Europe is tightening the screws on who gets to build the digital backbone of its economy, and this time Brussels is doing it with a much broader net.
A draft proposal released Tuesday shows the European Union plans to phase out components and equipment from so-called “high-risk suppliers” across critical sectors — a move that immediately drew sharp criticism from China’s Huawei, one of the companies most likely to feel the impact.
The proposal lands at a moment when cyber threats are no longer abstract policy concerns but daily headlines. Ransomware attacks are rising, foreign interference fears are deepening, and European policymakers are increasingly uneasy about how dependent the bloc has become on non-EU technology.
What Brussels is proposing — and why now
The measures are part of revisions to the EU’s Cybersecurity Act, unveiled by the European Commission, the executive arm of the 27-nation bloc. While the Commission carefully avoided naming specific countries or companies, the intent was clear enough.
“With the new Cybersecurity Package, we will have the means in place to better protect our critical ICT supply chains but also to combat cyber attacks decisively,” said EU tech chief Henna Virkkunen.
At the core of the proposal is a phased removal of components from suppliers deemed high risk, once they are formally identified. The Commission argues that Europe’s exposure to cyber and ransomware attacks — combined with concerns over espionage and geopolitical leverage — makes stricter oversight unavoidable.
Details of the existing Cybersecurity Act and its scope are available on the Commission’s official site at https://digital-strategy.ec.europa.eu, which has increasingly emphasized “technological sovereignty” as a policy goal.
Huawei in the crosshairs — again
Although unnamed in the draft, Huawei is widely expected to be among the companies affected. Europe has been steadily tightening scrutiny of Chinese technology firms for years, especially in telecoms.
Germany recently went a step further, appointing an expert commission to reassess its trade policy toward Beijing and banning Chinese components from future 6G telecoms networks. That move echoed pressure from Washington, where the U.S. banned approvals of new telecom equipment from Huawei and ZTE in 2022 and has repeatedly urged European allies to follow suit.
China’s response was swift. “Chinese companies have long operated in Europe in compliance with laws and regulations and have never endangered Europe’s national security,” said Guo Jiakun, a spokesperson for China’s foreign ministry, warning the EU against “going further down the wrong path of protectionism.”
Huawei itself struck a similar tone, but with legal teeth.
“A legislative proposal to limit or exclude non-EU suppliers based on country of origin, rather than factual evidence and technical standards, violates the EU’s basic legal principles of fairness, non-discrimination, and proportionality, as well as its WTO obligations,” a Huawei spokesperson said, adding that the company would “reserve all rights” to protect its interests.
The World Trade Organization’s rules on non-discrimination, referenced by Huawei, are outlined at https://www.wto.org, a framework Beijing has increasingly leaned on in disputes with Western governments.
Which sectors are affected
The scope of the proposal goes far beyond mobile networks. The Commission identified 18 sectors as critical, reflecting how deeply digital systems are now embedded in everyday infrastructure.
Here’s a snapshot of what’s on the list:
| Category | Examples of Affected Areas |
|---|---|
| Transport | Connected and automated vehicles |
| Energy | Electricity supply and storage systems |
| Utilities | Water supply systems |
| Security | Drones and counter-drone systems |
| Digital | Cloud services, semiconductors |
| Health | Medical devices |
| Surveillance | Monitoring and detection equipment |
| Space | Satellite and space services |
Telecoms are just one piece of a much larger puzzle. By extending restrictions to areas like medical devices and cloud services, Brussels is signaling that cybersecurity is now inseparable from economic and physical security.
Timelines and what operators must do
Under the draft rules, mobile network operators would have 36 months from the publication of an official high-risk supplier list to phase out key components. That’s a significant grace period, reflecting the reality that ripping out existing equipment is expensive and technically complex.
Phase-out timelines for fixed networks — including fibre-optic cables, submarine cables, and satellite networks — will be announced later. That uncertainty alone is making parts of the industry nervous.
Europe already has experience with this problem. The EU adopted a 5G security “toolbox” in 2020 to curb reliance on perceived high-risk vendors such as Huawei. Several countries have struggled to fully implement it, largely because replacing existing gear can cost billions.
Industry backlash: “billions in extra costs”
Telecoms lobby group Connect Europe didn’t mince words, warning that the updated rules would pile new regulatory and financial burdens onto operators already grappling with thin margins.
According to the group, additional compliance and replacement costs could run into the billions of euros — expenses that may ultimately be passed on to consumers or slow network upgrades.
That concern isn’t theoretical. Public filings and policy documents from national regulators, accessible via https://www.berec.europa.eu, show that infrastructure investment is already under strain across several EU markets.
Safeguards and political brakes
The Commission has tried to build in procedural guardrails. Restrictions on suppliers from countries deemed cybersecurity risks would only kick in after a formal risk assessment, initiated either by the Commission itself or by at least three EU member states.
Any final measures would be based on market analysis and impact assessments, a nod to criticism that earlier security policies were too blunt. In other words, Brussels wants this to look evidence-based, not ideological.
Still, politics will play a role. The updated Cybersecurity Act must be negotiated with EU governments and the European Parliament before becoming law — a process that could stretch for months and invite heavy lobbying from both industry and foreign governments. Legislative procedures for EU tech laws are detailed at https://www.europarl.europa.eu.
At its heart, this proposal reflects a choice Europe is increasingly willing to make: prioritizing security and sovereignty over cost and speed. That trade-off won’t be painless, and Brussels knows it.
“This is an important step in securing our European technological sovereignty and ensuring greater safety for all,” Virkkunen said.
For Huawei and other non-EU suppliers, the message is uncomfortable but unmistakable. Market access in Europe will increasingly depend not just on price or performance, but on geopolitics and trust.
FAQs
Q. What is the EU proposing under the revised Cybersecurity Act?
The EU plans to phase out components and equipment from high-risk suppliers in critical sectors after formal risk assessments.
Q. Is Huawei explicitly named in the proposal?
No, but Huawei is widely expected to be affected based on existing EU and national security policies.
Q. Which sectors are considered critical?
They include telecoms, cloud services, energy systems, medical devices, transport, surveillance, space services, and semiconductors.
Q. How long do companies have to comply?
Mobile operators would have 36 months from the publication of a high-risk supplier list to phase out key components.
Q. Does the proposal take effect immediately?
No. It must still be negotiated with EU governments and the European Parliament before becoming law.
