As a European Security Expert, I Am More Concerned About Politicized Procurement Than About Vendor Nationality

I work in security, so I understand why people are nervous about critical infrastructure.

Energy systems are not ordinary commercial assets. If something goes wrong, the consequences are not limited to a delayed software release or a bad quarterly report. They can affect hospitals, transport, industry, households, public services, and national stability.

So, yes, Europe should take the security of its energy infrastructure seriously.

But seriousness is not the same thing as suspicion.

In recent years, I have become increasingly concerned by the way procurement debates in the energy sector are drifting away from technical evidence and toward political signalling. Vendor nationality is often discussed as if it were a security control. It is not.

At best, nationality is one factor in a broader risk assessment. Legal jurisdiction, supply chain dependency, data exposure, ownership structure, and strategic pressure can all matter. Pretending otherwise would be naive.

But reducing cybersecurity risk to a question of country of origin is also naive. It gives a simple answer to a complex problem, and simple answers are rarely what keep critical systems running.

The harder questions are the ones utilities actually live with.

Can this system be monitored properly? Can the operator control updates? Is remote access limited and auditable? Has the firmware been independently reviewed? What happens if the supplier is unavailable during an incident? Can the equipment be isolated without disrupting operations? Are vulnerabilities disclosed quickly and transparently? Does the product integrate safely into an OT environment that may already be fifteen or twenty years old?

Those are the questions that decide whether infrastructure is secure.

For grid operators, utilities, and infrastructure owners, procurement has always been about practical things: reliability, performance, lifecycle cost, service availability, standards compliance, spare parts, integration, and operational risk. Cybersecurity now sits at the centre of that list, as it should.

But cybersecurity has to be verified. It cannot be inferred from a flag, a press release, or the political mood of the moment.

A secure European energy system will not be built by assuming that some suppliers are automatically safe and others are automatically dangerous. It will be built by forcing every supplier to prove security under the same rules.

That is the debate Europe should be having.

Security Is an Engineering Problem Before It Is a Political Argument

Cybersecurity in critical infrastructure is often discussed in broad terms: sovereignty, influence, dependency, and strategic autonomy. These are legitimate topics. But they can also become vague very quickly.

In the field, security is less abstract.

It is access control, logging, segmentation, patch governance, incident response, secure remote maintenance. It is knowing who can connect to what, from where, under which conditions, and with which approval. It is being able to detect abnormal behaviour before it becomes operational disruption.

It is also the boring discipline of checking what vendors claim.

A supplier may say its product is secure. Fine, show the evidence.

Show the secure development lifecycle, the vulnerability disclosure process, the update mechanism, how firmware integrity is protected, how credentials are managed, how customer data is handled, what remote access exists, whether the operator can approve or delay updates, whether independent testing has been performed.

Critical infrastructure security depends on measurable controls, independent testing, and operational governance.

This is what serious procurement looks like.

Concentrating only on nationality-based categories could make this discipline weaker, not stronger. Once a supplier is placed in a politically comfortable category, people may ask fewer questions. Once a supplier is placed in a politically uncomfortable category, people may stop asking technical questions altogether.

Both reactions are bad security.

A trusted supplier can still ship vulnerable software. A European or allied supplier can still have poor development practices, weak defaults, insecure cloud dependencies, or an immature vulnerability response process. A supplier from a politically sensitive country may present risks that deserve close scrutiny, but those risks still need to be defined, tested, and governed.

The point is not that all suppliers are equal. They are not.

The point is that all suppliers should be measured.

If the concern is remote access, test remote access. If the concern is update control, require utility-controlled update governance. If the concern is hidden communication, inspect network behaviour. If the concern is dependency, assess spare parts, maintenance, and replacement options. If the concern is legal exposure, include it in the risk model and contract.

What does not help is turning procurement into a morality play where the technical controls become secondary.

Security should be based on proof.

The Risks Utilities Actually Face

One reason I am sceptical of politicized procurement is that it can distract from the risks European utilities already know they have.

Many energy operators are dealing with aging OT environments. Some have assets that were never designed for modern connectivity. Some still have incomplete visibility over what is connected to their networks. Some struggle with weak separation between IT and OT. Some depend on remote maintenance arrangements that made sense ten years ago but now look uncomfortable. And some have too many third parties with too much access and not enough monitoring.

These are not theoretical weaknesses.

In real incidents, the root cause is often painfully ordinary: a misconfiguration, a compromised credential, a flat network, an exposed remote access service, a delayed patch, unclear ownership between IT and OT teams, or a vendor account that nobody reviewed after a project ended.

That is not very dramatic, but it is how infrastructure gets hurt.

An attacker does not need a geopolitical theory if they can use a stolen password. They do not need to exploit national dependency if an engineering workstation is reachable from the wrong network segment. They do not need a sophisticated supply chain operation if a third-party VPN account has more access than it should.

This is where Europe can focus its energy.

Every utility should have an accurate asset inventory. Remote access should be restricted, logged, time-bound, and approved. IT and OT segmentation should be real, not just a diagram in a PowerPoint deck. Privileged access should be tightly controlled. Patching should be risk-based but not improvised. Incident response should be tested with operational teams, not only written in policy documents. Backup restoration should be rehearsed. Suppliers should be contractually required to support security, not just deliver equipment and disappear.

None of this is glamorous. It is also exactly what reduces risk.

If procurement debates become dominated by political categorisation, these operational issues can be pushed into the background. That would be a mistake. Europe could remove one supplier from a project and still deploy the replacement badly. It could buy from a more politically acceptable vendor and still leave remote maintenance exposed. It could talk about sovereignty while running systems it cannot properly monitor.

The uncomfortable part is that bad architecture can defeat good intentions.

Resilience comes from supplier diversity, interoperable standards, and consistent security requirements across all providers.

Politicized Procurement Can Create New Dependencies

There is another point that deserves more attention. Politicized procurement not only removes risk. It can also create risk.

Energy infrastructure depends on long planning cycles. Grid modernization, substations, renewable integration, battery storage, inverters, industrial control systems, communications equipment, and monitoring platforms are not purchased like laptops. They require financing, design, integration, certification, maintenance, spare parts, and long-term support.

If procurement rules change suddenly because of political pressure rather than transparent technical criteria, utilities and developers pay the price.

Projects become more expensive. Timelines stretch. Supplier options shrink. Financing becomes harder. Competition weakens. Spare parts and maintenance planning become more complicated. Renewable integration may slow down at the exact moment Europe needs it to accelerate.

That does not mean Europe should accept every supplier under every condition. Some risks may be unacceptable. Some suppliers may fail to provide the level of transparency or control required for critical infrastructure. Some deployment models may create dependencies Europe should not tolerate.

But if a supplier is restricted or rejected, the reason should be clear.

Not “we do not like where it comes from.”

Rather, the operator cannot control updates. The remote access model is unacceptable. The product lacks sufficient logging. The supplier will not support independent testing. The data flow is not transparent. The vulnerability disclosure process is weak. The lifecycle support is not credible. The legal and operational dependency is too high.

Those are defensible reasons. They are also useful reasons, because they tell the market what needs to improve.

Vague political exclusion does not improve the security level of the whole ecosystem. Clear technical requirements do.

Europe should avoid replacing one dependency with another. Over-concentration is still over-concentration, even when it feels politically comfortable. A resilient market needs diversity, interoperability, and standards that prevent any single supplier from becoming too important to replace.

The goal should not be to build a procurement wall. The goal should be to build a security gate.

A wall says: you are in or out based on category.

A gate says: here is the evidence required, here are the controls expected, here is the level of transparency needed, and here is how we verify it.

That is much healthier for European infrastructure.

What Europe Should Require From Every Supplier

A mature European approach should start with one principle: same risk, same requirements.

If a technology is going into critical energy infrastructure, the supplier should meet a high security bar regardless of nationality. That bar should be demanding, practical, and testable.

First, independent security validation should become normal. For sensitive systems, this can include architecture review, firmware analysis, penetration testing, secure development lifecycle assessment, cryptographic review, and verification of update mechanisms. Not every product needs the same depth of testing, but critical systems should not rely on marketing claims.

Second, operators must retain operational control. This is where sovereignty becomes real. Sovereignty is not only about the supplier’s address. It is about whether the utility can monitor the system, control access, approve updates, isolate components, preserve logs, and continue operating during an incident. If an operator cannot govern the technology once deployed, it does not have meaningful control.

Third, remote maintenance must be treated as a high-risk function. Vendor access should be least-privilege, time-limited, strongly authenticated, logged, and subject to approval. Permanent opaque remote access into energy infrastructure should be considered unacceptable by default. If a supplier needs access, the operator should know when, why, how, and to what.
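The remote-maintenance controls listed above (least privilege, time limits, strong authentication, logging, approval), together with the earlier point that remote access should be restricted, logged, time-bound and approved, can be expressed as a gate that every vendor session request has to pass. The Python below is an added example written for this post, not code from the article or from any vendor or utility; the change-ticket format, the asset and vendor names, the four-hour session limit and the sample data are all constructed assumptions. It also flags approvals that have expired, which is the "vendor account nobody reviewed after the project ended" case from the section on risks.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

UTC = timezone.utc
# Hypothetical policy limit (an assumption, not from the article): a vendor
# session may last at most four hours and must end inside its ticket window.
MAX_SESSION = timedelta(hours=4)


@dataclass(frozen=True)
class Approval:
    """An operator-issued approval ticket: who may touch what, as which role, and when."""
    ticket: str
    vendor: str
    assets: frozenset        # asset identifiers the ticket covers
    roles: frozenset         # privilege levels the ticket permits
    valid_from: datetime
    valid_until: datetime


@dataclass(frozen=True)
class AccessRequest:
    """A vendor's request to open a remote-maintenance session."""
    ticket: str
    vendor: str
    asset: str
    role: str
    mfa_verified: bool       # strong authentication completed at the jump host
    start: datetime
    end: datetime


def evaluate(req: AccessRequest, approvals: List[Approval]) -> Dict:
    """Check one request against each control and return an audit record.
    'allowed' is True only when no control fails; denied requests are recorded too."""
    reasons: List[str] = []
    approval = next((a for a in approvals
                     if a.ticket == req.ticket and a.vendor == req.vendor), None)
    if approval is None:
        reasons.append("no matching approval ticket for this vendor")
    else:
        # Time-bound: the session must sit entirely inside the approved window.
        if req.start < approval.valid_from or req.end > approval.valid_until:
            reasons.append("requested window outside the approved window")
        # Scoped: only the assets named on the ticket.
        if req.asset not in approval.assets:
            reasons.append(f"asset {req.asset} not in approved scope")
        # Least privilege: only the roles named on the ticket.
        if req.role not in approval.roles:
            reasons.append(f"role {req.role} exceeds approved privilege")
    if req.end <= req.start or req.end - req.start > MAX_SESSION:
        reasons.append("session length invalid or exceeds maximum")
    # Strongly authenticated: no MFA, no session, whatever the ticket says.
    if not req.mfa_verified:
        reasons.append("multi-factor authentication not verified")
    return {
        "vendor": req.vendor, "asset": req.asset, "role": req.role,
        "ticket": req.ticket, "start": req.start.isoformat(),
        "end": req.end.isoformat(), "allowed": not reasons, "reasons": reasons,
    }


def expired_approvals(approvals: List[Approval], now: datetime) -> List[str]:
    """Tickets past their end date: vendor access that should already be disabled."""
    return sorted(a.ticket for a in approvals if a.valid_until < now)


def audit_line(record: Dict) -> str:
    """One JSON line per decision, so denied attempts are logged as well as granted ones."""
    return json.dumps(record, sort_keys=True)


# Constructed sample data: one live ticket and one left over from an old project.
APPROVALS = [
    Approval("CHG-1001", "vendor-a", frozenset({"rtu-17", "rtu-18"}),
             frozenset({"read-only", "maintenance"}),
             datetime(2026, 3, 2, 8, 0, tzinfo=UTC), datetime(2026, 3, 2, 18, 0, tzinfo=UTC)),
    Approval("CHG-0420", "vendor-b", frozenset({"hmi-03"}), frozenset({"read-only"}),
             datetime(2025, 6, 1, tzinfo=UTC), datetime(2025, 6, 30, tzinfo=UTC)),
]
REVIEW_TIME = datetime(2026, 3, 2, 8, 0, tzinfo=UTC)


def demo() -> Dict:
    """A compliant request and one that fails every control, plus the expired-ticket review."""
    ok = AccessRequest("CHG-1001", "vendor-a", "rtu-17", "maintenance", True,
                       datetime(2026, 3, 2, 9, 0, tzinfo=UTC), datetime(2026, 3, 2, 11, 0, tzinfo=UTC))
    bad = AccessRequest("CHG-1001", "vendor-a", "plc-02", "admin", False,
                        datetime(2026, 3, 2, 9, 0, tzinfo=UTC), datetime(2026, 3, 2, 19, 0, tzinfo=UTC))
    return {"decisions": [evaluate(ok, APPROVALS), evaluate(bad, APPROVALS)],
            "expired": expired_approvals(APPROVALS, REVIEW_TIME)}


if __name__ == "__main__":
    result = demo()
    for record in result["decisions"]:
        print(audit_line(record))
    print("tickets to revoke:", result["expired"])
```

The point of collecting every failed control rather than stopping at the first is that the audit line then tells the operator exactly which expectations a vendor is not meeting, which is the same "tell the market what needs to improve" argument the post makes about rejection decisions.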

Fourth, Europe should push harder on OT-specific security architecture. Traditional enterprise security models do not map perfectly to industrial environments. Availability matters. Safety matters. Legacy constraints matter. But the principles still apply: segmentation, least privilege, monitoring, anomaly detection, backup recovery, and tested incident response.

Fifth, vulnerability disclosure must be contractual. Suppliers should be required to receive, triage, communicate, and remediate vulnerabilities within defined timelines. Coordinated vulnerability disclosure should not be treated as a favour from the vendor. It should be part of doing business in critical infrastructure.

Finally, standards should be applied consistently. IEC 62443 is highly relevant for industrial automation and control systems.[1] ISO 27001 remains useful for information security management.[2] NIS2 raises expectations for essential and important entities across Europe, including risk management and reporting.[3] ENISA guidance and certification efforts can help align practices across member states.[4]

The important word is “consistently.”

If firmware transparency is required, require it broadly. If secure development practices matter, assess them broadly. If update governance is critical, make it critical for everyone. If remote access is dangerous, control it for every supplier, not only the politically inconvenient ones.

That is how Europe gets stronger.

Europe Needs a Shared Energy Security Standard

This is why I believe Europe would benefit from a dedicated security standard or framework for energy procurement, developed with the people who actually have to use it.

It should involve utilities, energy customers, infrastructure developers, vendors, cybersecurity experts, testing laboratories, regulators, and European institutions. If the standard is written only from the policy side, it may miss operational reality. If it is written only by vendors, it may lack independence. If customers are not involved, it may fail where it matters most: deployment and operation.

The purpose should not be to disguise political exclusion as technical language. That would defeat the point.

The purpose should be to create a common evidence model.

A good framework would define baseline requirements for product security, secure development, firmware integrity, data handling, remote access, update control, logging, vulnerability disclosure, incident cooperation, lifecycle support, and emergency isolation. It would also define how evidence is submitted, how independent validation is performed, and how reassessment happens when products change.

This would help everyone.

Customers would have a clearer way to compare suppliers. Vendors would know what evidence they must provide. Regulators would have a more consistent basis for oversight. Testing laboratories would have clearer evaluation criteria. The market would become more predictable, not less.

Most importantly, it would move the discussion away from slogans.

Instead of asking whether a supplier is politically acceptable in general, procurement teams could ask whether a specific product, in a specific deployment model, under specific operational controls, meets the required security level.

That is a much better question.

It is also a more European answer: rules-based, evidence-driven, open to competition, but strict about security.

There is an opportunity here to make a constructive announcement to energy customers and partners: a security standard is being developed, and participation is welcome. The message should be clear. Europe’s energy security will not be built by one actor alone. It requires customers, suppliers, regulators, and security experts to work together on a shared ecosystem of trust.

Not trust as a slogan. But trust as something tested.

Conclusion: Verification Is Stronger Than Suspicion [5]

Europe has every reason to protect its energy infrastructure. The sector is strategic, the threat landscape is serious, and the consequences of failure are too high for complacency.

But procurement policy should not confuse suspicion with security.

Vendor nationality may be relevant in some cases, especially when it creates legal, operational, or strategic exposure. But it should never replace a technical assessment. If Europe wants resilient infrastructure, it needs procurement decisions based on verifiable controls, independent validation, operational visibility, and enforceable governance.

The strongest security model is not blind trust. It is also not blanket suspicion.

It is disciplined verification.

Every supplier should be tested. Every system should be monitored. Every remote access path should be controlled. Every update process should be governed. Every critical dependency should be understood before it becomes a crisis.

A politicized procurement environment may feel decisive, but it can easily distract from the work that actually improves resilience. Worse, it can reduce competition, increase costs, slow deployment, and create new dependencies while leaving old security weaknesses untouched.

Europe should aim higher than that.

A resilient energy system is not built on assumptions about where technology comes from. It is built on confidence in how securely that technology can be verified, governed, and operated.

  1. International Society of Automation, “ISA/IEC 62443 Series of Standards,” ISA, accessed June 9, 2026, https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards.
  2. Technology Blocks, “IEC 62443 Standards,” Technology Blocks, accessed June 9, 2026, https://tblocks.com/articles/iec-62443-standards/.
  3. European Union Agency for Cybersecurity, “The NIS2 Directive,” ENISA, accessed June 9, 2026, https://www.enisa.europa.eu/topics/state-of-cybersecurity-in-the-eu/cybersecurity-policies/nis-directive-2.
  4. European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022,” EUR-Lex, Official Journal of the European Union, December 27, 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/oj.
  5. European Union Agency for Cybersecurity, “ENISA Threat Landscape,” ENISA, accessed June 9, 2026, https://www.enisa.europa.eu/topics/cyber-threats/threat-landscape.

I’m Trustforge.

Welcome to Trustforge.pub. Here, we collaborate with our ecosystem partners and are dedicated to sharing insights into European cybersecurity legislation, trends, and standards, and to sharing best practices in cybersecurity and digital trust from vendors and customers. We aim to inspire you through insights and practices, and we welcome your subscription and participation. Let’s get crafty!
