EU move to phase out high-risk technology draws criticism from Huawei

BRUSSELS: The European Union has proposed phasing out components and equipment from so-called high-risk suppliers in critical sectors, a move that has drawn sharp criticism from China’s telecoms giant Huawei.

The proposal, outlined in revisions to the EU’s Cybersecurity Act released on Tuesday, aims to strengthen protection against rising cyber and ransomware attacks, as well as concerns over foreign interference, espionage and Europe’s dependence on non-EU technology suppliers.

While the European Commission did not name any specific companies or countries, the measures are expected to affect Chinese firms, including Huawei, as Europe tightens scrutiny of Chinese technology.

Germany has already banned the use of Chinese components in future 6G telecom networks and has set up an expert panel to reassess trade policy towards Beijing. The United States, which banned approvals of new telecom equipment from Huawei and ZTE in 2022, has urged European allies to take similar steps.

EU technology chief Henna Virkkunen said the new cybersecurity package would help better protect critical information and communications technology supply chains and strengthen the bloc’s ability to counter cyber threats.

Huawei rejected the proposal, echoing China’s earlier criticism. A company spokesperson said excluding suppliers based on country of origin rather than technical evidence violates EU legal principles of fairness, non-discrimination and proportionality, as well as World Trade Organization obligations. The spokesperson added that Huawei would closely monitor the legislative process and take steps to safeguard its interests.

The proposed measures would apply to 18 key sectors, including connected and automated vehicles, electricity and water supply systems, drones and counter-drone technologies. Cloud services, medical devices, surveillance equipment, space services and semiconductors are also classified as critical.

Under the proposal, mobile network operators would have 36 months to remove key components from suppliers designated as high risk. Timelines for fixed networks, fibre-optic and submarine cables, and satellite networks will be announced later.

Restrictions would only take effect after a formal cybersecurity risk assessment by the European Commission or at least three EU member states, based on market and impact studies.

Telecoms industry group Connect Europe warned the proposals could impose heavy financial burdens, with regulatory costs potentially reaching billions of euros.

The revised Cybersecurity Act will now be negotiated with EU governments and the European Parliament before it can become law.