On Tuesday, the European Commission released a revised draft of the EU’s Cybersecurity Act, which explicitly requires the gradual phase-out of components from “high-risk suppliers” in critical areas. This move is seen as a significant shift in the EU’s stance on Chinese technology companies such as Huawei and ZTE.
The core change in this amendment is elevating the previous “voluntary guidelines” to “mandatory law.” According to the proposal, once a supplier is listed as high-risk, EU telecom operators must complete the replacement of critical components within 36 months (3 years).
The scope of impact has expanded from the existing 5G networks to 18 key strategic areas, including:
Infrastructure:
Power supply and storage, water supply systems, space services, satellite networks, and undersea cables.
Cutting-edge technologies:
Semiconductors, cloud computing services, internet-connected and autonomous vehicles, drones, and counter-drone systems.
Security monitoring:
Surveillance equipment, detection devices, and medical devices.
European Commission’s tech chief, Henna Virkkunen, emphasized to Reuters that this new initiative aims to protect critical Information and Communication Technology (ICT) supply chains.
She stated, “This is an important step to ensure European technological sovereignty and provide higher security for everyone.”
While the Commission did not directly name China in the draft, its goal of preventing “foreign interference and espionage activities” clearly targets Beijing. Previously, Germany had taken the lead in establishing an expert committee to re-examine its policies towards China and has banned the use of Chinese components in future 6G networks.
The United States had already banned the approval of new telecommunications equipment from Huawei and ZTE in 2022, urging Europe to take action.
In 2020, the European Commission passed a 5G network security “toolbox” to restrict the use of “high-risk vendors” like Huawei, citing concerns over potential sabotage or espionage activities. However, due to the high cost of replacement, some countries have not entirely removed these high-risk equipments yet.
In response to the EU’s strict amendment, the Chinese Ministry of Foreign Affairs stated that such restrictions lack legal basis, accusing the EU of disrupting a fair business environment. However, EU officials pointed out that with the rise in cyber attacks and ransomware incidents, Europe can no longer afford to risk entrusting its vital systems to “authoritarian regime suppliers.”
The proposal states that restrictions on suppliers from specific countries will be triggered by a risk assessment initiated by the Commission or at least three member states. This updated version of the Cybersecurity Act is expected to be discussed in the European Parliament and member states in the coming months.