Huawei and ZTE under the magnifying glass – the EU’s new rule can change everything

Europe is targeted daily by cyber and hybrid attacks, carried out by both state and organized criminal groups.

The Commission wants to protect European critical infrastructure from these attacks, which is why it announced an updated cybersecurity regulation on Tuesday, according to which EU countries should no longer use the technology of companies from a country defined as high risk in networks and systems classified as critical.

“This is a very big change, that we are now proposing at the European level that critical infrastructure and the companies operating there are subject to this kind of scrutiny,” says the European Commission’s Executive Vice-President and Commissioner for Technological Sovereignty, Security and Democracy Henna Virkkunenwhose responsibility was the preparation of the package.

Critical, i.e. infrastructure to be protected, includes transport, energy, healthcare, water supply and ICT service providers, among others.

“From these sectors, we are now looking at critical infrastructure and making risk assessments of whether there are these critical operators,” says Virkkunen.

According to the vice-president of the Commission, it cannot be the case that when the member states invest hundreds of billions of euros in defense and security, at the same time high-risk actors operate in the critical infrastructure of the EU countries.

Risk countries are evaluated

According to Virkkunen, high-risk countries have not yet been evaluated and companies have not been listed. That is to be done later.

“The purpose is to define the risk countries that pose a cybersecurity risk to us, and based on that, a list of companies that are high-risk companies would also be made,” says Virkkunen.

According to Virkkunen, becoming a high-risk country could mean that the companies in that country would be closed either completely or in certain parts of the EU countries’ critical infrastructure.

According to Virkkunen, risk assessments of countries and companies are supposed to be done “in good cooperation with the member countries”. After this, they would enter into force directly with the Commission’s executive order.

The attackers are responsible

According to Virkkunen, high-risk countries are evaluated on the basis of how they have carried out cyber attacks against EU countries.

According to European research institutes, Russia and China are the most significant cyber attackers operating against the EU, which means that in practice the Commission’s reform means that EU countries should no longer use the data of Chinese companies, such as Huawei’s and ZTE‘s technology in networks and systems classified as critical.

Virkkunen says that the previous commission already stated that Huawei and ZTE pose a higher risk and that is why they have been excluded from, for example, the commission’s own network.

In a 2023 report, the commission stated that the Chinese companies Huawei and ZTE represent “significantly greater risks than other 5g providers”.

The fear is that Chinese companies may use their devices for espionage for the Chinese government, as the country’s legislation obliges companies to cooperate with state security authorities.

Member countries are slow

The EU has already urged member states not to use high-risk suppliers in critical infrastructure procurements, but the member states have not acted as expected.

For example, Spain signed a 12 million euro procurement contract with Huawei last summer. The procurement concerned the equipment of wiretapping devices for law enforcement and intelligence services.

Operators in Finland DNA is known to make the most use of Huawei products. The Chinese company’s geographical share of DNA’s radio network area is less than 40 percent. Also Elisa use Huawei products in their networks.

In 2020, a toolkit for 5g networks was already made in the EU, in which high-risk network providers had to be shut down or restricted from 5g networks.

According to Virkkunen, the calls have not sufficiently affected the activities of all member countries, and therefore the 5g toolkit is now being made binding. It means that member countries are given three years to ensure that there are no longer high-risk operators at critical points of the 5g network.

Nokia and Ericsson have been lobbying for a long time for the 5g security toolkit to be accepted in full, and now, according to the Commission’s proposal, this will be done.

The decision can create new business opportunities for trusted European online companies.

It will be expensive

The new cyber security regulation does not mean that, for example, Huawei could no longer be used in EU countries, but, according to Virkkunen, it means that EU countries must protect all critical infrastructure points from operators and companies in high-risk countries.

“We have to do this carefully, because we have to remember that around eighty percent of Europe’s technologies currently come from outside the Union,” says Virkkunen.

Removing high-risk technology from critical infrastructure also takes time and becomes expensive, but according to Virkkunen, it is even more expensive if security is not taken care of.

The European Commissioner responsible for digital security says that the timetable for removing risky technology is still open and may vary from industry to industry. According to Virkkunen, the schedule for the application of the cybersecurity regulation could be stricter, for example, in the case of very critical infrastructure.

In this time of the world, we have to finally ask, can the United States led by Donald Trump pose a high risk to the EU countries?

“Basically, in the preparation, it has not been that our partner countries pose a high risk for us,” Virkkunen replies.

The new cyber security regulation will enter into force after the European Parliament and the Council of the EU have approved it.