On 1 May 2026, the European Commission communicated to financial institutions a decision that had been telegraphed for months but never publicly announced. EU funding instruments, including the European Investment Bank and the European Investment Fund, would no longer back solar, wind, or energy storage projects whose inverters came from suppliers in China, Russia, Iran, or North Korea. The decision applies to all such projects within the EU, and to projects in neighbouring regions such as the Western Balkans and North Africa that connect to the European grid. Energy storage power conversion systems are explicitly included. A grandfathering clause allows the most mature pipeline projects to be approved by 1 November 2026; everything earlier in development must choose a different supplier.

The Commission did not issue a press release; the decision became public when industry trade media saw the guidance and started reporting on it. A spokesperson confirmed the substance several days later, citing risk assessments that had identified the possibility of remote shutdown of member state networks leading to countrywide blackouts as the worst-case scenario the policy was meant to address. By that point the European Solar Manufacturing Council had welcomed the decision, the China Chamber of Commerce to the EU had rejected the premise, and Huawei had publicly denied that the company’s inverters posed any cybersecurity risk while accusing the Commission of origin-based discrimination.

This is the most concrete European industrial security decision of 2026, and it sits at the intersection of three larger conversations that are usually held separately. The first is the conversation about energy transition, where Europe has staked its economic future on electrification. The second is the conversation about supply chain dependency, where Europe has acknowledged that around 80 per cent of new photovoltaic systems in the bloc rely on Chinese inverters from a duopoly of suppliers. The third is the conversation about geopolitical positioning between the United States and China, which has been increasingly framed through the contrast between an American petrostate and a Chinese electrostate.

My aim in this article is specific: to take the electrostate-versus-petrostate framing seriously enough to test it against what is actually happening in European industrial security policy, identify where the framing illuminates the decision space and where it obscures it, and ask what the operational consequences of the framing are for organisations running critical infrastructure in Europe. The framing is useful, while also being asked to carry more weight than it can bear, and the inverter decision is a good place to see why.

The framing and where it came from

The contrast between petrostates and electrostates entered serious policy conversation through analysts at RMI and Carnegie Endowment, and it has since been picked up across the trade and energy press. The argument is straightforward. A petrostate is a polity whose economic, financial, and geopolitical power derives from the extraction, export, and political weaponisation of hydrocarbons. An electrostate, by contrast, is a polity that has electrified its economy, dominates the supply chains for the technologies that enable electrification, and accrues power through control of clean-energy infrastructure rather than fossil-fuel reserves.

The clean version of the story is that the twenty-first century will be defined by who manufactures the inverters, the batteries, the rare-earth magnets, the modules, and the grid hardware, rather than by who pumps the most oil. By this measure China is far ahead. The country invested $800 billion in energy transition in 2025, accounting for around 35 per cent of global energy transition spending, accounted for roughly two-thirds of global solar installations in the first half of 2025, and now commands the rare-earth supply chain, the battery supply chain, and the inverter market.

By the same measure the United States is, under the current administration, deliberately moving in the opposite direction. The strategic posture is petrostate by design. Expanded oil and gas leasing, rolled-back vehicle fuel-efficiency standards, executive orders prioritising fossil-fuel output, and the use of oil supply as a geopolitical lever (most recently with the seizure of Venezuelan oil assets in January 2026) form a chosen strategy rather than accidental positioning.

This is the version of the framing that has appeared in the FT, in Time’s Top 10 Global Risks for 2026, in Energy Intelligence, in Robeco’s research, and across the policy think tank world. Europe sits uncomfortably between the two poles: aspiring to be an electrostate, dependent on petrostates for its current fossil-fuel imports, and dependent on the leading electrostate for the technologies of electrification.

That is a clean story, and also, as Adam Tooze argued in an April 2026 Chartbook essay, one that needs to be handled with significant care.

Where the framing breaks down, and why that matters for security policy

Tooze’s critique, which I think is the most useful intervention in this debate, points out that the petrostate label has historically applied to economies that derive a large share of rents, GDP, export earnings, or government revenue from oil and gas. By that standard the United States does not qualify. The US is a major oil and gas producer, but oil and gas account for a small share of US GDP, employment, and government revenue. The deeper observation is that being an electrostate is a function of state capacity, economic rationality, and the ability to actually execute on the integration of distributed electrified infrastructure into a functioning grid, rather than a function of factor endowments.

This matters for European industrial security policy in a way that is not obvious at first glance.

