Netherlands increasing vigilance on solar inverter-related cybersecurity risks

The Dutch government said it remains vigilant on potential cybersecurity threats coming from solar inverters. It minimized, however, the risk of hidden hardware components in inverters and said these devices would be "easily detectable" by the Dutch authorities.

The Netherlands' Minister of Climate Policy and Green Growth, Sophie Hermans, has announced during a parliamentary debate that the Dutch government intends to increase vigilance on inverters used in PV systems across the country.

The statement came as an answer to a parliamentary question submitted by Henri Bontenbal from the Christian Democratic Appeal (CDA) conservative party, which raised concerns about hidden communication equipment in Chinese inverters, as recently reported by Reuters. “This report is based on anonymous sources and does not specify who conducted the investigation or how,” Hermans said. “Furthermore, it does not specify which products or suppliers were involved.”

However, the minister also said that solar inverters may fall under the scope of the AIVD, a government-run agency responsible for combating domestic and foreign threats to national security, especially if inverters are found capable of substantially disrupting the transmission, distribution, and production of electricity.

“The potential risks of undocumented components in inverters depend on several factors, including the total available power of affected parties and the resilience of the electricity grid during a potential outage,” she added, noting that the risk of hidden hardware components in inverters is highly unlikely and “easily detectable” by the Dutch authorities. “Nevertheless, the government takes such signals very seriously. National and European legislation has been tightened precisely because of increasing digitalization and the use of smart equipment, such as inverters.”

Hermans also recalled that the RED 3.3 clauses of the EU Radio Equipment Directive (RED) will come into effect in August 2025, with restrictive requirements for all wirelessly connected devices, including solar inverters.

On the European market, on the other hand, it is already prohibited to secretly incorporate functionalities, for both software and hardware, that are not described in the technical documentation. “It is prohibited to offer products that contain ‘hidden' functionalities for remotely switching devices on or off,” the minister explained. “These requirements also apply to products originating from a manufacturer established outside the EU, once these products are offered on the European market.”

Commenting on Lithuania's recent legislation blocking Chinese manufacturers from remotely accessing the country’s solar, wind, and storage facilities, Hermans said the government will work with its EU partners to assess whether such regulations offer “added value” for the European market.