According to a draft proposal released by Brussels on Tuesday, a move criticized by China’s Huawei, which is planned to be among the companies affected, the EU intends to phase out components and equipment from high-risk suppliers in critical sectors.
This shift is proposed by the European Commission to the EU in revisions to the Cybersecurity Act, which are based on the increased number of cyber- and ransomware attacks and mounting fears of foreign intrusion, espionage, and European dependence on non-EU technology suppliers.
The Commission, the 27-nation bloc’s executive arm, did not specify any companies or countries. Europe has been putting more scrutiny on Chinese technology.
Germany has just appointed a special commission to review trade policy with Beijing and has prohibited the use of Chinese components in future 6G telecoms networks.
The U.S. prohibited the authorization of new telecommunication equipment in 2022 by Huawei and Chinese competitor ZTE and encouraged European allies to do the same.
EU tech chief Henna Virkkunen said in a statement, “With the new Cybersecurity Package, we will have the means in place to better protect our critical (information and communications technology) supply chains but also to combat cyber attacks decisively.” Therefore, Huawei had followed previous criticism by the foreign ministry of China.
A Huawei spokesperson stated, “A legislative proposal to limit or exclude non-EU suppliers based on country of origin, rather than factual evidence and technical standards, violates the EU’s basic legal principles of fairness, non-discrimination, and proportionality, as well as its WTO (World Trade Organization) obligations.”
She added, “We will closely monitor the subsequent development of the legislative process and reserve all rights to safeguard our legitimate interests.”
These new measures will apply to 18 sectors that have been identified by the Commission, such as detection equipment, connected and automated vehicles, electricity supply and storage systems, water supply systems, and drones and counter-drone systems.
However, the Cloud services, medical equipment, surveillance equipment, space services, and semiconductors are considered to be critical as well.
The EU proposed a 5G security “toolbox” in 2020 that limits the use of perceived high-risk vendors, including Huawei, due to the fear of sabotage or espionage. Some countries have yet to remove such equipment due to its high replacement cost.
Using the proposals of Tuesday, the mobile operators will be allowed to use 36 months following the release of the high-risk supplier list to eliminate key components. Fixed networks, such as fiber-optic and submarine cables, and satellite networks, will be announced at a later stage as having a phase-out period.
Virkkunen reported, “This is an important step in securing our European technological sovereignty and ensuring greater safety for all.”
The restrictions against suppliers located in the countries that present cybersecurity risks would only come into effect when a formal risk assessment is initiated by the Commission or at least three EU countries. Any action would be made relative to market analysis and impact assessments.
Telecoms lobby group Connect Europe warned that the proposals would place even greater burdens on the industry, with extra regulatory expenses in the billions of euros.
The revised Cybersecurity Act will have to be negotiated with EU governments and the European Parliament over the next few months before it is enacted into law.
