Sweden is racing toward 100 % renewable electricity, yet many of the rooftop and utility-scale projects powering that vision rely on inverters supplied by a handful of Chinese brands per Elpris Idag. Recent technical probes have flagged hidden radios, undocumented firmware and poor electromagnetic shielding in several models, prompting the question: Is Sweden’s current legal toolbox strong enough to keep a hostile actor—or a faulty device—from destabilising the grid?
Electrical-safety and radio rules.
Under the Electrical Safety Act (2016:732) and its implementing regulations, any imported inverter must display the CE-mark and comply with the Low-Voltage and EMC Directives. The National Electrical Safety Board has the power to recall or ban non-conforming models; it has already done so for several Asian inverters on electromagnetic-emission grounds. Yet neither the Act nor the EU directives oblige a cyber-security review. If an inverter lands on Swedish soil today with an undocumented 4G modem on its PCB, the importer has not broken any rule—so long as the radio meets spectrum limits and the device will not electrocute anyone.
Radio Equipment Directive (RED).
The RED does contain new cyber-security clauses, but they enter into force only on 1 August 2025. Until then, most Wi-Fi or LTE-enabled inverters can be sold legally without a penetration test or a disclosure of their software bill of materials.
Product liability and tort law.
The Product Liability Act (1992:18) imposes strict liability for injury or property damage caused by a defective product, yet “pure economic loss” (for example, a nationwide blackout that forces factories offline) is recoverable only if a contract says so. Utilities would struggle to claim damages from thousands of homeowners who installed the same compromised inverter.
Protective Security Act (2018:585).
Operators of “security-sensitive activities” must analyse supply-chain risk and can be ordered to divest high-risk technology. At present, rooftop-solar owners are not classified as security-sensitive—even though a coordinated command to thousands of cloud-connected inverters could dump hundreds of megawatts off the grid in seconds.
NIS-2 Directive: Member States must transpose by October 2024. Energy distributors and large solar farms will have to implement cyber-risk management and incident reporting or face fines up to 2 % of turnover. Sweden has not yet tabled its transposition bill.govinfosecurity.com
Cyber Resilience Act (CRA): Political agreement reached in 2024; once the text is finalised, manufacturers of “critical products with digital elements” (very likely to include inverters) will need secure-by-design processes and SBOMs, backed by market-surveillance powers. Full application is expected 2027.
RED Cybersecurity Delegated Act: Mandatory conformity assessment for radio-equipped devices placed on the EU market after 1 Aug 2025. Inverters with hidden or undocumented radios will fail the new test.
The catch: most of Sweden’s PV build-out is happening now, under legacy rules.
Coordinated remote shutdown
If thousands of cloud-connected inverters from a single vendor simultaneously switch to “fault” mode, Svenska kraftnät could face frequency collapse within seconds. Current statutes would leave home-owners liable only up to their insurance limits; systemic loss recovery would likely fall on the state.
Privacy breaches via monitoring portals
Chinese OEM back-ends often sit outside the EEA. Continuous export of consumption data without explicit user consent would violate GDPR, exposing installers and asset owners—not the foreign OEM—to fines.
Supply-chain blacklisting
A future government order (under the Protective Security Act) could force utilities to disconnect equipment from “high-risk” countries, mirroring the 5G Huawei ban. Without clear depreciation rules, asset owners could be left with stranded devices and no compensation.
Fast-track Sweden’s NIS-2 transposition to make all DSOs and >1 MWp PV parks “important entities” with audit duties by Q4 2025.
Table a ministerial regulation under the Electrical Safety Act obliging any inverter sold after 1 Jan 2026 to pass an accredited cyber-test—leveraging the RED delegated act as legal cover.
Amend the Protective Security Ordinance to deem inverter fleets above 100 kWp “security-sensitive” infrastructure, triggering mandatory risk analysis and supplier-screening.
Insert a grid-stability clause into the Product Liability Act, explicitly covering economic loss from mass-scale inverter failure, thereby shifting liability signals upstream to manufacturers and importers.
Create a sunset list: equipment that fails the new rules must be phased out within five years, financed half by OEMs (polluter-pays principle) and half by a government green-transition fund.
Chinese inverters are not illegal in Sweden, but the legal framework supervising them is frozen in a pre-cyber era. While the EU’s upcoming RED cybersecurity act and the Cyber Resilience Act will close many gaps, Sweden can—and should—act sooner through national electrical-safety, grid-code and protective-security law. Otherwise the country’s ambitious solar rollout may bake a systemic vulnerability into the grid faster than the legislators can unpick it.
Protocol.ua є власником авторських прав на інформацію, розміщену на веб - сторінках даного ресурсу, якщо не вказано інше. Під інформацією розуміються тексти, коментарі, статті, фотозображення, малюнки, ящик-шота, скани, відео, аудіо, інші матеріали. При використанні матеріалів, розміщених на веб - сторінках «Протокол» наявність гіперпосилання відкритого для індексації пошуковими системами на protocol.ua обов`язкове. Під використанням розуміється копіювання, адаптація, рерайтинг, модифікація тощо.
Повний текстПриймаємо до оплати
Copyright © 2014-2025 «Протокол». Всі права захищені.
