Directive or as a referenced requirement in Australian AS/NZS 5139:2021 amendments. Stakeholders should track updates from national standards bodies (e.g., DIN, BSI, SAI Global) and regulatory authorities (e.g., ENTSO-E, AEMO).

Prioritize certification for PCS models destined for high-regulation markets

Not all PCS variants require immediate certification. Analysis shows that only models intended for grid-connected, utility-scale, or critical infrastructure applications face near-term enforcement pressure. Manufacturers should triage product lines by target market, application class, and tender pipeline—not apply blanket certification across portfolios.

Distinguish between policy signal and operational readiness

The May 2026 publication marks formal standard release—not immediate legal enforcement. Observably, full market exclusion begins only in 2027 for large tenders. However, procurement documents issued from Q3 2026 onward may already reference IEC 63349-2:2026 as a prequalification criterion. Early alignment avoids last-minute disqualification.

Initiate internal firmware and communication architecture review now

Certification requires demonstrable implementation of firmware signing, TLS-secured OTA updates, and stateful packet inspection for Modbus/TCP or IEC 61850 traffic. Current more suitable understanding is that technical readiness—not just paperwork—drives successful assessment. Engineering teams should audit existing communication protocols and update mechanisms against Clause 6 and Annex A of IEC 63349-2:2026 before engaging a certification body.

Editor Perspective / Industry Observation

This development is better understood as a formalized escalation of long-emerging expectations—not a sudden regulatory shock. From an industry perspective, IEC 63349-2:2026 codifies practices already adopted by Tier-1 OEMs in response to cyber incident disclosures and insurer requirements. Its significance lies less in introducing entirely new concepts and more in establishing a globally recognized, testable benchmark for PCS cybersecurity. Analysis shows it functions primarily as a market gatekeeper mechanism: compliance is becoming a prerequisite for participation, not merely a differentiator. Continued attention is warranted because national regulators may accelerate adoption timelines, and downstream standards (e.g., UL 1741 SB, IEEE 1547-2018 Annex H) are likely to align with its technical scope in future revisions.

Conclusion

IEC 63349-2:2026 signals a structural shift in how PCS cybersecurity is governed across international energy markets. It does not represent a one-time compliance checkpoint but rather the institutionalization of OT security as a baseline requirement for hardware eligibility. For affected stakeholders, the current phase is best interpreted as a defined preparation window—not a completed transition. Proactive technical alignment, selective certification prioritization, and close tracking of national implementation schedules remain the most rational responses.

Information Source

Main source: International Electrotechnical Commission (IEC), official publication notice for IEC 63349-2:2026, dated 1 May 2026.
Points requiring ongoing observation: National transposition status in key markets (EU, Australia, South Korea); exact timing of enforcement in public tenders; potential updates to related standards such as IEC 62443-3-3 or UL 62368-1 Annex HA.