The European Union is looking to ban foreign wind turbines on the grounds of cybersecurity concerns, echoing similar recommendations that saw EU countries bar China’s Huawei from 5G networks.
Brussels is busy putting measures in place to shield Europe’s wind turbine producers from Chinese competitors. Amid talk of “made in Europe” requirements and considerations of anti-dumping tariffs, one consideration is quietly gaining traction: cybersecurity.
When a Chinese wind turbine manufacturer won a Serbian tender in late 2023, the European wind industry sounded the alarm, with WindEurope CEO Giles Dickson highlighting “wider security interests”. He also cited economic considerations, concluding that “to install non-European wind turbines … on our continent is not in Europe’s interest.”
Weeks later, the European Commission presented a toolbox of policy proposals termed the “European Wind Power Package.” A key component was empowering EU countries to potentially exclude foreign companies based on “pre-qualification” criteria, including cybersecurity.
That means wind turbines that do not meet certain – currently undefined – cybersecurity criteria will be excluded from the regular public auctions that award support to wind farms.
The Huawei experience
Huawei is a large Chinese technology corporation. Several Western governments were concerned that the Chinese government would use this equipment to gather sensitive information about the public and private sectors.
As a result, ten EU countries have excluded the Chinese company, following a recommendation from Brussels, benefitting indigenous firms like Sweden’s Ericsson or Finland’s Nokia.
European turbine manufacturers are hoping for a similar payoff. EU rules should “ensure that secure equipment” is being installed in Europe, Juan Virgilio Marquez of the Spanish wind energy association AEE told the industry’s annual jamboree in Bilbao.
The industry talks up two scenarios: Sensitive data from wind turbine sensors being sent to third countries via a satellite connection and China being able to press a “red button”, turning off thousands of turbines and sending power markets into a tailspin.
Eye in the sky
Wind turbine sensors gather terabytes of data daily, and Europe would not be the first region to express concerns about where this data could be sent.
“We are being audited [on] whether technical components are made in China,” explained Edward Zakrajsek, a vice president at DeTect Global, speaking of a project to erect wind turbines off the coast of Taiwan
However, not all within the industry share this perspective.
Rafael Mateo of Acciona Energia says that aside from regular operating metrics like wind speeds, power outputs, and blade angles, there is “nothing” sensitive to be gleaned from having access to a turbine.
Turning off the lights
Wind turbines can typically be managed remotely. Therefore, compromised electronic equipment could allow third parties to take control.
“In a weaker grid, if you remove 2 GW of turbines, you can create a subfrequency event”, explained Rafael Mateo, CEO of Spanish renewables developer Acciona Energia. Subfrequency events occur when there is insufficient electricity to meet demand, risking targeted or widespread power cuts.
However, he added that an attacker would usually need to “control all wind farms” to threaten the grid seriously.
New Brussels rules are imminent
On 23 April, the EU’s new industrial policy law, the Net Zero Industry Act (NZIA), will be adopted by EU lawmakers and rubber-stamped by EU countries shortly after.
Once it enters into force, the crackdown could begin: From 2026, public auctions offering support for renewable energy will have to include requirements concerning cybersecurity. This will be optional for public procurement of renewable energy.
However, the specific requirements concerning cybersecurity have yet to be defined. The Commission will present an act within the year to provide more details.
Todd Davis of turbine maker Vestas said that European manufacturers are “actively lobbying shoulder to shoulder” to make sure cybersecurity criteria are “process-based and risk-assessment-centric” instead of a “checkbox list” to reflect the quickly changing landscape of threats.
Lukasz Kolinski, head of the renewables unit at the European Commission’s energy department, said Brussels aims to find a delicate balance between “being concrete” and leaving “flexibility for the member states.”
WIndEurope’s Dickson remains confident. He said these pre-qualifications are not a silver bullet for the beleaguered industry, but they “will help.”
And he is thinking bigger: “You need them not just for the auction projects but for the non-auction projects as well.”
Increasingly, wind power projects are developing without state support—they would not be subject to industrial policy rules.
Another fight is already brewing.
[Edited by Donagh Cagney]