How China could crash Europe’s energy grid and what the EU can do about it

Europe’s solar boom has quietly handed Beijing remote access to hundreds of gigawatts of its power capacity. Without a 5G-type toolbox banning untrustworthy suppliers of inverters and other grid technologies, Europe risks another energy security crisis

Workers produce photovoltaic panels at a workshop of a photovoltaic enterprise in Suqian, East China’s Jiangsu province, May 9, 2023
Image by picture alliance / CFOTO | CFOTO

At 12:33pm on April 28th, the Iberian peninsula went dark. Within seconds, a few local energy outages cascaded into a regional blackout. The loss of just 2.2 gigawatts (about two nuclear plants) triggered automatic disconnections, severed power links with France, and left more than 50 million people without electricity for 12 hours. It cost Spain an estimated €4bn.

The Iberian energy grid is unusually exposed compared to European peers because it has fewer cross-border interconnections relative to its size, which limits power imports or exports during disruptions. But blackouts or coercion events are possible across Europe, even from smaller outages of only a few hundred megawatts. Chinese researchers (and likely the state apparatus) have studied Western grid failures: which nodes are most vulnerable and how to optimise disruption.

The next high-risk dependence

Today, Chinese companies control more than 220 gigawatts of Europe’s installed solar capacity via inverters—the digital brains that convert direct current into grid-usable alternating current. These (usually) remotely programmable computers generate data, receive software and firmware updates, adjust voltage and frequency, and can be switched on and off as needed—or tampered with. Huawei (deemed “high risk” for many European telecoms networks) has become Europe’s largest supplier of inverters.

In normal times, inverters maintain grid stability and facilitate the integration of renewable energy. In a world where technology can be weaponised, they also offer a handful of operators potential levers inside Europe’s critical infrastructure. The irony is that clean technologies disperse energy generation across countless sites, but the digital centralisation of their data and control on cloud platforms makes them more vulnerable to attack.

In effect, while European dependence on solar panels from China may not be the most risky of dependencies, the EU’s energy grid backbone increasingly runs on Chinese hardware, software and data access. European countries need to spend hundreds of billions of euros over the coming years to upgrade their ageing grid, and China is well placed to extend its dominant position as an inverter supplier into other power equipment, including transmission lines, distribution transformers and software for managing grid integration. Beijing has already shown that it will use dependencies as geoeconomic weapons, from rare earths to automotive chips. Europe’s grid could be next.

Anatomy of a fall

There is no shortage of ways inverters can be turned into weapons. State-linked actors could deploy malware that cripples the power system and knocks out critical services. Espionage teams might map the grid to help pinpoint the best places to disconnect for maximum impact. Cyber attacks on operating systems could plunge wide areas into darkness for weeks.

There are also geoeconomic threats. Imagine China restricted the sale of components and maintenance services for its grid technologies. European countries would not be able to simply switch to a different supplier, because switching often requires replacing large parts of the network. Operators would be left unable to patch known flaws, inviting more cyber attacks or extortion.

Europe did not hand this vital piece of its energy grid to China because Chinese technology is uniquely superior; rather, European inverter makers lost market share because Chinese rivals offer units 20–30% cheaper, owing to economies of scale, government subsidies and, crucially, a protected home market. The Chinese government has sweeping cybersecurity rules that serve as a de facto trade barrier, locking Western internet-connected inverters out of China.

China generally has a tight grip on its home market. Its 2022 Cybersecurity Review Measures require critical infrastructure operators (including energy) to submit for review any network products or services with potential national-security implications. This year’s rules on electricity monitoring systems obligate grid operators and related actors to prioritise “secure and trustworthy” technologies. The National Energy Administration now instructs utilities to build self-reliant, safe and controllable systems across the entire value chain. While China’s market is effectively sealed off and set on a course of self-reliance, Europe is on course not only to erode its energy equipment industry but also to wholesale outsource its grid to Chinese companies.

