Brussels — The European Commission is preparing legislation that could, in effect, force EU member states to remove equipment from Chinese telecoms suppliers Huawei and ZTE from mobile networks and other parts of critical infrastructure.
A draft proposal tied to a revision of the EU Cybersecurity Act would create an EU-level mechanism to identify “high-risk” suppliers and require operators to phase out their equipment from critical assets. Under the plan reported on 20 January 2026, mobile network operators would have 36 months to remove high-risk components once an EU list is finalised. The scope extends beyond telecoms to 18 sectors cited in reporting, including areas such as energy and healthcare technology.
The Commission has argued for several years that fragmented national approaches leave gaps in Europe’s digital defences. In June 2023 it said Huawei and ZTE “represent in fact materially higher risks than other 5G suppliers”, urging member states to apply restrictions in line with the EU’s 5G security toolbox.
From recommendations to legal compulsion
The EU’s 5G security toolbox, agreed in 2020, set out a menu of technical and strategic measures, including the possibility of restricting or excluding suppliers considered high risk. Its weakness has been enforcement: decisions remained largely national and unevenly applied. The Commission’s latest move is designed to turn that voluntary framework into binding obligations through a horizontal approach to “trusted ICT supply chains”, according to the Commission’s own summary of the revised Cybersecurity Act package.
As described in reporting, the proposed mechanism would allow either the Commission or a group of at least three member states to trigger a risk assessment of a supplier. If a supplier is designated high risk after market and impact analysis, operators would be required to remove the relevant equipment within a set period.
Huawei has criticised the approach, arguing that it discriminates on the basis of origin rather than technical evidence and raises trade-law issues. China has also objected to what it describes as protectionist measures.
The practical difficulty: legacy kit in live networks
The policy challenge is that Huawei and ZTE equipment is already embedded in parts of Europe’s networks, particularly in radio access and transport layers that are costly to swap out without disruption.
Germany illustrates the scale of the task. In July 2024, the Federal Ministry of the Interior said it had reached agreements with major operators requiring them to stop using “all critical components” from Huawei and ZTE in 5G core networks by the end of 2026, and to replace critical functions in network management systems in parts of access and transport networks by the end of 2029.
The Commission’s plan would bring a tighter and more uniform timetable at EU level for what remains, in practice, a multi-year engineering and procurement exercise.
What Europe can do to harden networks against cyber and espionage risks
First, the Commission can use the revised Cybersecurity Act framework to reduce reliance on single vendors in critical assets, not only in telecoms but across other sensitive sectors. The stated aim is a harmonised, risk-based approach that addresses “strategic risks of undue foreign interference” and dependencies in ICT supply chains.
Second, member states can accelerate asset mapping and risk audits of critical network functions. The operational reality is that security risk is often concentrated in privileged components: core network functions, network management systems, lawful-intercept interfaces, and remote maintenance pathways. A detailed inventory allows regulators to set replacement priorities that minimise outage risk.
Third, Europe can tighten certification and standards for critical network equipment and software. The Commission’s package describes changes intended to simplify and strengthen EU cybersecurity certification and to increase ENISA’s role in standards and operational cooperation.
Fourth, governments can plan for the transition costs. Replacing installed base stations, routers, and management platforms is capital-intensive, and operators typically want clarity on timelines and permitted architectures before committing to large-scale swaps. A uniform EU rulebook is intended to reduce uncertainty, but it does not remove the immediate budget pressure on operators and, ultimately, consumers.
Finally, Europe can strengthen cyber crisis readiness alongside supply-chain controls. The Commission’s package links the Cybersecurity Act revision to improved shared situational awareness and incident-handling cooperation, with an expanded role for ENISA and a proposed budget increase.
The Commission’s proposal still requires negotiation and approval by member states and the European Parliament. If adopted, it would mark a shift from guidance on 5G security towards a legal framework that can compel the removal of designated high-risk suppliers from Europe’s most sensitive digital systems.
