The most recent action of Europe to strengthen cybersecurity regulations has marked a new phase in the decades-old debate on the dependence on technology, global supply chains, and sovereignty in the digital sector. The center of the conversation is the proposal to slowly eliminate the suppliers with a high-risk label in the most crucial areas, the transition that has attracted significant criticism among the telecom giant of China Huawei, which is broadly assumed to be the victim of the changes.
The European Commission defined the proposed measures when it revised the Cybersecurity Act in response to the evolving urgency in the continent. Cyberattacks, ransomware, and fears of foreign intrusion have ceased to be a policy concern that governments and businesses worry about in abstract, but have become a reality experienced by the government, businesses, and average citizens over the last few years. Cybersecurity has become less of a niche in the technical domain and more of an essential topic concerning the safety of the masses as hospitals affected by ransomware, transport systems positively disrupted by digital failures, and energy networks come under cyber threat.
Even though the Commission neither named particular companies nor nations, the trend is evident. Governments in Europe have been subjecting scrutiny to Chinese technology suppliers especially in telecommunications and digital infrastructure. An example of such steps is Germany, which has established a concrete proposal of appointing an expert commission to re-evaluate its trade and technology policy with Beijing and by prohibiting future 6G telecom network Chinese components. Such choices are an indication of a larger reevaluation of the extent of strategic risk that Europe is ready to take in its digital backbone.
The international environment is also a factor. The United States has already acted with force in this field, prohibiting any new telecom equipment authorization of Huawei and its Chinese competitor ZTE in 2022. Washington has already urged its allies to do the same over and over again using the argument of national security instead of trade protectionism. The set of proposals presented by Europe currently seems to be on the axis between these pressures, with the internal security considerations in contrast to the foreign geopolitical realities.
The new package on cybersecurity will enhance the protection throughout the information and communications technology supply chains, and also enhance the capability to build a decisive response to the cyber threat, as stipulated by the Commission. EU tech head Henna Virkkun explained the project by stating, that with the new Cybersecurity Package, we shall have both the tools available to tighten the nut in our critical (information and communications technology) supply chains but also to deal with cyber attacks with a scalpel. Her statement highlights a policy mentality according to which prevention and resilience are indivisible.
The proposals have however been dismissed by Huawei. Repeating the arguments of the foreign ministry of China, the company makes a point that basing decisions on the country of origin instead of technical arguments contradict fundamental legal principles. A spokesperson of Huawei mentioned that a proposal by legislation to restrict or exclude non-EU suppliers on the basis of country of origin, instead of on the basis of factual evidence and technical standards, contravenes the fundamental legal principles of fairness, non-discrimination, and proportionality provided by the EU, and its WTO (World Trade Organization) commitments. The spokesperson also said that the next change of the legislative process would be highly tracked and we will not give up all the rights to protect our legitimate interests.
This reaction is indicative of a larger anger in Chinese companies, which feel like they are being overlooked by the politics but not solely because of their performance or security credentials. On their part, the discussion is going to the risk of losing focus on cybersecurity and more on economic decoupling. The case of Europe, however, does not merely focus on the origin of technology, but rather on control, transparency, and long term strategic resilience.
The magnitude of the suggested actions is great. The Commission has made 18 key areas of criticality, comprising of detection equipment and automated vehicles, electricity supply, water system, and drones. Others are cloud services, medical devices, surveillance tools, space services, and semiconductors. Such industries have a direct impact on daily life that can simply go unnoticed until something goes awry, and this is the reason why policymakers are becoming more worried about how vulnerable supply chains are at the bottom.
The experience of 5G in Europe provides a good example. A security toolbox was implemented in 2020 with an intention of limiting the use of so-called high-risk vendors, such as Huawei, in fear of sabotage or espionage. It has however been unevenly implemented. A number of nations have been unable to eliminate the current equipment due to the expensive financial and technical nature of the task. Decades-old networks cannot be completely changed in a single night without being shaken and this fact has informed the more incremental schedules currently under discussion.
The mobile network operators would have 36 months under the new plan to remove key components after the introduction of an official high-risk supplier list. Fixed networks (fibre-optic networks and submarine cable) and satellite networks will be announced later. Such a gradual process implies that there is a desire to strike a balance between the security objectives and the realities of the economy and operations, recognizing that such a shift can have counterintuitive effects.
Virkkunen presented the project as a move towards increased autonomy, declaring it to be an essential move towards gaining European technological independence and avaluing the safety of everyone. Technological sovereignty is a term that has gained significant mobilization in the policy discourse, as it is believed to make it possible to decrease the reliance on foreign forces in the fields that are regarded as the key strategic ones. To some observers this is an indication of the maturing of the digital policy in Europe; to others, it is a sign of fragmentation and increased expenses.
Notably, the restrictions would not be automatic. Any action against the suppliers of countries that are considered significant cybersecurity threats would only be carried out after a formal risk evaluation, which is initiated by the Commission or at least three of the member states. Interventions would be based on market analysis and impact evaluations, which is aimed at giving legal and economic argumentation, but not political gestures.
Still, questions remain. Critics fear the way in which the term of high-risk will be put into practice, and that the definition will not be similar across lines, and across countries. Some activists state that it is impractical to wait to be absolutely sure of harm in cybersecurity, as more often than not, threats appear only when vulnerabilities have been predatory.