On top of this glaring asymmetry in market access, China’s 2017 National Intelligence Law obliges all organisations to assist state intelligence. Cyber vulnerability disclosure rules further tighten control: firms must report weaknesses to Chinese authorities and are barred from sharing them with foreign partners. It would be difficult for any company to meaningfully resist a direct request from security forces or law enforcement to share intelligence.

A question of trust and economic security

During the deployment of fifth-generation (5G) mobile network technology in 2019, the EU concluded that technical reliability is not the same as political trust. The EU developed a toolbox for 5G security, guiding member states to factor “trust” into their decisions on critical infrastructure providers, based on a vendor’s independence from foreign interests. Europe’s energy grid must confront the same question of trust, but it should also consider economic security factors.

For example, European policymakers should evaluate whether a company headquartered in a country that conducts extensive cyber attacks against their domestic energy and critical infrastructure should be considered trustworthy. They ought to consider whether they can trust a company from a country with no clear legal or judicial limits on government power, or one in a country willing to withhold materials and maintenance for coercive leverage. Ultimately, the question arises whether Europeans ought to trust a country that does not allow reciprocal investment in its own critical infrastructure.

Policymakers must also weigh the long-term consequences of industrial decline. The loss of EU solar inverter manufacturers could jeopardise critical know-how and technology capabilities. Beyond that, it risks triggering cascading effects in the supply chains of other strategic sectors. For instance, Europe still has a leading industry in power-electronics semiconductors, which inverters need. If Europe loses inverter manufacturing, it will also shrink its power electronics market.

How to secure the European grid

While the EU and national authorities have undertaken cyber assessments and are debating countless technical fixes, Europe needs urgent and comprehensive action. It must prevent untrustworthy, high-risk manufacturers from connecting control-capable systems to the grid. This effort should be further anchored in a robust economic security toolbox that addresses the broader strategic vulnerabilities.

Exclude high-risk vendors from the EU

A first step could be for the EU to quickly conclude a risk assessment and make high-risk suppliers of energy grid hardware or software ineligible for grid connection. But the EU still lacks binding legislation, and member states’ lacklustre and patchy implementation of common cybersecurity rules does not inspire confidence in quick action, as demonstrated by the 5G toolbox.

The revision of the Cybersecurity Act, as well as the Cyber Resilience Act, could therefore offer the European Commission another pathway to enforce union-wide bans on risky products and services.

Condition funding on exclusions

The commission can also condition EU funding for renewable energy projects and auctions on the exclusion of hardware and software from high-risk suppliers. The Net Zero Industry Act introduced criteria that make it harder for projects to use risky foreign equipment, but it stops short of an outright ban. The proposal for a European Competitiveness Fund goes further, allowing the exclusion of high-risk vendors. Member states should back and implement conditional financing, and extend it to the EU Horizon Europe funding as well.

Tighten economic security measures

Simultaneously, the commission must protect domestic manufacturers by launching trade defence investigations (anti-dumping) into imported inverters and other power grid equipment.

Financial institutions could also play a role. The European Investment Bank and other public institutions could deny financing for EU energy operators that purchase equipment from high-risk vendors, which would affect their credit rating and indirectly increase their borrowing from commercial banks (as happened with 5G equipment).

Prevent circumvention and strengthen oversight

Member states should ensure that high-risk firms do not bypass EU regulations. For example, some high-risk companies may try to outsource operational control functions of inverters to (shell) companies. European authorities can screen foreign investments in EU solar monitoring system companies to prevent indirect control by high-risk vendors.

All firmware and software updates of larger installations should pass through EU-based servers under independent supervision and corporate structures to safeguard operational integrity and cybersecurity.

Promote trust standards among allies

The EU should also encourage its partners to adopt similar trust standards for their energy grid. The G7 is an important coordination platform, but the EU should also link its bilateral economic deals, such as Global Gateway funding or Clean Trade and Investment Partnerships, to the adoption of trust standards.

*

Europe has been slowly building a common framework for trust and economic security, but the clock is ticking. If the EU does not move quickly, its energy grid will become its next geoeconomic Achilles heel.

The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of their individual authors.
