President Macron’s government unveiled the timeline for its solar procurement plan over the weekend, months after the release of the 10-year energy transition roadmap dubbed PP3, which envisages an additional 1.2 GW of solar capacity. Companies will bid for small and ground-mounted solar projects in July and other industrial installations in the fall. France’s consistent approach is that French companies have a strong preference (see: France’s latest EU country to abandon US technology). “In the face of the climate emergency, and the consequences of the Iran conflict once again revealing the cost of our dependence, PPE3 sets a clear direction: to produce more low-cost, decarbonised energy while strengthening sovereignty,” said Energy Minister Maud Bregan.
The government stated that its main goal through small solar installations is to encourage citizens to adopt electricity as much as possible, and this change in electricity production should also protect them from violent fluctuations in energy prices. For larger projects, the goal is more clearly onshore panel production, away from China’s control of the market. The government says more than 80 percent of key PV modules now come from China.
In the short term, this will involve the “resilience standard” in the upcoming tender announcement, requiring diversified sources of supply. The government said it would also “strengthen durability and cybersecurity requirements” in the medium term “.
All of this is in line with the EU’s Net Zero Industry Act, which aims to produce 40% of the equipment needed for energy transition deployment in member states by 2030. The law is more like a regulation than a directive-meaning it is not subject to national interpretation flexibility-and requires EU countries to include cybersecurity in pre-qualification criteria for renewable energy deployment tenders.
Ironically, one of the reasons China has been able to successfully develop the photovoltaic equipment industry is that China has simultaneously implemented domestic cyber security restrictions and promoted self-reliance, effectively excluding foreign suppliers. Its dominance has raised cybersecurity concerns around the world. Many people are particularly worried about the inverters of solar panels, which convert the collected energy into current for the grid-if remotely reconfigured or paralyzed on a large scale, it may cause the grid to be hacked or unstable.
“The risks are very serious,” said Tobias Gerke, senior policy fellow at the European Council on Foreign Relations. He referred to severe power outages in Spain and Portugal a year ago due to cascading power grid failures. While there was no cybersecurity-related cause, Gelke said the incident showed “how disruptive this can be”.
Lithuania effectively banned Chinese inverters from entering its solar and wind installations in 2024 due to concerns about remote access. Reuters reported in May 2025 that U.S. energy experts had found undisclosed communication devices in some Chinese-made inverters that could communicate with the country in a way that bypassed the utility company’s firewall.
Beijing dismissed the reported concerns as “distorting and discrediting China’s infrastructure achievements”. But a few months later, EU lawmakers urged the European Commission to block Chinese photovoltaic module manufacturers such as Huawei and Sungrow from entering critical European infrastructure. The EU’s executive body said it was listening in a December communication on “Strengthening the EU’s economic security” and highlighted solar inverters as a prime example of critical infrastructure risk. The report suggests that these devices could become vehicles for “manipulating power production parameters, blocking power production, and accessing operational data. Earlier this year, the European Commission proposed amendments to the EU Cybersecurity Law 2019, focusing on protecting Europe’s critical ICT supply chain by excluding certain suppliers. The EU executive body made the proposal with a focus on telecoms networks, but the text makes it clear that the same rules could be used to block suppliers from high-risk third countries-mainly China, although not explicitly written-from entering a variety of supply chains, including solar (see: Europe prepares legislation to expel Chinese equipment from telecoms). In an interview with the Information Security Media Group on Wednesday, Gerk said he doubted that large Chinese vendors really wanted to attack European infrastructure, but that Chinese cybersecurity laws required them to share critical information and generally cooperate with local governments.
He suggested that the best and “cleanest” way for France to deal with this issue is to directly exclude companies such as Huawei and Sungrow from participating in the upcoming solar tender.
Alternatively, Paris can allow these companies to provide hardware, but prohibit them from remotely operating the control system. “You need to give control to European companies,” Gelke said.” But he said it would still give up some of the benefits that France is trying to achieve, namely to strengthen the advantage of European competitors against Chinese giants.
China supports its champions through direct subsidies and supply chain subsidies, but also by excluding foreign competition. Gelke warned that if nothing is done, European solar manufacturers may fail within a few years, leaving countries with no choice but to buy Chinese equipment. This in itself creates a secondary cybersecurity risk. “You lose an entire industry’s expertise in how to design a safe inverter,” he said.
Gelk pointed out that given Beijing’s restrictions on non-Chinese equipment, there is a strong case for restricting China’s access to the European solar market based on reciprocity. “If the Chinese authorities think there is a cybersecurity threat, maybe it does make sense,” he quipped.