If you accept the clean version of the framing, Europe’s task is straightforward. Pick a side, accelerate electrification, build up the domestic clean-tech industry, and reduce dependence on Chinese components. The inverter decision fits cleanly into this narrative. Europe is asserting electrostate ambition by removing Chinese inverters from publicly funded projects, supporting a domestic inverter manufacturing base that already has over 100 GW of annual capacity and 45 GW of planned expansion by 2027, and treating the security risk as the justification for an industrial policy that would otherwise be politically harder to defend.

If you take Tooze’s critique seriously, the picture gets more complicated. Becoming an electrostate is primarily a question of whether your grid can absorb distributed generation at scale, whether your interconnection processes work, whether your electrification rates are actually climbing, whether your industrial heat is decarbonising, whether your data centres can be powered by the electrons your renewables are generating, rather than a question of which inverter you buy. By these measures Europe has been stagnating. Industrial electricity prices in Germany are running between 12 and 18 euro cents per kilowatt hour and only being cut to five cents for energy-intensive industries through a temporary subsidy. Industrial competitiveness against Chinese electrostate-driven manufacturing is, as the Draghi report stated bluntly, in slow agony.

Why does this matter for security policy? Because the inverter decision, viewed through the clean framing, looks like an industrial security win, while viewed through Tooze’s framing it looks more like a security policy that buys time at the cost of accelerating electrification. The Commission has explicitly framed the decision as economic security rather than industrial policy. Companies from Japan and South Korea remain eligible. The official line is that the choice is about trust and resilience rather than Buy European. The industry response from ESMC has been to welcome the decision while pushing for a stronger Made in Europe stance that would amount to industrial policy in the harder sense.

Both readings are partially true. The decision is a security measure, and also, downstream, a constraint on how quickly Europe can deploy the renewable generation it needs to electrify. The two effects do not cancel out; they co-exist, and the resolution depends on factors that are not yet clear.

What the inverter actually does and why it is a control surface

To understand why the inverter is the specific component the Commission chose to act on, rather than the panel itself or the battery cell, it helps to be specific about what an inverter does and what its security properties are.

An inverter converts the direct current generated by a solar panel into the alternating current used by the grid. In a modern grid-connected installation it does considerably more than that. It manages reactive power, controls power factor, responds to grid frequency, executes anti-islanding behaviour during grid disturbances, and increasingly participates in distributed energy resource management. It is, in operational terms, the active electrical interface between the panel and the grid. The European Solar Manufacturing Council has called it the brain of the installation, which is an accurate description of the role rather than marketing language.

For the inverter to do all this, it needs network connectivity. Modern inverters communicate with manufacturer cloud platforms for remote monitoring, with grid operator systems for dispatch and curtailment, and with site-level energy management systems for optimisation. Some models support firmware updates pushed from the manufacturer cloud. Almost all of them log operational data continuously to the manufacturer’s infrastructure, partly for the customer’s benefit and partly because the data is genuinely useful for fleet-level performance optimisation.

This is the property that makes inverters a cybersecurity risk surface. A connected device that can be remotely reconfigured, that has the ability to modify its electrical behaviour on the grid, and whose firmware comes from a single foreign manufacturer with regulatory obligations to share product information with state authorities is, by the standard logic of critical infrastructure protection, a control surface. The same logic that produced the global pushback against Huawei 5G equipment applies to Huawei inverters, with a sharpened technical specificity. Last year US engineers discovered undocumented communication components in some Chinese-made inverters that, according to Reuters’ reporting at the time, could allow remote circumvention of firewalls with potentially catastrophic consequences.

The EU Institute for Security Studies report from January 2026 made the technical case in some detail, and the risk it describes is anything but theoretical. Rooftop solar accounts for 15 to 16 per cent of total electricity generation capacity in the Netherlands. NIS 2 cybersecurity protocols, which apply to utilities, do not currently apply to smaller generators including rooftop solar. The result is that a significant share of electricity generation in some member states sits behind devices that are connected, foreign-controlled, and outside the cybersecurity regulatory perimeter.

The Commission’s risk assessment, according to spokesperson Siobhan McGarry, identified scenarios including manipulation of electricity production parameters, disruption of electricity generation, unauthorised access to operational data, and remote shutdown of member state networks leading to countrywide blackouts. The framing was deliberately at the upper end of the severity scale. Whether such an attack is likely is a different question from whether it is possible.

Loom’s advisors, including Michael Collins, the former UK deputy head of national security strategy, made the point precisely in their analysis. China’s cyber actors are highly capable and have long sought persistent access to Western critical infrastructure, with the capability itself being well established. A large-scale disruptive attack is unlikely, but smaller-scale demonstrations of capability are within China’s lower threshold for action, and serve a strategic communications purpose that does not require a full attack to be effective. Holding infrastructure at risk is itself a strategic asset.

