EU moves to restrict EU-backed financing for projects using high-risk inverters

The European Commission has reportedly moved to restrict EU-backed financing for renewable energy projects using inverters from “high-risk” suppliers. 

The measure addresses cybersecurity risks in clean energy infrastructure and is particularly relevant for photovoltaic (PV), wind and battery energy storage system (BESS) projects connected or intended to be connected to the EU electricity grid.

Although the Commission’s interim guidance has not yet been published in full, the new approach is reportedly being applied to projects financed through EU implementing partners, including the European Investment Bank (EIB) and other EU-backed financing channels. The Commission has linked the measure to concerns that connected inverter technology could be used to manipulate electricity production, access operational data, disrupt generation or remotely interfere with grid operations.

For new projects connected or intended to be connected to the EU grid, EU-backed financing is expected to be unavailable if the project uses inverters or BESS power conversion systems supplied by high-risk vendors, including suppliers ultimately owned or controlled by entities in high-risk jurisdictions. Current projects appear to benefit only from a limited transitional regime. 

Only projects with high-risk inverters contracted or likely to be contracted (or where there was doubt) had to be notified by 1 May 2026 and must be ripe for Commission approval by 1 November 2026 to benefit from grandfathering. Grandfathering does not exempt from cybersecurity measures. Notifications should identify the project, cost, technology, location and supplier if known. Projects outside the EU and not connected or scheduled to be connected to the EU grid are expected to be subject to a later phase-out date of 15 April 2027, subject to limited derogations.

Projects that have already been financed and signed do not appear to be automatically required to replace existing inverters, but may be affected if the financing is later amended, refinanced, extended or supplemented by direct or indirect EU-backed funding. Sponsors and lenders should check existing finance documents and future financing plans, and review whether the project’s inverter, battery power conversion equipment and remote monitoring arrangements could raise eligibility or cybersecurity concerns.

For Hungarian PV developers and project owners, the choice of inverter or BESS should now be assessed at the financing-planning stage, not just during technical procurement. Public reporting indicates that the restriction applies to both direct and indirect EU funding instruments, which means that it may affect commercial bank facilities relying on EU-backed funds, guarantees or blended finance structures, as well as projects financed directly by the EIB, EU programmes or development finance institutions. For intermediated financing, new or amended arrangements may require financial intermediaries not to support projects using high-risk inverters; existing arrangements are generally unaffected until amended. The Commission may also withhold support where it has voting rights, including for own-risk funds, and encourages EU Member States to align funding programmes. Projects seeking or potentially relying on EU-linked financing should review whether any inverter, power conversion system, monitoring platform or remote service provider is connected to a high-risk supplier. This review should go beyond the equipment brand and cover ownership and control, remote-access arrangements, cloud-based monitoring, data hosting, firmware update processes and relevant third-party service providers.

Lenders should also update their due diligence and finance documents. Inverter eligibility and cybersecurity compliance should be addressed before credit approval and reflected in conditions precedent, representations, undertakings, information covenants and events of default. Facility agreements should allocate the risk that a supplier becomes ineligible after signing but before procurement, commissioning or utilisation.

Sponsors should review EPC, supply and O&M contracts to ensure that they include appropriate substitution rights, cybersecurity specifications, remote-access controls, data and firmware update provisions, audit rights and liability for non-compliance. 

Where supplier replacement is required, the parties should also revisit project timetables, commissioning deadlines, grid-connection milestones, liquidated damages and warranty assumptions.

Cybersecurity evidence will become increasingly important for project financing. Sponsors should be prepared to demonstrate robust IT/OT separation, controlled and auditable remote access, supplier risk management, secure patching, network monitoring and incident response arrangements.

In practical terms, affected stakeholders should now map their project portfolios, screen inverter and power conversion system suppliers, confirm whether any pipeline project falls within the transitional window, update procurement and finance documentation, and monitor further EU developments, including the proposed revision of the EU Cybersecurity Act. 

While the current measure appears to be a funding restriction rather than a general Hungarian statutory ban, its practical effect may be significant for any project relying on EU-backed financing.

The article was co-authored by Marton Lazar. 

For more information on the restrictions on EU-back financing and how this may impact your business, contact your CMS client partner or the CMS experts who contributed to this article.