The European Commission’s recent decision to limit EU funding for projects using inverters and other energy technologies from “risky” suppliers marks an important moment for the solar industry.
Few in the sector expected Brussels to take action so quickly. The financing restrictions are expected to affect an estimated 10-20% of financing flowing into the European solar market, and it has already been announced that the policy direction will extend to wind and battery energy storage systems (BESS).
The European Commission has only just started
As dramatic as the funding cut may be, the real story is still ahead of us. Earlier this year, the European Commission published the draft Cyber Security Act 2 (CSA 2), which explicitly identified solar energy as a sector under investigation. The draft noted that solar energy remains a priority area for further assessment and recommended the mandatory phase-out of high-risk suppliers in 5G infrastructure, another area where cybersecurity controversies have occurred. Active discussions are now taking place in Brussels between policymakers, trade associations, manufacturers, investors and asset owners.
If these measures move forward, they will have a significant impact on the solar energy sector. Restrictions on foreign suppliers can benefit Western producers and support Europe’s strategic energy independence goals, but they will also pose challenges for investors, IPPs and project developers. The question is not whether such a policy will reshape the industry, but whether it will address the cybersecurity problem it is intended to solve.
Why a ban doesn’t work
The rapid integration of wind, solar and battery energy storage systems has transformed Europe’s electricity grid. These assets are often managed remotely and in many cases fall outside the reach of traditional cybersecurity regulations, exposing critical infrastructure to remote digital interference. As the installed base of renewable energy technologies produced in China has surpassed critical thresholds, restrictions on Chinese inverters have become a primary policy response.
A ban on Chinese inverters would undoubtedly promote greater supply chain diversification within the electricity sector. It is easy to see why long-term dependence on a single country for critical energy technologies could pose a strategic risk. Moreover, imposing restrictions on foreign imports would also be in line with the broader objectives of European industrial policy.
However, as a cybersecurity measure, a ban will be much less effective than many think. Think of it this way: even if an immediate import ban is introduced tomorrow, Europe’s electricity grid will remain just as vulnerable. More than 300 GW of Chinese-made inverter capacity has already been installed and will continue to operate across the continent for years to come.
At the same time, the proposal ignores a deeper reality of the supply chain: even many Western-made inverters have historically relied heavily on Chinese-made subcomponents, including modems and CPUs that can themselves serve as attack vectors.
In addition to sourcing components, some Western manufacturers also maintain facilities, partnerships or supply chain relationships in China. This further blurs the distinction between “Chinese” and “non-Chinese” technologies, making the issue significantly more complex than simply replacing one inverter supplier with another.
The financial costs of replacing the entire installed inverter base in Europe would be enormous. And even if such a replacement program were feasible, it would do little to eliminate cybersecurity risks. Inverters are not the only part of a solar power plant.
Renewable energy sources rely on a vast ecosystem of connected technologies that extend far beyond the inverter itself. Data loggers, network gateways, CCTV systems, irradiation sensors, pollution sensors and other communications equipment are all potential entry points into operational networks.
Although inverters are often described as the “brain” of a solar power plant, attackers don’t necessarily have to compromise the brain to compromise the broader system. Any connected device could potentially provide a route to critical infrastructure if not properly secured.
Lessons from real-world attacks
Complicating matters further, supply chain manipulation is just one form of cyberattack. By focusing too much on the origins of hardware, we risk ignoring the actual threat landscape of recent years.
The prevailing debate often emphasizes the hypothetical risk of state-sponsored disruption via Chinese-made inverters. While the likelihood of such an event is still hotly debated, documented real-world incidents show that adversaries do not have to rely on inverters to launch an attack. Instead, they exploit human vulnerabilities, stolen credentials, VPN connections, and zero-day vulnerabilities in network equipment.
The December 2025 compromise of 30 solar power plants in Poland exploited VPN vulnerabilities. A disruption in Denmark in 2023 depended on the compromise of Zyxel gateways. In both cases, adversaries successfully leveraged off-the-shelf networking and security platforms from established, Western-facing vendors. These incidents demonstrate an important reality. Attackers target the weakest route available. Once an adversary gains access to a solar power plant, battery facility or substation control environment, the country of origin of the inverter or data logger becomes functionally irrelevant.
State-sponsored groups, including China-linked actors such as Volt Typhoon as well as Russia-linked actors, have repeatedly demonstrated the ability to compromise networks, supply chains and remote access platforms regardless of the origin of the hardware. The priority should therefore be to prevent breaches from escalating by implementing robust intrusion detection systems, maintaining forensic logs and promoting cross-sector information sharing.
Banning inverters provides limited cybersecurity benefits while distracting from more pressing, systemic issues that can actually be addressed.
Applying cybersecurity to operational reality
The cyber risk for a power plant is not limited to the inverters. Rather, it arises from a wide range of potential vectors. Addressing these risks requires technical standards, operational insight and enforceable security requirements.
The good news is that Europe already has much of the necessary legal framework in place through the Cyber Resilience Act, NIS2 and the Network Code on Cyber Security. The challenge is not a lack of authority, but applying these frameworks to the operational realities of modern renewable energy infrastructure.
What the industry should do next
If Europe’s goal is to improve cybersecurity for all generation equipment connected to the public electricity grid, the focus should be on clear technical standards rooted in zero-trust principles and applied consistently across the sector.
Asset owners need visibility into what exists in their portfolios, who has access to those assets, and how activity is monitored. Operators need stronger intrusion detection capabilities, better logging, better asset inventories, and more control over remote access paths. Proven strategies for prevention, detection and recovery already exist and have been successfully deployed in sectors such as ICT, healthcare and transport, so the solar industry can learn from them.
Rather than waiting for regulators to define these requirements individually, the solar industry has an opportunity to lead the way. A practical next step would be the formation of an industry-led task force that brings together asset owners, operators, manufacturers and cybersecurity specialists to develop technical NIS2 implementation guidance specific to the solar energy sector. Such a framework could provide a practical foundation for policymakers while helping the industry set consistent cybersecurity expectations before regulations become increasingly prescriptive.
The Commission’s funding restrictions have shown that Brussels means business. The debate surrounding CSA 2 suggests that further intervention is likely. But if Europe’s goal is truly to secure its energy infrastructure, the conversation must go beyond where the equipment is produced and focus on how critical infrastructure is actually protected. That’s where the real challenge in cybersecurity lies, and it’s where the industry’s attention needs to be focused now.
