
Expected changes to the EU’s cybersecurity laws that could have significant implications for the continent’s solar industry have been delayed, reportedly due to disagreement between officials and member states.
The Cybersecurity Act (CSA) has been under review in recent months because of an increase in cyberattacks since its initial passage in 2019. Results from the review were initially expected yesterday (14 January), but reports have circulated saying it might be delayed until 20 January due to disagreements between officials and member states over the scope of the changes.
The biggest flashpoints for the solar industry will likely come over the rumoured restrictions on digital technology supply chains. Europe’s solar inverter market is dominated by Chinese firms, led by Huawei, Sungrow, GoodWe and Deye, and harsher restrictions on component supply could bar some of these companies from critical infrastructure projects. Huawei is already heavily restricted in the telecoms sector.
In November, Henna Virkkunen, executive vice president of the Commission for technology and security, said that the CSA review would address “the security and resilience of ICT supply chains and infrastructure”, and solar industry sources have suggested to PV Tech that the review could include a mandatory phaseout of Chinese technology from critical infrastructure, including solar projects.
The European Parliament has also said that the potential inclusion of digital “sovereignty” provisions in cybersecurity certifications provoked opposition from certain industrial stakeholders and member states during the review process. This would require that cloud services for European infrastructure must be based in the EU in order to gain cybersecurity certification, which could potentially shift the focus from actual component supply to the servers and data centres that power them.
Europe’s energy vulnerability
The EU already designated solar inverters as a “high-risk” supply dependency in its Economic Security Doctrine, released in December, due to the combination of cybersecurity concerns and the industry’s “reliance on a single supplier” – China. Parts of the industry and some EU officials have been calling for greater restrictions around solar inverters for some time; trade body SolarPower Europe called for an “action plan” to support domestic inverter producers back in November 2024, citing the risk that Europe would lose control of “critical” digital infrastructure if the sector folded.
If the EU rules that Chinese technology must be phased out of critical infrastructure, many solar PV and energy storage projects could face the removal and replacement of their inverters, or new projects could be barred from using imported tech. This may only apply to large utility-scale projects, as the EU’s definition of critical infrastructure specifies infrastructure which is “essential for the maintenance of vital societal functions… and the disruption or destruction of which would have a significant impact on at least two Member States”, and putting strict and onerous restrictions on domestic inverter supply would likely cause a much bigger political headache.
Restrictions on solar inverters and digital infrastructure products won’t be a uniquely European phenomenon; China already doesn’t allow any remote influence on devices in its power grid under its Multi-Level Protection Scheme (MLPS) 2.0 law, and hasn’t done since 2019, the same year Europe’s CSA was passed.
The CSA review is assessing non-technical supply chain restrictions that could be imposed by the European Cybersecurity Agency (ENISA). These could take the form of mandatory cybersecurity certifications, restrictions on single suppliers or countries dominating inverter supply, similar to restrictions on Huawei’s 5G infrastructure, or attempts to fully recall and replace certain products.
Last year, PV Tech Premium heard that more extreme moves to replace inverters or ban suppliers would face “a lot of political opposition”, an assessment which might be proving true behind the scenes of the delayed CSA review.
A June 2025 report from cybersecurity firm Forescout said that of the 35,000 solar devices (inverters, dataloggers etc.) with remote internet access that it surveyed around the world, 76% were in Europe. This remote access is the fundamental problem for energy cybersecurity, as the cloud infrastructure and servers connected to inverters can be vulnerable to manipulation or attack.
The technical-based “sovereignty” proposals for basing essential cloud infrastructure in the EU could put restrictions on remote access, potentially meaning solar projects over a certain critical threshold can’t be linked to any cloud infrastructure or data centre elsewhere in the world.
The European Parliament said the digital sovereignty plan has received particular pushback from big US tech firms like Amazon, Google and Microsoft, who are integrated with much of the EU’s cloud infrastructure and want to avoid mandatory regulations and ceding influence. But it could prove important for the solar and storage industries, where digital control tends to skew east rather than west. Instead of outright supply bans, we could be looking at a certification system which requires that essential EU cloud infrastructure is kept in-house, which would have technical implications for solar projects.
Whether or not there are active digital threats to Europe’s renewable energy infrastructure is hard to know, but experts who have previously spoken to PV Tech agreed that the current legislation and regulations aren’t secure enough. Whether based on the risk of potential bad actors, be they Russian, Chinese or hackers-for-hire, or from the principle of keeping the back door to Europe’s energy supply locked, there seems broad acceptance that the CSA review needs to produce something robust. European inverter producers will probably be in favour of the harshest restrictions, as many of their products will become more desirable overnight, while big players from China – who have deep roots in Europe’s solar industry and infrastructure – will look for something closer to a set of standards or guidelines.