France’s New Requirements for Solar Tenders: Cybersecurity and Sustainability

France adds security and supply chain tests to solar auctions

France has launched a 12 GW renewable energy tender round that includes cybersecurity checks and sustainability criteria for solar projects. The move marks a departure from traditional price-only procurement. It reflects growing concerns about grid security and supply chain concentration in the European renewables sector.

The tender comes after a two-year delay caused by political disputes over renewable financing. It covers 1.2 GW of solar capacity, 0.8 GW of onshore wind, and 10 GW of offshore wind across seven separate projects. Solar bidders now face additional requirements covering the sourcing of photovoltaic cells and modules.

This approach aligns with the EU’s Net-Zero Industry Act, which took effect in June 2025. The legislation requires member states to apply non-price criteria to at least 30% of auctioned renewable capacity each year, or 6 GW, whichever is lower. Criteria include sustainability, supply chain resilience, and cybersecurity standards.

For UK businesses involved in European energy markets, these changes signal a shift in how renewable projects are evaluated. Companies tendering for solar contracts in France will need to demonstrate compliance with component sourcing rules. They must also show how their technology meets emerging cybersecurity standards for grid-connected equipment.

Component limits target Chinese supply chain exposure

The French solar tender imposes restrictions on components from China. Offshore wind projects face a cap of four Chinese-sourced parts from a list of nine strategic components. There is also a 50% limit on permanent magnets sourced from China.

These restrictions address concerns about supply chain vulnerability. The EU identified photovoltaic cells and modules as areas of high dependency in its June 2025 implementing regulation. Solar panel manufacturing remains concentrated in China, which controls much of the global production capacity for key materials like polysilicon.

The approach mirrors earlier EU restrictions on 5G suppliers considered high-risk, including Huawei. However, the renewable energy measures focus on diversification rather than outright bans. They aim to encourage European manufacturing while reducing single-country dependencies that could affect grid stability or project delivery.

Future French tender rounds will incorporate stricter sustainability and cybersecurity criteria. The government has indicated these requirements will tighten governance standards for critical energy infrastructure. Consequently, project developers will need to provide more detailed documentation about their supply chains.

Revised EU Cybersecurity Act targets solar inverters

Separately, the EU’s revised Cybersecurity Act identifies solar inverters as high-risk components. The regulation gives the European Commission authority to identify cybersecurity risks and mandate mitigation measures. It may extend to systems under 1 MW, which would affect residential solar installations.

Solar inverters convert DC power from panels into AC power for the grid. They also provide communication and control functions. Security researchers have raised concerns about vulnerabilities that could allow remote tampering. In extreme scenarios, coordinated attacks could disrupt grid stability.

SolarPower Europe has emphasised the need for formal risk assessments as part of the regulatory process. Meanwhile, manufacturers like Sungrow have published guidance on cybersecurity design, advocating for compliance with standards such as EN 18031. This standard covers security requirements for industrial automation and control systems.

For businesses installing solar arrays, these developments mean additional compliance steps. Inverter manufacturers may need to provide cybersecurity documentation as part of procurement processes. Installers could face requirements to configure systems according to specific security protocols, including network isolation and firmware update procedures.

What changes mean for project economics and timelines

The new criteria add complexity to renewable project development. Developers must now assess not only equipment cost and performance but also component origin and cybersecurity features. This requires more detailed supply chain transparency from manufacturers.

Projects relying heavily on Chinese components may face scoring penalties in tender evaluations. As a result, some developers may need to identify alternative suppliers or redesign projects to meet sourcing requirements. This could affect project timelines and increase procurement costs, particularly during the transition period as European supply chains develop.

However, the requirements also create opportunities. Manufacturers with European production facilities may gain competitive advantages in tender processes. Companies offering cybersecurity-certified equipment could differentiate their products in a market where these features become mandatory rather than optional.

France’s nuclear-dominated electricity system keeps household power prices roughly 30-35% lower than Italy’s. The country is now diversifying into renewables to reduce fossil fuel imports while maintaining energy independence. The tender programme supports offshore wind targets for 2035 while complementing existing nuclear baseload capacity.

Key details for businesses tracking the policy

• France’s current renewable tender covers 12 GW total capacity, with 1.2 GW allocated to solar projects requiring enhanced sustainability and resilience criteria.
• The EU Net-Zero Industry Act mandates non-price criteria for at least 30% of renewable auction volumes annually, or 6 GW minimum per member state.
• Offshore wind projects in France face limits of four Chinese-sourced components from nine strategic categories, plus a 50% cap on Chinese permanent magnets.
• The EU’s revised Cybersecurity Act may extend to solar systems under 1 MW, potentially affecting residential installations from manufacturers including Enphase and SolarEdge.
• The EU implementing regulation took effect on 18 June 2025, with a related Commission Communication on supply chain dependencies published on 23 May 2025.
• Future French tender rounds will apply stricter sustainability and cybersecurity standards to critical energy infrastructure projects.

