The real cybersecurity debate around chinese inverters is only just beginning

The European Commission’s recent decision to restrict EU funding for projects using inverters and other energy technologies from “high-risk” vendors marks a significant moment for the solar industry.

Few in the sector expected Brussels to move this quickly. The financing restrictions are expected to affect an estimated 10-20% of financing flowing into Europe’s solar market and have already been signalled as a policy direction that will expand into wind and battery energy storage systems (BESS).

The EU Commission is just getting started

As dramatic as the funding restriction may be, the real story is still ahead of us. Earlier this year, the European Commission published the draft Cyber Security Act 2 (CSA 2), which explicitly identified solar as a sector under examination. The draft noted that solar remains a priority area for further assessment and recommended the mandatory phase-out of high-risk vendors in 5G infrastructure, another area that has seen cybersecurity controversy. Discussions are now actively taking place in Brussels between policymakers, industry associations, manufacturers, investors and asset owners.

If these measures progress, they will have a significant impact on the solar sector. Restrictions on foreign suppliers may benefit Western manufacturers and support Europe’s strategic energy independence objectives, but they will also create challenges for investors, IPPs and project developers. The question is not whether such policies will reshape the industry, but whether they will address the cybersecurity problem they are intended to solve.

Why a ban won’t work

The rapid integration of wind, solar and battery energy storage systems has transformed Europe’s grid. These assets are often remotely operated and, in many cases, fall outside the scope of traditional cybersecurity regulations, leaving critical infrastructure exposed to remote digital interference. As the installed base of Chinese-made renewable energy technologies has grown beyond critical thresholds, restrictions on Chinese inverters have emerged as a primary policy response.

A ban on Chinese inverters would undoubtedly advance greater supply chain diversification within the electricity sector. It is easy to see why long-term dependence on any single country for critical energy technologies can present a strategic risk. Moreover, imposing restrictions on foreign imports would also align with broader European industrial policy objectives.

However, as a cybersecurity measure, a ban will be far less effective than many assume. Think of it this way: even if an immediate import ban were introduced tomorrow, Europe’s grid will remain just as exposed. More than 300 GW of Chinese-made inverter capacity is already installed and would continue operating across the continent for years to come.

At the same time, the proposal overlooks a deeper supply chain reality: even many Western-manufactured inverters have historically relied heavily on Chinese-made sub-components, including modems and CPUs that can themselves serve as attack vectors.

Beyond component sourcing, some Western manufacturers also maintain facilities, partnerships or supply chain relationships within China. This further blurs the distinction between “Chinese” and “non-Chinese” technologies, making the issue significantly more complex than simply replacing one inverter supplier with another.

The financial cost of replacing Europe’s entire installed inverter base would be enormous. And even if such a replacement programme were feasible, it would do little to eliminate cybersecurity risk. Inverters are not the only piece of equipment in a solar plant.

Renewable energy assets depend on a vast ecosystem of connected technologies that extend far beyond the inverter itself. Data loggers, network gateways, CCTV systems, irradiance sensors, soiling sensors and other communications devices are all potential entry points into operational networks.

While inverters are often described as the “brains” of a solar plant, attackers do not necessarily need to compromise the brain to compromise the wider system. Any connected device can potentially provide a route into critical infrastructure if it is not properly secured.

Lessons from real-world attacks

Complicating matters further, supply chain manipulation is only one form of cyberattack. By overly focusing on hardware origin, we risk ignoring the actual threat landscape of recent years.

The prevailing debate frequently highlights the hypothetical risk of state-sponsored disruption via Chinese-manufactured inverters. While the probability of such an event remains hotly debated, documented real-world incidents demonstrate that adversaries don’t need to rely on inverters to launch an attack. Instead, they exploit human vulnerabilities, stolen credentials, VPN connections and zero-day vulnerabilities in networking equipment.

The December 2025 compromise of 30 solar plants in Poland exploited VPN vulnerabilities. A 2023 disruption in Denmark relied on the compromise of Zyxel gateways. In both cases, adversaries successfully used standard networking and security platforms from established Western-aligned vendors. These incidents demonstrate an important reality. Attackers target the weakest available pathway. Once an adversary gains access to a solar plant, battery facility or substation control environment, the country of origin of the inverter or data logger becomes functionally irrelevant.

State-sponsored groups, including Chinese-affiliated actors such as Volt Typhoon, or Russian-affiliated ones have repeatedly demonstrated the ability to compromise networks, supply chains and remote access platforms irrespective of hardware origin. The priority therefore should be preventing breaches from escalating by implementing robust intrusion detection systems, maintaining forensic logs and fostering cross-sector information sharing.

A ban on inverters offers limited cybersecurity benefits while distracting from more urgent, systemic issues that can actually be addressed.

Applying cybersecurity to operational reality

The cyber risk to a power plant is not limited to its inverters. Rather, it stems from a wide array of potential vectors. Addressing these risks requires technical standards, operational visibility and enforceable security requirements.

The good news is that Europe already possesses much of the necessary legal framework through the Cyber Resilience Act, NIS2 and the Network Code on Cyber Security. The challenge is not a lack of authority, but applying these frameworks to the operational realities of modern renewable energy infrastructure.

What the industry should do next

If Europe’s goal is to improve cybersecurity across generation assets connected to the public grid, the focus should be on clear technical standards rooted in zero-trust principles and applied consistently across the sector.

Asset owners need visibility into what exists within their portfolios, who has access to those assets and how activity is monitored. Operators need stronger intrusion detection capabilities, better logging, improved asset inventories and greater control over remote access pathways. Proven strategies for prevention, detection and recovery already exist and have been successfully deployed across sectors such as ICT, healthcare and transportation, so can take learnings from other sectors.

Rather than waiting for regulators to define these requirements in isolation, the solar industry has an opportunity to take the lead. A practical next step would be the formation of an industry-led task force bringing together asset owners, operators, manufacturers and cybersecurity specialists to develop a technical NIS2 implementation guideline specifically for the solar sector. Such a framework could provide policymakers with a practical baseline while helping the industry establish consistent cybersecurity expectations before regulation becomes more prescriptive.

The Commission’s funding restrictions have shown that Brussels is serious. The debate around CSA 2 suggests further intervention is likely. But, if Europe’s objective is truly to secure its energy infrastructure, the conversation must move beyond where equipment is manufactured and focus on how critical infrastructure is actually protected. That is where the real cybersecurity challenge lies, and it is where the industry’s attention should now be focused.