WeVote

Bill

Bill

HB 6011

Businesses: other; cybersecurity requirements for large-scale solar energy facilities; provide for. Amends 2008 PA 295 (MCL 460.1001 - 460.1232) by adding sec. 112a.

2025-2026 Regular Session Introduced by Morgan Foreman and 4 co-sponsors

Michigan requires large-scale solar facilities (50 MW+) to implement a risk-based cybersecurity and resilience program protecting safety-critical systems, with incident reporting t

bill electronically reproduced 05/21/2026
0
WeVote Research Nonpartisan
Bill Summary · HB 6011

Overview

HB 6011, introduced in the Michigan 2025-2026 session, adds a new Section 112a to the Clean and Renewable Energy and Energy Waste Reduction Act (2008 PA 295). The bill creates a targeted, risk-based cybersecurity and resilience framework applicable to operators of large-scale solar energy facilities (50 MW nameplate capacity or more), with particular attention to inverter-based control systems and colocated energy storage. It emphasizes safety-critical cyber-physical safety risks and is designed to complement, not duplicate, applicable federal cybersecurity standards.

Purpose and intent

  • Aims to address public health, safety, and emergency-response risks arising from cyber threats to large-scale solar facilities.
  • Establishes scalable, risk-based cybersecurity obligations tailored to facility size, complexity, and foreseeable safety risks.
  • Declares that the section does not regulate siting, permitting, or the creation of a new state regulatory program, and does not broaden state agency oversight beyond the described obligations.

Key provisions and requirements

  • Scope: Applies to operators of large-scale solar energy facilities, including those with energy storage, and focuses on safety-critical cyber-physical systems. It does not cover data centers or general cybersecurity outside this context.
  • Framework alignment: Requires the operator to implement a risk-based cybersecurity and resilience program aligned with nationally recognized frameworks (e.g., NIST, CISA), without mandating a single framework or technology.
  • Tailored program: The program must be appropriate to the facility’s size, complexity, and foreseeable safety risks. It may address:
    • Cyber risk identification
    • Access controls
    • System segmentation
    • Supply chain risk management
    • Periodic review and testing
  • Safeguards: Permits use of safeguards appropriate for the facility (redundant systems, manual overrides, continuity planning). Compliance can leverage existing employees and workforce structures.
  • Incident response: Requires an incident response plan coordinating with emergency responders. Notifications to responders are informational and do not impose new duties on responders.
  • Material cybersecurity incident reporting:
    • Within 24 hours of discovery: notify Michigan State Police and local emergency management coordinator.
    • Within 72 hours: provide a written, high-level incident summary.
  • Enforcement and confidentiality:
    • The Attorney General may request documentation related to material incidents or enforcement, not for routine audits.
    • Sensitive security measures, vulnerabilities, and incident details are exempt from disclosure under the state FOIA.
    • Civil fines: Violations may incur up to $25,000 per day per violation, with a cure period of up to 30 days before enforcement action.
  • Limitations and protections:
    • No new duties on local governments; no changes to workforce levels or bargaining agreements required.
    • Ordinary mechanical failure or routine operational errors do not constitute a cybersecurity incident unless they involve unauthorized access/manipulation of safety-critical systems.

Definitions (selected)

  • Large-scale solar energy facility: Solar generation facility with 50 MW nameplate capacity or more, including on-site equipment, control systems, and colocated energy storage.
  • Cyber compromise: Loss of confidentiality, integrity, or availability of a safety-critical system that impairs safe operation.
  • Material cybersecurity incident: Event likely to result in a cyber compromise of safety-critical systems.
  • Safety-critical systems: Systems essential to safe operation, including battery storage that supports operations.

Affected parties

  • Operators of large-scale solar energy facilities in Michigan (≥50 MW).
  • Emergency responders and local emergency management coordinators (for notification coordination, though notices are informational).
  • Michigan Attorney General and state authorities tasked with enforcement and incident review.

Timelines and process

  • Incident notification requirements begin at discovery with 24-hour and 72-hour reporting windows.
  • 30-day cure period available before enforcement actions for alleged violations.
  • Provisions defer to federal cybersecurity standards where applicable, to avoid duplicative compliance.

Practical impact

  • Introduces a state-specific, risk-based cybersecurity expectation for large solar facilities, potentially improving resilience against cyber incidents that could disrupt safe operations.
  • Balances security with operational flexibility, permitting existing staffing and workflows to satisfy requirements.
  • Enhances transparency and coordination with emergency services during cyber incidents, while shielding sensitive security information from public disclosure.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.