Why the framing pushes European decisions in directions that may not match the underlying risk

This brings me to the part of the analysis I find most uncomfortable, and I want to spend some time on it because it has practical consequences.

The electrostate-versus-petrostate framing, when imported uncritically into European industrial security policy, pushes decisions in a particular direction. It encourages a binary view in which Europe must align with one side or the other, in which Chinese components are a strategic vulnerability per se, and in which the response is some combination of reshoring, friend-shoring, and supplier exclusion. The inverter decision fits this template. The framing makes the decision easier to justify politically because it can be framed as Europe defending its electrostate aspirations from electrostate-aligned dependencies.

What the framing obscures is that the underlying security risk lies in the connected, cloud-dependent, foreign-controlled nature of the device rather than in the country of origin. As the EU Institute for Security Studies report observed, some of the risks associated with Chinese inverters (internet connectivity, reliance on cloud servers) apply equally to European-made inverters. Country of origin is a proxy for the trust model, not the trust model itself.

If the underlying issue is the trust model, the right response is a cybersecurity regulation that applies to all inverters regardless of origin, with technical requirements around firmware integrity, command authentication, local override capability, and isolation of grid-control functions from cloud-management functions. That is a harder regulation to write and a slower one to enforce. The country-of-origin response is faster, more politically saleable, and addresses the immediate political pressure, while leaving the underlying technical risk in place if a European-made inverter has similar architectural properties.

None of this is to argue that the Commission’s decision is wrong. The decision is defensible on multiple grounds. Supplier concentration is itself a risk, regardless of country. The Chinese state’s legal authority over Chinese suppliers under article 7 of the 2017 National Intelligence Law creates a specific risk that does not apply to suppliers based in jurisdictions without comparable provisions. The political signal that critical electrical infrastructure will not be allowed to depend on adversarial supply chains is itself an important signal.

I am arguing that the electrostate-versus-petrostate framing makes it easier to stop the analysis at the country-of-origin level, when the deeper structural risk is the architectural pattern of connected, remotely managed, cloud-dependent grid components. Europe will need both the country-of-origin response and the architectural response. The framing tends to deliver the first and obscure the need for the second.

This matters because the same architectural pattern applies to a much wider set of components than inverters: smart meters, EV chargers, building energy management systems, heat pumps, battery storage controllers, industrial control systems. Each of these is a connected, foreign-controlled, cloud-dependent device with the ability to modify physical behaviour, deployed at scale across Europe, and each will eventually face a version of the inverter question. The country-of-origin response, applied serially to each category, is going to be politically exhausting and operationally incomplete.

What this means for organisations operating European critical infrastructure

For executives running utilities, telecoms, transportation, water, healthcare, or any of the other sectors that count as critical infrastructure under NIS 2, the practical consequence of the inverter decision is that the regulatory and political environment for connected foreign-controlled equipment has changed in a way that will keep changing.

The first practical implication is that supplier diversity by country of origin is becoming a regulatory expectation rather than just a procurement preference. The Commission’s decision is the first cleanly enforced version of this principle in the renewable energy space, and there will be more. Organisations that have rationalised single-vendor or single-country-of-origin supplier relationships on cost or performance grounds should expect to be asked why, and the cost of single-supplier dependence is going up.

The second practical implication is that the cybersecurity properties of connected industrial equipment are becoming due-diligence questions for board-level discussions about supplier choice, rather than questions reserved for the security team. The trust model questions (where does the firmware come from, who has remote access, what is the local override capability, how is the cloud connection authenticated) will need to be answered by procurement as much as by the OT security team.

The third practical implication is the most important and the least well-publicised. The standard separation between IT security and OT security is breaking down in the European context not because of any specific threat actor but because the regulatory perimeter is moving. NIS 2 already covers a wider scope than its predecessor, and the proposed Cybersecurity Act revisions will extend the perimeter further. The inverter decision is a preview of how those frameworks will be enforced, and the enforcement will require organisations to have integrated visibility across IT, OT, and the increasingly connected industrial layer in between.

I have written elsewhere about operational substrate as the layer beneath governance and policy. The inverter decision is a substrate decision, in the sense that it is about what physically sits inside the European grid. The choices made over the next two years about which substrate components are acceptable will define what the European energy security architecture actually looks like for the next two decades.

The electrostate-versus-petrostate framing is useful for political communication, less useful as a guide to operational decisions, because it tends to encourage country-of-origin thinking when the underlying risks are architectural. For organisations operating in this environment, the more productive question is which architectural patterns Europe is willing to defend, and how the organisations that depend on European critical infrastructure are going to make the necessary changes to their own systems while the regulatory environment moves underneath them.