Grid security concerns drive inverter scrutiny

Cybersecurity requirements reflect genuine technical risks in solar infrastructure. Inverters connect to communication networks for monitoring and control. This connectivity creates potential attack vectors. Security experts have demonstrated theoretical scenarios where compromised inverters could be manipulated to destabilise grid frequency.

The risk increases as solar capacity grows. Large numbers of distributed inverters acting in coordination could affect grid stability if simultaneously disconnected or manipulated. Therefore, regulators are treating inverters as critical infrastructure components requiring security standards comparable to other grid equipment.

Sungrow’s technical guidance links cybersecurity to environmental goals. The company notes that availability-focused security measures support energy efficiency and emission reduction targets. Equipment that remains operational and secure contributes more reliably to decarbonisation objectives.

Industry specialists acknowledge that even untrusted components can be managed through network architecture. As one expert noted, stronger firewalls and network segmentation can compensate for equipment with uncertain security credentials. Nevertheless, regulators prefer security designed into equipment rather than relying solely on external controls.

UK firms face European compliance requirements

UK businesses operating in European energy markets will need to track these regulatory developments. Companies manufacturing solar equipment for EU markets should review component sourcing and cybersecurity features. Those developing renewable projects in France or other EU countries must factor new criteria into bid preparations.

The requirements could affect UK-EU trade in solar components. British manufacturers may need to demonstrate compliance with EU sustainability and security standards to remain competitive in European tenders. Conversely, UK developers might adopt similar criteria for domestic projects as best practice or in response to future UK regulations.

Supply chain documentation will become more important. Businesses should be prepared to provide evidence of component origins and security certifications. This may require closer collaboration with suppliers to obtain necessary documentation and maintain audit trails.

The policy shift also affects risk assessment for renewable investments. Projects heavily dependent on single-source suppliers face greater regulatory uncertainty. Diversified supply chains with documented compliance may offer more secure returns, particularly for institutional investors with long-term horizons.

Standards still developing for retrofits and existing systems

Enforcement challenges remain, particularly for installed solar capacity. Retrofitting cybersecurity controls to existing inverters is technically complex and costly. Regulators have not yet clarified how requirements will apply to operational projects versus new installations.

The timeline for implementing security standards also remains uncertain. Equipment manufacturers need time to redesign products, obtain certifications, and scale production. Meanwhile, project developers face pressure to deliver capacity quickly to meet climate targets. Balancing security requirements with deployment speed presents a genuine policy challenge.

European manufacturing capacity for solar components is growing but remains limited compared to Asian production. The EU’s industrial strategy includes support for domestic PV manufacturing. However, building competitive European supply chains will take years and require sustained investment.

Businesses should monitor how these requirements evolve. Early adopters of compliant technology may gain advantages as standards tighten. Those waiting for regulatory clarity risk being caught by requirements that arrive faster than anticipated. Therefore, tracking EU working groups and national implementing regulations is advisable for any business active in European renewable markets.

Where to find official guidance and updates

The European Commission publishes detailed guidance on the Net-Zero Industry Act through its energy and industrial policy directorate. The implementing regulation adopted in June 2025 provides specific criteria for renewable energy auctions. These documents are available through the official EUR-Lex database at https://eur-lex.europa.eu.

For cybersecurity requirements, the EU Agency for Cybersecurity (ENISA) provides technical guidance and risk assessments. Their publications cover critical infrastructure protection, including energy systems. Access their resources at https://www.enisa.europa.eu.

SolarPower Europe, the industry association, publishes position papers and technical briefings on regulatory developments affecting the solar sector. Their analysis includes practical guidance for manufacturers and project developers navigating new requirements. Visit https://www.solarpowereurope.org for industry perspectives.

UK businesses should also monitor the Department for Energy Security and Net Zero for any corresponding UK policy developments. As European standards evolve, UK regulations may adopt similar approaches for grid security and supply chain resilience. The department’s publications are available at https://www.gov.uk/government/organisations/department-for-energy-security-and-net-zero.

For businesses working with sustainability compliance more broadly, our ESG compliance support helps UK companies navigate environmental and governance requirements. As renewable procurement becomes more complex, understanding how sustainability criteria affect tender evaluations will be increasingly important for businesses across the supply chain.