EU Confirms Plans to Phase Out Chinese Infrastructure

Following the news that it plans to phase out Huawei and ZTE equipment, the European Commission outlined a proposal. The EC wants to kick out the equipment made by so-called high-risk suppliers in critical infrastructure, including mobile networks.

The EC proposed a fresh package, which includes revisions to its Cybersecurity Act, prompted by increased risks in the European Union’s ICT supply chain from third-party suppliers. It stated recent security incidents highlighted vulnerabilities, pointing to the current geopolitical landscape, which made supply chain security no longer just about technical product or service security, but also about risks related to a supplier, particular dependencies, and foreign interference.

Without naming any countries or companies, the EC added that the revised Cybersecurity Act would enable the mandatory de-risking of European mobile telecommunications networks from high-risk third-country suppliers. The EC stated the directive builds on its 5G security toolbox, measures unveiled in 2020, calling for a coordinated approach to building out the network technology. Those measures also recommend restrictions be placed on high-risk vendors, but there was not a mandate to do so, and several countries continue to use kits from Huawei and ZTE.

In response to the proposal, a Huawei representative said that the legislative process to limit or exclude non-EU suppliers based on country of origin, rather than factual evidence and technical standards, violates the EU’s basic legal principles as well as its World Trade Organisation obligations. “As a legally operating company in Europe, Huawei will continue to provide secure and trusted products and services. We will closely monitor the subsequent development of the legislative process and reserve all rights to safeguard our legitimate interests.”

On behalf of European mobile operators, industry association the GSMA said it shares the EC’s objective of reinforcing cybersecurity, but added measures must be strictly risk-based and operationally workable. “The proposed Cybersecurity Act revisions make this challenging and may ultimately undermine European operators’ ability to upgrade networks at pace and meet the continent’s connectivity ambitions.”

The EC’s proposal will be immediately applicable if it is approved by the European Parliament and the EU Council. Member states will then have one year to implement the directive into national law.