Brussels proposes new regulations that could sideline Chinese vendors without explicitly naming them
- New EU cybersecurity rules could force member states to bar equipment from so-called “high-risk” suppliers in critical networks.
- Telecoms industry warns of costs and delays, while critics question legal fairness and geopolitical motives.
What happened: A new EU cybersecurity package edges closer to a de-facto Huawei ban.
The European Commission has unveiled a revised Cybersecurity Act as part of a broader cybersecurity package aimed at tightening protections for critical information and communications technology (ICT) supply chains. Although the proposal stops short of an outright ban on specific companies, its language would make compliance with EU security standards compulsory for all member states, effectively pushing them to remove equipment from suppliers deemed “high-risk” — a designation widely understood to target Chinese firms such as Huawei and ZTE.
Under the draft legislation, mobile telecom operators would have roughly 36 months to phase out high-risk components from core network infrastructure once a final list of such vendors is adopted. While the act’s text does not name Huawei or any other company directly, the risk-based framework is seen as a de-facto mechanism to reduce reliance on non-EU suppliers long criticised by US and EU policymakers for potential ties to foreign governments.
Huawei has strongly objected, arguing that excluding suppliers on the basis of “country of origin” rather than technical evidence and risk assessments could violate EU principles of non-discrimination and international trade obligations. Industry bodies like GSMA have echoed concerns that overly stringent rules may impede network upgrades and innovation.
Why it’s important
Cybersecurity across key sectors — from telecoms and cloud services to medical devices and energy grids — has become a strategic priority as geopolitical tensions rise and state-linked cyber threats grow. The EU’s move signals a significant shift from voluntary guidelines towards mandatory regulation, potentially harmonising security standards across the bloc and reducing fragmentation in national approaches.
However, the package raises legal and practical questions: can Brussels enforce supplier exclusions without explicit bans? Might the requirements slow down 5G/6G deployments or increase costs for operators already stretched thin? Some critics argue that the EU’s insistence on so-called “tech sovereignty” risks protectionism and retaliation from China, which has condemned such efforts as discriminatory.
With the European Parliament and member states set to debate the proposal, the final shape of Europe’s cybersecurity regime — and its impact on global technology supply chains — remains uncertain.
