The European Commission is advancing a revised Cybersecurity Act that would mandate member states phase out IT and telecom components from 'high-risk suppliers'—a move widely seen as targeting Chinese firms like Huawei and ZTE—within three years of a supplier list being published. This marks a significant escalation in the EU's approach to supply chain security, shifting from voluntary guidelines to a potential legislative mandate with a tight compliance timeline.
The European Commission (EC) is preparing to introduce a revised Cybersecurity Act that could force EU member states to remove IT and telecom equipment from certain third-country suppliers within a three-year timeframe. This proposed legislation directly addresses long-standing security concerns about vendors like Huawei and ZTE, aiming to establish a unified, Europe-wide rulebook for excluding products deemed to pose a high risk to critical infrastructure.
Regulatory Action: The Revised Cybersecurity Act The EC's proposal seeks to amend the existing Cybersecurity Act to create a more robust framework for managing supply chain risks. Key objectives include:
- Union-Level Risk Assessments: Establishing a standardized process for evaluating the security risks posed by IT and telecom equipment from non-EU sources.
- Targeted Mitigation Measures: The legislation explicitly provides for a "phase-out of high-risk suppliers from mobile networks." This would include bans on IT components from these suppliers.
- Certification Restrictions: Conformity assessment bodies would be prohibited from certifying products or services from high-risk suppliers, effectively barring them from the market.
- Strengthening ENISA: The proposal aims to bolster the European Union Agency for Cybersecurity (ENISA) and reduce administrative burdens related to the implementation of the NIS2 directive.
The Act is part of a broader strategy that also includes the upcoming Cloud and AI Development Act (CADA), focusing on digital sovereignty and mitigating non-technical risks.
What It Requires: The Supplier Phase-Out The core requirement is the removal of equipment from designated "high-risk suppliers" from critical networks. While the proposal does not name specific companies, the context makes it clear that Chinese vendors are the primary target. The EC has previously labeled Huawei and ZTE as high-risk suppliers, citing fears of backdoors that could enable espionage or network disruption by the Chinese state. Huawei has consistently denied these allegations, stating that its products are secure and that the proposed legislation violates EU legal principles and WTO obligations.
The EC's stance is informed by reports of sophisticated hybrid attacks on European infrastructure. The Commission argues that a fragmented approach, where some member states have been reluctant to act, leaves the entire Union vulnerable. For example, in 2023, it was reported that Huawei supplied nearly 60% of the telecom equipment used in Germany's 5G networks.
Compliance Timeline: A Three-Year Window The proposed legislation sets a strict timeline for compliance. The phase-out period "shall not exceed 36 months from the publication of the list of high-risk suppliers." This means member states would have a maximum of three years to identify, plan, and execute the removal of non-compliant kit from their networks.
This timeline is considered ambitious. The experience of the United Kingdom serves as a cautionary example. The UK mandated the removal of Huawei technology from its 5G networks by the end of 2027. However, major telecom operator BT admitted in 2024 that it had missed its 2023 deadline for removing Huawei kit from its network core. The UK's "rip and replace" effort has also been cited as a factor in the country's subpar mobile network quality, as resources were diverted from network expansion and improvement to equipment replacement.
Industry and Expert Reaction The proposed mandate has drawn concern from industry experts about potential unintended consequences. Gary Barlet, Public Sector CTO at cybersecurity firm Illumio, warned that an "overly isolationist approach could create challenges." He noted that "Fragmentation often limits collaboration and slows innovation, making it harder to build robust, future-ready networks."
Huawei, for its part, has stated it will "closely monitor the subsequent development of the legislative process and reserve all rights to safeguard our legitimate interests." The company emphasized it will continue to operate as a legally compliant entity in Europe.
Broader Implications This move by the EC represents a significant shift from previous, more voluntary guidelines to a potential legislative mandate with a fixed deadline. It underscores the growing priority of digital sovereignty and supply chain security within the EU. The outcome of this proposal will have profound implications for the global telecom ecosystem, the competitive landscape for equipment vendors, and the pace of 5G and future network deployment across Europe. Member states will now need to prepare for a complex and costly logistical undertaking, balancing security mandates with the need to maintain and expand their critical digital infrastructure.
Comments
Please log in or register to join the discussion