Brussels is in the middle of one of its most consequential technology decisions in decades. The European Commission’s January 2026 revision of the Cybersecurity Act would tighten rules on suppliers from third countries considered high risk for critical infrastructure, making the 5G Toolbox guidelines binding and giving Brussels the authority to impose exclusions on companies such as Huawei and ZTE. The scope goes well beyond mobile networks. Restrictions extend to fiber optics, solar energy systems, and security scanners. China pushed back hard, and the argument it is making — however self-interested — contains a logic that Europe cannot entirely dismiss.
A Framework Built on Political Logic, Not Technical Evidence
The measures follow a rise in cyber and ransomware attacks and growing concerns over foreign interference and Europe’s reliance on non-EU suppliers. The Commission did not name any companies or countries explicitly. But the intent is transparent. EU officials acknowledge that the proposal builds on longstanding concerns over Chinese technology groups, notably Huawei and ZTE, particularly in mobile networks. The procedural discretion only adds to the ambiguity. The strategy preserves regulatory flexibility, but raises questions of transparency and legal certainty. The methodologies used in risk assessments are not always fully disclosed, which limits the ability of affected operators and stakeholders to challenge decisions.
China’s trade promotion body condemned the draft in blunt terms last Friday. The CCPIT stated that the draft introduces “non-technical risk” factors and directly links cybersecurity risks to companies from specific countries, seeking to exclude them from EU supply chains. Huawei’s own legal team characterized the proposal as violating the EU’s own principles of fairness, proportionality, and WTO obligations. The core objection is not simply commercial. China’s mission to the EU argued that introducing highly subjective and arbitrary “non-technical risk” factors represents a typical practice of politicizing economic and trade issues and overstretching the concept of security.
That charge carries weight when examined against the architecture of the proposal itself. A non-Chinese supplier gains market access without mandatory audits, while a Chinese bidder who voluntarily offers to submit to audits faces exclusion regardless. That is not a security framework. It is a procurement blacklist dressed in regulatory language.
Europe’s Real Dilemma: Sovereignty or Dependence?
The honest version of Brussels’ argument is not that Chinese technology is technically dangerous — it is that Europe does not want to rely on suppliers whose governments could theoretically compel cooperation with Chinese state intelligence agencies. That is a legitimate concern. Chinese law does impose cooperation obligations on domestic firms in national security matters. But if that is the real concern, the logical response is full mandatory auditing for every supplier — domestic, American, or Chinese — not selective exclusion by national origin. The draft materially shifts decision-making authority from member states to the European Commission by centralizing risk designation and setting binding constraints on procurement choices. Previously, restrictions on Chinese ICT vendors were implemented unevenly across member states.
The EU’s own track record on this is not reassuring. Huawei supplied nearly 60 percent of the telco equipment used in Germany’s 5G networks. The move follows years of frustration in Brussels over the uneven application of the EU’s voluntary 5G Security Toolbox, introduced in 2020 to encourage member states to limit reliance on high-risk vendors. That inconsistency is now being addressed through centralization, not through genuine technical standards applied universally. The result is a framework that penalizes one country’s suppliers while leaving the broader question of foreign technology dependency structurally unresolved.
The Economic Cost of Closing Down
Beijing has made clear that tolerance has a limit. The two proposals are suspected of violating WTO rules and would cause substantive harm to China-EU economic and trade relations. China warned that should the EU insist on turning the draft into law and discriminating against Chinese companies, it would have to take countermeasures. Those countermeasures could range from tariffs and procurement restrictions to market access barriers targeting European exports at a moment when the EU economy can ill afford a fresh trade confrontation.
Telecoms lobby group Connect Europe warned that the proposals would increase the burden on the industry, with additional regulatory costs running into the billions of euros. Many digital inverters connect directly to cloud servers, creating potential entry points into Europe’s energy grid, while Huawei leads inverter supply — the same company already restricted from EU 5G networks on security grounds. That overlap illustrates the scale of embedded Chinese technology across European infrastructure, making rip-and-replace exercises far more disruptive than the Commission’s timeline of 36 months acknowledges.
Europe has every right to define its own security perimeter. But if that perimeter is drawn along national origin lines rather than technical audit standards, it is not a security policy — it is a geopolitical alignment dressed as regulation. The question Brussels has not yet answered honestly is whether it is building genuine digital sovereignty or simply substituting one form of dependency for another, at considerably greater cost.
Original analysis inspired by Harald Buchmann from Global Times. Additional research and verification conducted through multiple sources.