This is going to be uncomfortable for several years. The inverter decision is the first clearly enforced sign of how uncomfortable it is going to be, and the wider category of decisions it foreshadows is the work that European industrial security will be doing for the rest of the decade.

Sources and references

1. European Commission. Guidance on restrictions for EU funding of renewable energy projects using inverters from high-risk suppliers. Communicated to financial institutions from 1 May 2026.

2. Tristan Rayner. “EU funding ban on high-risk inverters, including Chinese suppliers, extends to BESS PCS.” Energy Storage News, 4 May 2026. https://www.ess-news.com/2026/05/04/eu-funding-ban-on-high-risk-inverters-including-chinese-suppliers-extends-to-bess-pcs/

3. Will Norman. “EU bans funding for energy projects using Chinese inverters — will it move the needle on cybersecurity?” PV Tech, 28 April 2026. https://www.pv-tech.org/eu-bans-funding-for-chinese-inverters-solar-cybersecurity/

4. David Meyer. “Europe Cuts Off Funding for Chinese Solar Inverters.” Information Security Media Group, 4 May 2026. https://www.cuinfosecurity.com/europe-cuts-off-funding-for-chinese-solar-inverters-a-31584

5. Sergio Matalucci. “EU moves to ban high-risk inverters from China over cybersecurity threats.” Euronews, 4 May 2026. https://www.euronews.com/my-europe/2026/05/04/eu-moves-to-ban-high-risk-inverters-from-china-over-cybersecurity-threats

6. Emiliano Bellini. “EU moves to restrict funding for projects using inverters from high-risk suppliers.” PV Magazine International, 23 April 2026. https://www.pv-magazine.com/2026/04/23/eu-moves-to-restrict-funding-for-projects-using-inverters-from-high-risk-suppliers/

7. European Solar Manufacturing Council. “ESMC Welcomes EU Commission Decision: Inverters from High-Risk Countries Excluded from EU Funding.” 24 April 2026. https://esmc.solar/esmc-welcomes-eu-commission-decision-inverters-from-high-risk-countries-excluded-from-eu-funding/

8. European Solar Manufacturing Council. “New EU Economic Security Doctrine flags dependence on solar inverters from China as high-risk.” 16 December 2025. https://esmc.solar/new-eu-economic-security-doctrine-flags-dependence-on-solar-inverters-from-china-as-high-risk/

9. European Union Institute for Security Studies. “The Dragon in the Grid: Limiting China’s Influence in Europe’s Energy System.” 16 January 2026. https://www.iss.europa.eu/publications/briefs/dragon-grid-limiting-chinas-influence-europes-energy-system

10. Adam Tooze. “Chartbook 439: Electrostates v. petrostates. Clarifying a tricky distinction.” Substack, April 2026. https://adamtooze.substack.com/p/chartbook-439-electrostates-v-petrostates

11. Robeco. “China: In pole position to be the globe’s first electrostate.” Insight, 27 March 2026. https://www.robeco.com/en-int/insights/2026/03/china-in-pole-position-to-be-the-globe-s-first-electrostate

12. Energy Intelligence. “Strategy Battle: US as Petrostate, China as Electrostate.” 23 January 2026. https://www.energyintel.com/

13. Noah J. Gordon and Daevan Mangalmurti. “How to Be an Electrostate.” Carnegie Endowment Emissary blog, 16 September 2025. https://carnegieendowment.org/emissary/2025/09/electrostate-what-is-it-china-solar-manufacturing

14. The National Interest. “The EU in a Petrostates and Electrostates World.” 19 December 2025. https://nationalinterest.org/blog/energy-world/the-eu-in-a-petrostates-and-electrostates-world

15. Eurasia Group. Top Risks of 2026. https://www.eurasiagroup.net/issues/top-risks-2026

16. Ian Bremmer et al. “The Top 10 Global Risks for 2026.” Time, 11 March 2026. https://time.com/7343169/top-10-global-risks-2026/

17. World Economic Forum. Global Risks Report 2026. https://www.weforum.org/publications/global-risks-report-2026/

18. Mario Draghi. The Future of European Competitiveness. European Commission, 2024.

19. Christian K. Caruzo. “Green-Frenzied EU to ban Cybersecurity Risk Chinese Solar Equipment.” Breitbart, 6 May 2026.

20. Marco Brondani. “The Compound Vulnerability” series and “The Valley of False Signals” series. marcobrondani.com.