The European Union is preparing to tighten restrictions on the use of equipment and components from so-called high-risk suppliers across critical sectors, a move that is widely expected to affect Huawei and ZTE and other Chinese technology companies.
According to a draft proposal released by the European Commission, the measures are part of planned revisions to the EU Cybersecurity Act. The initiative comes amid a rise in cyber and ransomware attacks, alongside growing concerns over foreign interference, espionage risks and Europe’s dependence on technology suppliers from outside the bloc.
While the Commission did not name specific companies or countries, Europe has steadily hardened its position on Chinese technology.
Germany has recently appointed an expert commission to reassess its trade policy towards China and has already banned the use of Chinese components in future 6G networks. The United States took a tougher stance earlier, banning approvals for new telecommunications equipment from Huawei and ZTE in 2022 and urging European allies to follow suit, Reuters news report said.
EU tech chief Henna Virkkunen said the proposed Cybersecurity Package would strengthen the bloc’s ability to protect critical information and communications technology supply chains and respond more effectively to cyber threats. The Commission framed the measures as a step towards greater safety and stronger European technological sovereignty.
Europe is facing daily cyber and hybrid attacks targeting essential services and democratic institutions, prompting the European Commission to propose a new cybersecurity package.
The package includes a revised Cybersecurity Act aimed at strengthening the security of the EU’s ICT supply chains and ensuring products are cyber-secure by design.
A trusted ICT supply chain security framework will be introduced, enabling the EU and Member States to jointly identify and mitigate risks across 18 critical sectors, including risks linked to high-risk third-country suppliers.
The revised Act allows mandatory derisking of European mobile telecom networks from high-risk suppliers, building on the existing 5G security toolbox.
The European Cybersecurity Certification Framework will be simplified and enhanced, with faster development of certification schemes, clearer procedures, and more transparent governance.
Cybersecurity certification will remain voluntary but become a practical tool for businesses to demonstrate compliance with EU rules, reduce costs, and improve market trust.
The package introduces measures to ease compliance with EU cybersecurity rules, including targeted amendments to the NIS2 Directive that reduce regulatory burden for tens of thousands of companies, including micro, small, and mid-cap firms.
New rules will improve legal clarity, streamline ransomware data collection, simplify jurisdictional requirements, and strengthen oversight of cross-border entities.
ENISA’s role will be significantly reinforced, enabling it to issue early cyber threat alerts, support ransomware response and recovery, improve vulnerability management, and operate a single-entry point for incident reporting across the EU.
China’s foreign ministry has criticised the plans, calling restrictions on Chinese firms without a clear legal basis “naked protectionism” and urging the EU to ensure a fair, transparent and non-discriminatory business environment.
The proposed rules would apply to 18 critical sectors identified by the Commission. These include detection equipment, connected and automated vehicles, electricity supply and storage systems, water supply infrastructure, drones and counter-drone systems. Other sectors covered are cloud computing services, medical devices, surveillance equipment, space services and semiconductors.
The Commission has already taken action in this area, having introduced a 5G security toolbox in 2020 aimed at limiting the use of high-risk vendors over concerns of potential sabotage or espionage. However, several EU countries have been slow to remove such equipment due to the high financial costs involved.
Under the new proposals, mobile telecom operators would have 36 months from the publication of an official list of high-risk suppliers to phase out key components from those vendors. Timelines for fixed networks, including fibre optic and submarine cables, as well as satellite networks, will be defined at a later stage.
Any restrictions on suppliers from countries deemed to pose cybersecurity risks would only be introduced following a formal risk assessment initiated by the Commission or by at least three EU member states. The draft also says decisions would be based on market analysis and impact assessments to evaluate economic and operational consequences.
The revised Cybersecurity Act must still be negotiated and approved by EU member states and the European Parliament in the coming months before it can become law, setting the stage for potentially far-reaching changes to Europe’s technology and cybersecurity landscape.
BABURAJAN KIZHAKEDATH
