[Opinion] The real cybersecurity debate around Chinese inverters is only just beginning

9h 32m ago by scribe.disroot.org/u/randomname in buyeuropean@feddit.uk from www.pv-magazine.com

The European Commission’s move to restrict funding for projects using high-risk inverter vendors marks a turning point for solar cybersecurity. In this opinionated article, Uri Sadot, founder and CEO of SolarDefend and a longtime renewable energy cybersecurity specialist, explains why banning Chinese inverters may support Europe’s strategic independence, but will not solve the sector’s cybersecurity challenge. The road to greater security must include clear technical standards, stronger asset visibility and practical implementation of NIS2.

The European Commission’s recent decision to restrict EU funding for projects using inverters and other energy technologies from “high-risk” vendors marks a significant moment for the solar industry.

...

As dramatic as the funding restriction may be, the real story is still ahead of us. Earlier this year, the European Commission published the draft Cyber Security Act 2 (CSA 2), which explicitly identified solar as a sector under examination. The draft noted that solar remains a priority area for further assessment and recommended the mandatory phase-out of high-risk vendors in 5G infrastructure, another area that has seen cybersecurity controversy. Discussions are now actively taking place in Brussels between policymakers, industry associations, manufacturers, investors and asset owners.

...

The question is not whether such policies will reshape the industry, but whether they will address the cybersecurity problem they are intended to solve.

...

A ban on Chinese inverters would undoubtedly advance greater supply chain diversification within the electricity sector. It is easy to see why long-term dependence on any single country for critical energy technologies can present a strategic risk. Moreover, imposing restrictions on foreign imports would also align with broader European industrial policy objectives.

However, as a cybersecurity measure, a ban will be far less effective than many assume. Think of it this way: even if an immediate import ban were introduced tomorrow, Europe’s grid would remain just as exposed. More than 300 GW of Chinese-made inverter capacity is already installed and would continue operating across the continent for years to come.

...

The cyber risk to a power plant is not limited to its inverters. Rather, it stems from a wide array of potential vectors. Addressing these risks requires technical standards, operational visibility and enforceable security requirements.

The good news is that Europe already possesses much of the necessary legal framework through the Cyber Resilience Act, NIS2 and the Network Code on Cyber Security. The challenge is not a lack of authority, but applying these frameworks to the operational realities of modern renewable energy infrastructure.

...

What the industry should do next

  • Asset owners need visibility into what exists within their portfolios, who has access to those assets and how activity is monitored. Operators need stronger intrusion detection capabilities, better logging, improved asset inventories and greater control over remote access pathways. Proven strategies for prevention, detection and recovery already exist and have been successfully deployed across sectors such as ICT, healthcare and transportation, so the solar industry can take learnings from other sectors.

  • Rather than waiting for regulators to define these requirements in isolation, the solar industry has an opportunity to take the lead. A practical next step would be the formation of an industry-led task force bringing together asset owners, operators, manufacturers and cybersecurity specialists to develop a technical NIS2 implementation guideline specifically for the solar sector. Such a framework could provide policymakers with a practical baseline while helping the industry establish consistent cybersecurity expectations before regulation becomes more prescriptive.

...

The Commission’s funding restrictions have shown that Brussels is serious. The debate around CSA 2 suggests further intervention is likely. But, if Europe’s objective is truly to secure its energy infrastructure, the conversation must move beyond where equipment is manufactured and focus on how critical infrastructure is actually protected. That is where the real cybersecurity challenge lies, and it is where the industry’s attention should now be focused.