EU’s Evolving Governance of High-Risk Telecom Technology

By Ipek Kara | 12 February 2026


Summary

  • The EU is strengthening its approach to securing its critical telecom infrastructure against high-risk suppliers such as the Chinese companies Huawei and ZTE.

  • The January 2026 revision of the Cybersecurity Act makes the past guidelines binding on all EU member states, expands coverage to other critical ICT infrastructure, and allows EU-level risk assessments and supplier exclusions.

  • This marks the EU’s shift toward a stricter, risk-based, security-driven technology governance model that balances strategic autonomy, market competition, and internal market rules, while its protectionist measures raise questions of transparency and rule of law for foreign companies operating in the EU.


Context

Concerns about the security of critical digital infrastructure within the European Union (EU) have led to increased policymaking regarding “high-risk” technology suppliers. These concerns are tied to increasing fears of espionage and strategic dependencies on non-EU actors, particularly in relation to Chinese technology companies operating in sensitive sectors. As a result, the EU’s strategy has been particularly focused on 5G telecommunication networks and infrastructure. 

On January 20, the European Commission proposed revisions to the Cybersecurity Act. Under the revised framework, the Commission will be able to organise new EU-level risk assessments and support restrictions and bans on certain imported infrastructure equipment.

5G Cybersecurity Toolbox

First published in 2020, the Toolbox for 5G Security is a set of practices and risk-assessment guidelines for EU member states. Although not legally binding, it includes measures such as diversifying suppliers and security requirements for 5G network operators. European Commission Vice President Virkkunen identified suppliers like Huawei and ZTE as presenting “materially higher risks compared with other suppliers” and supports member states’ decisions to restrict or exclude these vendors as compliant with EU guidance.

Cybersecurity Act Revision

The European Commission’s proposed revision of the Cybersecurity Act makes the current advisories more enforceable by turning the guidelines of the 5G toolbox into binding obligations for the member states and extending risk provisions into areas such as fibre-optic networks and related technologies. Under the revision, the EU could require the exclusion of suppliers assessed as posing elevated cybersecurity risks and introduce a gradual phase-out of insecure critical infrastructure equipment. Member states will be given three years to comply with the European Commission’s blacklisting of suppliers.


Implications

Despite the toolbox’s adoption in 2020, implementation has varied across member states over the years. Commission statements and responses to the European Parliament indicate that only a limited number of countries have taken action to restrict high-risk vendors from their national telecom infrastructure in the past 5 years. For instance, Sweden adopted binding measures effectively excluding certain high-risk suppliers from its 5G networks, while France introduced a security authorisation regime that gives authorities the ability to deny or time-limit the use of high-risk equipment in core network components. In contrast, many other member states have relied primarily on non-binding guidance. The revision to the Cybersecurity Act is likely to help improve the current uneven implementation policies and accelerate the harmonisation process among EU member states.

This shift signals a broad evolution in the EU’s approach to technology governance by enabling EU-level risk assessments, binding supplier restrictions, and institutionalising a security-driven market intervention. This strategy allows the EU to preserve regulatory flexibility, but it raises questions of transparency, legal certainty for operators, and democratic accountability. In particular, the methodologies used in risk assessment processes are not always fully disclosed, which limits the ability of affected operators and stakeholders to challenge decisions. The implications of the revised act also extend beyond the scope of the EU’s internal regulatory regime: potential upcoming supplier restrictions could generate tension with third countries such as the US and China under international trade and investment frameworks.

Similar risk-based frameworks are increasingly discussed for other strategic technologies, including cloud services and data infrastructure. The telecom sector is likely to serve as a precedent for how the EU balances openness, security, and strategic autonomy in the future of technology governance in the current rapidly changing environment.


Forecast

  • Short-term (Now - 3 months)

    • EU member states are highly likely to begin interpreting the Cybersecurity Act revisions and planning implementation roadmaps.

    • Early restrictions on high-risk suppliers are likely to be applied by leading countries such as Germany and the Netherlands, but coordination challenges are likely to emerge as interpretations of binding obligations differ.

    • Telecom operators are highly likely to start adjusting procurement and compliance plans, raising questions about legal clarity and transparency of the process.

  • Medium-term (3-12 months)

    • Implementation of risk-based frameworks is likely to start, followed by exclusions or phased removals of high-risk equipment, which are likely to accelerate across member states.

    • Expansion of risk assessments is likely to begin to cover additional critical infrastructure beyond 5G, such as fiber-optic networks and data services.

    • Political and market debates are likely to intensify around strategic autonomy, regulatory alignment, and potential impacts on EU telecom market competition.

  • Long-term (>1 year)

    • The EU is likely to consolidate another strategic autonomy framework for ICT supply chains by using the telecom sector experience as a baseline.

    • Success of the act will depend on fast and harmonized implementation across member states. There is a remote chance that uneven timelines for adoption could weaken security objectives.

BISI Probability Scale