Europe moves to effectively ban Chinese vendors from members' 5G networks

EU messaging around ‘high-risk’ vendors is looking increasingly like an outright ban on Huawei and ZTE, with pressure mounting on countries that have yet to remove them from their 5G networks.

The ‘EU toolbox on 5G cybersecurity’ is a set of guidelines adopted in 2020, which encouraged EU member states to assess the security of ‘high risk’ (Chinese) vendors in their networks. While it started out sounding more like recommendations, the rhetoric in an ‘update’ published today has now ratcheted up to a point where it feels more like an effective ban has been imposed.

9 days ago the EU Commissioner in charge of the internal market Thierry Breton publicly called for EU countries to accelerate their replacement of high risk vendors from their 5G networks. Today’s published ‘progress report’ appears to cement that sentiment into more overt instruction, pointing the finger at the remaining EU states who haven’t already ripped out Huawei and ZTE kit from networks.

Noting that out of 24 member states 10 have imposed restrictions and 3 are working on it, the announcement says: “Given the importance of the connectivity infrastructure for the digital economy and dependence of many critical services on 5G networks, Member States should achieve the implementation of the Toolbox without delay.

“The Commission underlines in its Communication its strong concerns about the risks posed by certain suppliers of mobile network communication equipment to the security of the Union. The Commission considers that decisions adopted by Member States to restrict or exclude Huawei and ZTE from 5G networks are justified and compliant with the 5G Toolbox. Consistently with such decisions, and on the basis of a broad range of available information, the Commission considers that Huawei and ZTE represent in fact materially higher risks than other 5G suppliers.

“Without prejudice to the Member States’ competences as regards national security, the Commission has also applied the Toolbox criteria to assess the needs and vulnerabilities of its own corporate communications systems and those of the other European institutions, bodies and agencies, as well as the implementation of Union funding programmes in the light of the Union’s overall policy objectives. Drawing on its own assessment, which is consistent with that of certain Member States, the Commission urges Member States that have not yet implemented the Toolbox, to adopt urgently relevant measures as recommended in the EU Toolbox, to effectively and quickly address the risks posed by the identified suppliers.”

There remains a lot of language fudging in the announcement to skirt around the matter – but the above paragraph seems to be implying that future funding decisions may be effected by whether or not member states have got around to removing Huawei and ZTE kit yet. Breton has come out himself once more to add a little more pointed commentary.

“Three years on, almost all Member States have transposed the toolkit’s recommendations into their national law,” he said. “In other words, they can now decide to restrict or exclude suppliers on the basis of security risk analysis. But to date, only 10 of them have used these prerogatives to restrict or exclude high-risk vendors. This is too slow, and it poses a major security risk and exposes the Union’s collective security, since it creates a major dependency for the EU and serious vulnerabilities.

“We will continue to work with determination with the Member States that are lagging behind and the telecommunications operators. I can only emphasise the importance of speeding up decisions to replace high-risk suppliers from their 5G networks. I have also reminded the telecoms operators concerned that it is time to get to grips with this issue.”

Breton finished up by saying “I therefore call on all EU Member States and telecom operators to take the necessary measures without further delay”, and we were also told that the Commission will ‘implement the 5G toolbox principles to its own procurement of telecoms services.’

The US has for years now been pressuring all of its allies to follow its lead to shun Huawei and ZTE kit from networks as it prosecutes what amounts to a technology trade war with China. However the EU isn’t a country and the Commission doesn’t have the same sort of direct legislative power the US government has on individual US states, so when Europe wants to impose something big like this it has to go about things somewhat differently.

Today’s updates have not explicitly said that there is now a ban on Huawei and ZTE in place, but that would perhaps be a little too on the nose. The reports, recommendations, and rhetoric have, however, coalesced into something that is effectively just that. Furthermore it has been implied decisions on contracts and funding may be increasingly informed by adherence to the ‘EU toolbox’ going forward.

While Breton sounds impatient with progress made, we’ll have to see if this goes any further and any specific punitive measures are threatened for the remaining EU states that continue to not do as they are told, and perhaps telecoms firms themselves. Which would be awkward since Germany, the biggest cog in the EU machine, is one of these states that still has a lot of Chinese kit in its networks.

UPDATE – 10:20, 19/6/23: Huawei emailed us the following statement in response to this story.

Huawei strongly opposes and disagrees with the comments made by representatives from the European Commission. This is clearly not based on a verified, transparent, objective and technical assessment of 5G networks.

Huawei understands the European Commission’s concern to protect cybersecurity within the EU. However, restrictions or exclusions based on discriminatory judgments will pose serious economic and social risks. It would hamper innovation and distort the EU market. An Oxford Economics report states that excluding Huawei could increase 5G investment costs by up to tens of billions of euros, and it will have to be paid by European consumers.

Publicly singling out an individual entity as ‘HRV’(High Risk Vendor) without legal basis is against principles of free trade. It is of paramount importance to emphasize that the discriminatory ‘HRV’ assessment shall not be applied to any vendor without justified procedure and adequate hearing. As an economic operator in the EU, Huawei holds procedural and substantial rights and should be protected under the EU and Member States’ laws as well as their international commitments.

Cybersecurity is Huawei’s top priority. Huawei has opened a Cyber Security Transparency Centre in Brussels. This center is open to customers and independent third-party testing organizations. They are invited to perform fair, objective, and independent security tests and verifications according to industry-recognized cyber security standards and best practices. We remain committed to delivering globally certified and trusted products and services, connecting millions of Europeans.

Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.