The EU Commission intends to ban Chinese manufacturers such as Huawei and ZTE from European mobile networks to enhance cybersecurity.
The EU Commission seeks the authority to prohibit controversial network technology providers in Germany and other EU member states. This proposal primarily targets Chinese technology firms like Huawei and ZTE, driven by concerns over sabotage and espionage by third-party nations.
A proposed legal framework would grant the EU Commission the ultimate power to forbid the use of technology from particularly high-risk foreign companies. While the draft does not explicitly name specific companies or countries, its focus is clear.
This move could make the European Commission’s long-standing recommendations to EU countries to avoid Huawei and ZTE technology in their mobile networks for security reasons mandatory. The authority believes too few countries have excluded these two manufacturers from operating 5G mobile networks.
In 2023, the EU Commission stated that ZTE and Huawei posed significantly higher risks compared to other 5G providers. Despite this, Spain entered into a multi-million euro contract with Huawei last year, drawing criticism from EU Commission Vice-President Henna Virkkunen.
Huawei and ZTE’s Extensive Use in German Mobile Networks
For approximately 15 years, since the introduction of the 4th generation mobile technology, Huawei and ZTE have been integral to German mobile networks, including Telekom, Vodafone, and especially O2 Telefónica. These Chinese suppliers offered advanced technology at prices that European competitors like Ericsson or Nokia struggled to match.
However, in recent years, the use of this foreign technology has faced increasing scrutiny due to suspected security risks and potential influence from China.
Concerns about espionage and sabotage intensified during the trade conflict between the USA and China, with fears that communications could be intercepted or networks remotely shut down. After years of deliberation, Germany’s Federal Ministry of the Interior reached an agreement with network operators in summer 2024. This agreement stipulates that Huawei and ZTE components must be removed from 5G core networks by the end of 2026, while their technology can still be used on radio masts until the end of 2029.
Potential Bans in Other Critical Infrastructure Sectors
Specifically, the mechanism proposed by the EU Commission would enable Brussels’ network regulators, in collaboration with member states, to initiate a risk assessment for specific manufacturers. If a provider is deemed too high-risk, the Commission could ultimately place it on a prohibition list.
Technology from manufacturers on this list would then be disallowed in the critical infrastructure of EU countries, and existing components would need to be replaced within three years according to the proposal.
Components Widely Used Beyond Mobile Networks
Expert concerns regarding the use of Chinese technology extend beyond mobile communications. For years, devices from Huawei or ZTE have also been installed in other critical infrastructure sectors, such as railways, the energy sector, and urban networks.
For instance, Huawei is a global market leader in inverters for solar power systems. These smart devices are connected to the grid. Some experts fear a specific threat scenario here: if a hostile actor could simultaneously shut down or manipulate thousands of these inverters, the stability of the power grid would be jeopardized.
Under the proposed legislation, the EU Commission could also take action in these areas, examining and excluding manufacturers deemed to pose security risks.
Before the EU Commission’s proposals are implemented and the Brussels authority gains these significantly broader powers, the European Parliament and EU member states must review the ideas. They also have the opportunity to suggest amendments.
EU Cybersecurity Agency to Aid in Defense
The EU Commission also plans to empower the EU Cybersecurity Agency (ENISA) with increased authority and responsibilities. Based in Greece, ENISA would, for instance, collaborate with national authorities to defend against ransomware attacks. Ransomware is malicious software that encrypts data and systems, releasing them only upon payment of a ransom.
The significant impact of such cyberattacks on people in Europe was recently demonstrated by numerous disruptions and delays at several European airports last September. Following a ransomware attack on an IT service provider, airports in Berlin, Brussels, Dublin, and London Heathrow experienced days of problems with passenger and baggage handling.
In cooperation with member states, ENISA is also tasked with identifying cybersecurity vulnerabilities and establishing additional EU-wide standards. To support its expanded responsibilities, the agency is slated to receive approximately 100 new staff members and a significant increase in funding, according to the EU Commission’s plans. These proposals from the Commission also require review by the European Parliament and EU member states.
