The real cybersecurity debate around Chinese inverters is only just beginning

TL;DR

European regulators are moving to restrict funding for projects using Chinese-made inverters, signaling a shift in energy security policy. However, cybersecurity experts caution that banning Chinese inverters alone won’t address broader vulnerabilities in the energy grid.

The European Commission has announced restrictions on funding for energy projects that use Chinese-made inverters, marking a significant policy move aimed at reducing perceived cybersecurity risks. While this step aims to support Europe’s strategic energy independence, experts warn that the underlying cybersecurity challenges extend beyond the origin of inverter components and are far more systemic.

Earlier this year, the European Commission signaled that solar energy infrastructure, including inverters, would be subject to increased scrutiny under the draft Cyber Security Act 2. The recent decision to restrict EU funding for projects utilizing high-risk vendors, including Chinese inverter manufacturers, is expected to impact 10-20% of solar project financing in Europe. Policymakers argue that such measures could reduce potential foreign interference, especially amid rising geopolitical tensions.

However, cybersecurity specialists like Uri Sadot, founder of SolarDefend, emphasize that banning Chinese inverters will not eliminate systemic vulnerabilities. Over 300 gigawatts of Chinese-made inverter capacity are already installed across Europe and will remain operational for years. Furthermore, many Western inverters rely on Chinese components like modems and CPUs, blurring the lines between ‘Chinese’ and ‘Western’ technology. Supply chain dependencies and embedded vulnerabilities mean that simply replacing suppliers may be ineffective and prohibitively expensive.

Recent cyberattacks on European solar plants illustrate that adversaries exploit a range of entry points beyond hardware origin. Incidents in Poland and Denmark involved compromising VPNs and network gateways from Western vendors, demonstrating that attackers target the weakest links—often human factors and network security—rather than hardware origin alone.

Implications for Europe’s Energy Security Strategy

This policy shift underscores Europe’s desire to reduce reliance on foreign energy technology vendors perceived as high risk. While it may support industrial independence and align with broader geopolitical aims, experts warn that it does not address the core cybersecurity vulnerabilities of the energy grid. The systemic nature of these vulnerabilities means that hardware bans alone are unlikely to prevent cyberattacks, which can exploit software, human error, and network weaknesses.

Adopting a comprehensive approach—including technical standards, asset visibility, and practical implementation of regulations like NIS2—is critical to truly enhancing grid security. Without this, the risk of cyber incidents remains significant, regardless of inverter origin.

European Policy Shift and Growing Cybersecurity Concerns

Earlier this year, the European Commission published the draft Cyber Security Act 2, explicitly identifying solar energy as a key sector for cybersecurity assessment. The EU has already begun restricting funding for projects using high-risk vendors, focusing initially on Chinese inverter manufacturers. This move aligns with broader efforts to diversify supply chains and bolster energy independence amid geopolitical tensions.

Despite the policy momentum, the solar industry faces complex supply chain realities. Over 300 GW of Chinese inverters are already installed across Europe, and many Western manufacturers depend on Chinese components. These interconnected dependencies complicate efforts to isolate or replace high-risk vendors. Industry experts warn that these measures are only the beginning of a broader debate about systemic vulnerabilities in energy infrastructure.

“Banning Chinese inverters alone won’t solve the cybersecurity problem; the real risks lie in systemic vulnerabilities and supply chain dependencies.”

— Uri Sadot, SolarDefend founder

Unresolved Questions About Effectiveness of Hardware Bans

It remains unclear whether restricting funding for high-risk vendors will significantly improve cybersecurity or merely shift risks elsewhere. The extent to which existing supply chains and embedded vulnerabilities will be addressed through policy measures is still under debate. Additionally, the timeline for implementing replacement strategies and the actual impact on grid security are uncertain, as the infrastructure is already deeply embedded and complex.

Next Steps in European Cybersecurity Policy for Energy

Policymakers and industry stakeholders are expected to continue discussions in Brussels regarding the scope of cybersecurity regulations, including standards for hardware and software. The European Commission is likely to expand restrictions to other sectors like wind and battery storage systems. Meanwhile, industry players are exploring technical solutions, such as improved asset visibility and cybersecurity standards, to mitigate systemic risks. The debate over hardware bans versus systemic cybersecurity measures will intensify in the coming months.

Key Questions

Will banning Chinese inverters completely secure Europe’s energy infrastructure?

No, experts warn that systemic vulnerabilities—such as supply chain dependencies, network security, and human factors—must also be addressed to achieve meaningful security improvements.

How many Chinese-made inverters are already installed in Europe?

Over 300 gigawatts of Chinese-made inverter capacity are currently operational across Europe and are expected to remain in service for years.

Are Western inverters free from cybersecurity risks?

No, many Western inverters rely on Chinese components and are part of interconnected supply chains, which also pose cybersecurity challenges.

What are the main challenges in improving grid cybersecurity?

Challenges include managing complex supply chains, securing connected devices beyond inverters, and implementing effective standards and regulations across the energy sector.

Source: PV Magazine

