The European Commission proposes mandatory phase-out of telecom equipment from designated high-risk suppliers in sectors like energy and transport, drawing criticism from Huawei over market access concerns.

The European Commission has unveiled draft revisions to the EU Cybersecurity Act that would systematically remove equipment from designated "high-risk suppliers" from critical infrastructure sectors. The proposal, published this week, mandates that operators in telecommunications, energy, transport, and financial services replace existing equipment from these vendors within established timelines while banning new deployments.
What's claimed: The EC frames this as a necessary security upgrade, citing threats to essential services. Internal market commissioner Thierry Breton stated the rules would "avoid critical dependencies on high-risk suppliers." The proposal establishes a formal risk assessment process where member states identify vendors subject to restrictions based on factors including third-country legal frameworks and cybersecurity practices.
What's actually new: Unlike previous voluntary guidelines, these rules would be legally binding. The draft specifies phased implementation: operators must submit removal plans within 12 months of a vendor's high-risk designation, complete removal within five years for core networks, and eight years for peripheral systems. Critical sectors covered include:
- Public electronic communications networks
- Energy production/distribution
- Air/rail/water transport networks
- Banking/financial market infrastructure
- Water supply systems
- Healthcare infrastructure
- Digital infrastructure providers
Limitations and criticisms: Huawei immediately challenged the proposal as "discriminatory" and lacking technical justification. A spokesperson argued it "ignores the company's 20-year clean security record in Europe" and warned of supply chain disruptions. The draft provides minimal technical criteria for defining "high-risk" vendors beyond governmental influence concerns, leaving significant interpretation to member states. Implementation costs remain unquantified, particularly for operators with deeply embedded legacy systems. Equipment swaps in operational power grids or rail signaling systems carry significant reliability risks during transition periods.
Technical feasibility questions persist about replacement timelines given complex system integrations and specialized hardware dependencies. The proposal also lacks provisions for verifying equipment integrity through code audits as an alternative to wholesale replacement. Observers note parallels with US FCC actions against Chinese vendors but emphasize Europe's broader sectoral scope beyond 5G networks.
The draft enters a negotiation phase with EU member states and the European Parliament, where technical specifications and implementation timelines face likely revisions. Industry associations have requested clearer definitions of critical components and transition support mechanisms before final adoption, expected in late 2026.
