Critical infrastructure: Commission aims to ban Member States from selecting suppliers—they will be appointed in Brussels.

From our correspondent in Strasbourg – After six years of work on measures to address the security risks associated with the introduction of 5G, the European Commission is changing tack and proposing to make what has so far been only a recommendation mandatory for Member States, namely ensuring that components from high-risk suppliers are not used in key network infrastructure. In other words, Brussels is laying the groundwork for imposing the exclusion of suppliers, such as China’s Huawei and ZTE, from critical infrastructure. 

This is the key passage of the cybersecurity package presented today (20 January) in Strasbourg by the Executive Vice-President of the European Commission, Henna Virkkunen. Essentially, the executive proposes amending the Cybersecurity Act, passed in 2019, to reduce risks in the supply chain of Information and Communication Technologies (ICT) from suppliers in third countries with cybersecurity issues. 

“In the current geopolitical context, supply chain security is no longer just about the technical security of products or services, but also risks related to suppliers, in particular dependencies and foreign interference,” reads the statement released by the European Commission.

Already in 2023, the then Commissioner for Internal Market, Thierry Breton, identified Chinese companies Huawei and ZTE as high-risk suppliers and welcomed the decisions taken by some Member States to restrict or exclude the two Chinese technology companies from the list of 5G network suppliers. The point, Virkkunen said at a press conference, is that some Member States have turned a deaf ear to the recommendations in the “EU Cybersecurity Toolbox”. 

“It didn’t work on a voluntary basis,” Virkkunen said. Just this summer the latest example, when Pedro Sanchez’s Spain chose to entrust its fibre optic telecommunications services to Huawei. A choice that, as the executive vice-president immediately warned, “could potentially create dependence on a high-risk supplier in a critical and sensitive sector, increasing the risk of foreign interference.” 

Now Brussels wants to change tack: risk reduction in 18 critical sectors identified by Brussels would thus become mandatory, and Member States would have “three years” to comply with the European Commission’s blacklist and the restrictions indicated by Brussels. This includes not only 5G and fibre-optics, but also water and electricity supply, cloud computing services, surveillance equipment, medical devices, and semiconductors. These are all areas where it may be necessary to ban companies that pose a risk to European security. 

“When we identify countries of concern and high-risk suppliers from those countries, we can impose restrictions on participation in EU-funded programmes or participation in our public procurement,” Virkkunen explained. Sometimes “we may restrict these high-risk suppliers entirely,” she added. 

The Commission has not yet identified any countries or companies. It will do so at a later stage, when and if the EU Council and the European Parliament approve the new approach. “We will also have to consider the economic implications (of replacing suppliers, editor’s note), because resilience comes at a price, that’s for sure,” Virkkunen admitted.