The European Union has postponed the publication of its revised Cybersecurity Act (CSA) following internal disputes regarding the scope of new regulations. Initially expected in mid-January, the review is now anticipated on January 20. The delay stems from tensions over “digital sovereignty” provisions and potential restrictions on technology supply chains. For the solar industry, these changes could lead to a mandatory phaseout of Chinese-made solar inverters from critical infrastructure, as the EU aims to reduce its reliance on high-risk suppliers and secure its energy grid against cyber threats.
The ongoing review of the CSA, which was first established in 2019, comes in response to a surge in cyberattacks across the continent. While officials had hoped to finalize the update by January 14, disagreements between member states and EU officials regarding the stringency of the new rules have forced a brief extension. Central to the debate is how the bloc will manage its dependence on foreign technology, particularly in sectors deemed vital to national security.
The solar industry is particularly vulnerable to these legislative shifts due to the dominance of Chinese manufacturers in the solar inverter market. Companies such as Huawei, Sungrow, GoodWe, and Deye currently provide the bulk of the hardware used in European projects. However, the EU’s Economic Security Doctrine recently classified solar inverters as a “high-risk” dependency. If the revised CSA mandates a phaseout of technology from specific countries, existing utility-scale projects may be forced to replace their hardware, while new developments could be barred from using imported components.
A significant point of contention involves “digital sovereignty” requirements. These provisions would mandate that cloud services used for critical infrastructure be based within the EU to receive cybersecurity certification. This shift would move the regulatory focus beyond physical hardware to the data centers and servers that manage energy flows. Such a move has reportedly faced opposition not only from hardware manufacturers but also from major US technology firms like Amazon and Google, who provide much of the cloud infrastructure currently utilized in Europe.
The technical necessity for tighter security is highlighted by recent data showing that a vast majority of internet-connected solar devices—including solar inverters and dataloggers—are located in Europe. A report from cybersecurity firm Forescout identified that 76% of 35,000 surveyed remote-access solar devices globally were situated on the continent. This remote connectivity is viewed as a primary entry point for potential cyberattacks, as cloud-connected systems can be manipulated to disrupt power grids.
While domestic European inverter producers are likely to support stricter regulations to gain a competitive advantage, the political cost of a full-scale ban remains high. Industry experts suggest that the EU may land on a middle ground, such as a rigorous certification system rather than an outright ban. This would require all suppliers to meet high security standards and ensure that data management remains within European borders, effectively locking the “back door” to the region’s energy supply without completely dismantling existing supply chains.