Who controls your inverter controls your energy


Recently, the European Commission gathered EU directorates-general and industry associations on a video call and told them something significant. Those present were asked to keep it quiet. The decision, communicated without a press release or public announcement, was that EU funding would stop flowing to energy projects using inverters from China, Russia, Iran, and North Korea.

The decision will reshape how billions in energy investment flows across Europe. It also raises a harder question that the regulation itself doesn't answer: does replacing Chinese hardware actually make your energy system more secure, or does it just change who built it?

 

What was decided and what it covers

 

According to reporting by Der Spiegel, the ban covers all major EU financing instruments, including the European Investment Bank (EIB) and the European Investment Fund. The EIB funded around one fifth of all solar projects in the EU in 2025 and, according to industry insiders, the majority of those used Chinese inverters. Financial institutions were required to report their existing project pipelines by early May 2026 and urged to replace inverters wherever possible. Only the most advanced projects may still qualify under transitional rules.

Virtually every inverter installed across the EU comes from China, primarily from Huawei and Sungrow. The ban also extends to inverters made by companies headquartered outside China but owned or controlled by actors from the four listed countries, closing what would otherwise be an obvious workaround.

However, as PV Tech reported, the ban applies specifically to projects funded through EU financing instruments. Privately financed projects are not directly covered, at least for now. In Germany, industry observers expect the framework to inform future national subsidy rules under the Renewable Energy Sources Act, and several other European countries are likely to follow with measures of their own.

Why inverters became a security concern

 

An inverter controls when and how much electricity a solar installation or battery storage system feeds into the grid. For most people running a business, it is not top of mind. It drew the Commission's attention because almost all inverters are permanently connected to the internet for software updates, remote diagnostics and control. A connected device sitting between an energy source and the grid can, in principle, be accessed, manipulated, or shut down remotely. Across millions of internet-linked inverters on rooftops, depots, and industrial sites, that persistent connection is what makes them a meaningful access point in critical energy infrastructure.

Erika Langerova, head of the energy systems department at the Technical University of Prague, told PV Tech: "Inverters sit at the heart of grid control, and allowing high-risk vendors into that layer is an avoidable vulnerability. Given persistent concerns around state-linked cyber activity, treating Chinese suppliers and operators as high risk in critical infrastructure is simply basic risk management, not protectionism."

 

What this means for businesses running their own energy systems

 

The Commission's decision targets large-scale infrastructure, but the underlying concern applies equally to businesses with on-site energy systems. Take a logistics company running a large depot with solar panels and battery storage. That system keeps charging infrastructure, temperature-controlled warehousing and security systems operational. A threat actor with access to the inverters and energy management hardware could limit energy output, force a disconnection from the grid, or simply introduce enough uncertainty during a critical operational window that it affects operational continuity.

Ryan Davidson, principal consultant for grid digitalisation and cybersecurity at DNV, told PV Tech that the EU funding ban "helps energy sovereignty but does very little to address the cybersecurity of the infrastructure, as it does not address critical cybersecurity controls needed for all distributed energy infrastructure." In other words: swapping out Chinese hardware for European hardware is a start. But if the security architecture around that hardware is not built properly, the risk does not disappear; it just changes address.

The most likely way into an energy system is not the hardware itself; it is the permanent internet connection that keeps it running: software updates, remote diagnostics, live control. iwell controls the communication on that connection. No supplier or third party has default access to the system. The question businesses should be asking their energy partners is not just where the hardware came from, but who controls how it communicates, who can access it, and what happens when something goes wrong.

What matters even more than the origin of the hardware is who controls the intelligence. That’s the question businesses should be asking their energy partners, and it is the question iwell has been designing around since the beginning.

 

No energy security without cyber security

 

Reducing grid dependence, managing your own generation and storage, optimising costs; none of that means much if the systems doing that work can be accessed from outside.

Like much of the industry, iwell's hardware – including battery systems – is sourced from suppliers in China. However, the entire intelligence layer is built and maintained by iwell in the Netherlands.

In practice, this is what our security architecture looks like:

  • Full in-house control. iwell's EMS – covering the Site EMS, Battery EMS, and Control Box – is fully developed and maintained in the Netherlands. How the system communicates, how energy flows are managed and what decisions get made is built and deployed locally, not handed off to a third party.
  • No external data sharing. All communication between battery systems and our cloud infrastructure is encrypted and managed exclusively by iwell. No data is shared with China or any party outside iwell's control.
  • Suppliers have no standing access. Where temporary access is required for firmware updates or troubleshooting, iwell grants it explicitly, sets a time limit, and revokes it immediately after use.
  • Inbound and outbound traffic blocked by default. Battery systems (DC-blocks) cannot communicate with external networks unless explicitly permitted by iwell. Communication protocols between the Battery Management System and the power conversion system are isolated.
  • Data stored in the EU. All iwell data sits in European data centres, primarily in the Netherlands and Germany.
  • Certified and continuously tested. Our systems meet ISO 27001, ISO 9001, and NIS2 standards. We run 24/7 monitoring and regular external penetration testing, backed by a dedicated Incident Response Plan covering escalation, root cause analysis, and direct customer communication.

Who controls the intelligence layer controls the system. At iwell, that control sits entirely with us.

 

The questions worth asking before your next energy investment

 

The Commission's decision makes the conversation about control unavoidable for EU-funded projects. For privately financed ones, the same logic holds regardless of regulatory pressure. When assessing an energy system, the hardware manufacturer is one data point among many. More important is who controls the data flows, who manages access, where data is stored, and what the response looks like when something goes wrong.

The Commission's decision reflects something that responsible operators have known for a while: a connected energy system with weak security controls is a liability, regardless of where the hardware came from. If you have not yet asked your energy partner how they handle access, data, and incident response, that conversation is overdue.

For businesses investing in on-site energy now, cyber security is not a feature to add later. If you want to understand how iwell's approach to cyber security works in practice, or what questions to put to your current or prospective energy partner, get in touch with our team.

 
