The European Commission (EC) wants a revised Cybersecurity Act to address any threats posed by IT and telecoms kit from third-country sources, potentially forcing member states to confront the thorny issue of suppliers such as Huawei in their national networks.
Europe faces increasingly sophisticated hybrid attacks on every area of its infrastructure, the EC claims. The revised Cybersecurity Act looks to address this with union-level risk assessments, combined with targeted mitigation measures that will include bans on IT components from “high-risk suppliers.”
The suggested timeframe for this could leave member states with as little as three years to remove non-compliant kit.
This is seen as the Commission finally cracking down on member states that have for years declined to take any kind of action against suppliers deemed to be a potential security risk, and imposing Europe-wide rules regarding which companies and products should not be trusted.
In mid-2023, former European Commissioner Thierry Breton said telecoms equipment from firms including Huawei and ZTE should be banned throughout the EU amid fears the tech could contain backdoors, allowing Beijing to remotely access it for espionage purposes or to disrupt networks. Plans were announced to remove the gear from the Commission’s internal networks.
In the same year it emerged that Huawei had supplied nearly 60 percent of the telco equipment used in Germany’s 5G networks. The megacorp hit back after EU officials labelled it as a “high-risk supplier.”
Huawei has always strongly denied its products represent a security threat, although critics counter that Chinese law requires its citizens and organizations to serve as covert operatives on behalf of the state if ordered to do so.
The EC wants several key things baked into the revised Cybersecurity Act: a framework to address the supply chain security challenges in critical infrastructure, and to simplify the Europe-wide cybersecurity certification framework.
It also wants to strengthen the European Union Agency for Cybersecurity (ENISA), and reduce “unnecessary administrative burdens” relating to implementation of the NIS2 cybersecurity directive (only two member states met the deadline to transpose it into national law).
As for 5G networks, the EC says the legislation “provides for a phase-out of high-risk suppliers from mobile networks,” and will mean that conformity assessment bodies will not be allowed to certify products or services from these suppliers.
This isn’t just about telecoms: the new Cybersecurity Act, along with the upcoming Cloud and AI Development Act (CADA), will address sovereignty aspects and non-technical risks, according to the EC.
The proposed legislation makes no mention of specific companies such as Huawei, but the China-based tech biz has supplied infrastructure to telecoms networks in pretty much every EU country because it was an early investor in 5G technology and standards.
A spokesperson for Huawei told The Register: “A legislative proposal to limit or exclude non-EU suppliers based on country of origin, rather than factual evidence and technical standards, violates the EU’s basic legal principles of fairness, non-discrimination, and proportionality, as well as its WTO obligations.
“We will closely monitor the subsequent development of the legislative process and reserve all rights to safeguard our legitimate interests.”
Huawei said it will continue to provide products and services as a legally operating company in Europe.
The proposed Cybersecurity Act says that a timeframe for phasing out components provided by high-risk suppliers from communications networks “shall not exceed 36 months from the publication of the list of high-risk suppliers.”
This seems ambitious, and compliance is not certain. The UK, for example, mandated in 2020 the removal of Huawei technology from the country’s 5G networks by the end of 2027. BT, the former state-owned telecoms giant, admitted in 2024 it had missed the 2023 deadline for removing Huawei kit from its network core.
Britain’s decision to rip and replace Huawei kit was also cited as a factor in why UK mobile networks are ranked among the worst in Europe for quality of service, as this diverted cash from being spent on expanding and improving the country’s 5G networks.
Gary Barlet, Public Sector CTO at cybersecurity biz Illumio, warned the EC’s latest move could also lead to fragmentation in the global telecoms ecosystem.
“While efforts to achieve tech sovereignty and protect critical environments are understandable, an overly isolationist approach could create challenges,” Barlet told The Register. “Fragmentation often limits collaboration and slows innovation, making it harder to build robust, future-ready networks.”