From 1 November 2026, a new financing condition applies to every energy project applying for EU support. Solar farms, wind installations and battery storage systems that rely on inverters or power conversion systems from suppliers in high-risk countries lose access to support from the European Investment Bank, the European Investment Fund and other EU instruments. On 4 May 2026 the Commission confirmed that the guidance extends to battery energy storage. The extension is what is new, and it is why the topic has been widely debated across European trade press.
What the assessment points to
The Commission's risk analysis points to three concrete scenarios: manipulation of production parameters, disruption of generation, and unauthorised access to operational data that could ultimately enable remote shutdown of parts of the grid. The assessment draws on material from several member states, including both open sources and classified intelligence.
The rule is not a ban on individual manufacturers and not a trade-policy measure. It is a financing condition. Project owners must be able to show who holds the control logic when thousands of batteries and inverters share the same grid.
Where the attack surface sits
A modern inverter is a connected computer with remote access. A battery with a power conversion system is the same thing, but with the ability to both consume and inject power. That bidirectional flow widens the attack surface compared with pure solar generation.
The first line of defence is not the hardware itself. It lies in who owns the dispatch logic, who signs the software updates and where the control traffic flows. Lithuania moved first in Europe in 2024 with national legislation, and since then the question has moved up to EU level. From May 2026 the union has a coordinated framework, with stricter requirements from April 2027.
Our model. Operator, not reseller.
Sourceful owns and operates battery storage behind the customer's meter. The model is an operational commitment, not a financing package wrapped in a service contract. We take responsibility for the full chain, from the battery on the property to the bids into Svenska kraftnät's ancillary services markets.
In practice that means we choose the hardware, run the Zap Gateway as a local control layer between the battery and the outside world, take responsibility for all software in the system, hold the agreement with the balance responsible party, and submit bids into the ancillary services markets. Security accountability sits in several layers on our side of the contract.
For the property owner, the value lands where it should. On the grid invoice, as a lower peak charge, and as monthly revenue from ancillary services. Without inheriting the risk of an inverter with opaque remote updates from a jurisdiction outside the EU.
Where the value sits
Our platform is not tied to a single hardware manufacturer. If a specific component falls outside the EU's future requirements, we can swap it out in an existing installation without disrupting operations or revenue.
The value in a battery storage system does not sit in the cells. It sits in how they are controlled, and the control is ours.
What it means for EU-funded projects
For commercial players seeking EU grants or EIB financing, compliance becomes an operational requirement from 1 November 2026. Anyone running a project in-house will need to document the full supply chain, maintain security patch routines and show that the control traffic comes from approved jurisdictions. From April 2027 the requirements tighten further.
For individual property owners this is a growing administrative load. For us it is routine in the operating environment we have already built.
Summary
The EU's tightening is more a market signal than a political event. Battery storage is on its way to becoming critical infrastructure on the same level as the transmission grid, and the requirements on control, transparency and supplier accountability follow naturally.
Sourceful is the Nordic operator that takes that responsibility. The software, the dispatch logic, the integration with the ancillary services markets and the security architecture around the battery are all built and run by us. The hardware is one component in a stack we own.
Read more about how we operate or book a qualification call.
