The European Commission introduced proposed changes to the Cybersecurity Act on Tuesday, aiming to address vulnerabilities in the EU’s information and communication technology supply chains. These revisions target the risks associated with so-called high-risk vendors and carry implications for ICT providers across telecommunications, data centers, cloud computing, and social media platforms.
According to the Commission, the updated measures are part of a broader strategy to counter the increasing threat from cyberattacks, ransomware incidents, and foreign interference. Although specific companies are not identified in the official proposal, EU representatives note that concerns have centered on Chinese vendors such as Huawei and ZTE, particularly regarding mobile network infrastructure.
The framework outlined by the Commission would require mobile network operators to remove essential components supplied by entities designated as high-risk within 36 months of the official publication of the supplier list. Timeframes for withdrawing such equipment from fixed networks—including fiber-optic, submarine cable, and satellite networks—will be determined at a later stage.
These legislative proposals are intended to replace the current voluntary arrangements set out in the EU’s 5G Security Toolbox, which has led to disparate implementation among member states since 2020.
A representative for Huawei criticized the plan, arguing that restricting or banning providers based on country of origin rather than technical criteria would run counter to EU legal standards of fairness and non-discrimination, as well as commitments under World Trade Organization rules.
The next phase will see the proposal enter negotiations between EU lawmakers and national governments. Some member states are expected to push back on these rules, citing concerns over expanded EU authority in matters of national security.
