EU’s plans to reduce dependency on high-risk vendors
As the EU prepares to revise its Cybersecurity Act, the EU is quietly choking off funding for “high-risk” Chinese 5G vendors, pushing mobile operators and Member States toward European suppliers like Nokia and Ericsson.
The European Commission’s efforts to reduce EU’s dependency on so-called high-risk vendors for information and communications technology (in the case of 5G networks, mainly Chinese telecom companies like Huawei and ZTE) have seen ups and downs, as well as fragmented willingness by both Member States and mobile operators to follow its guidance ever since the introduction of the EU Toolbox on 5G cybersecurity in 2020.
LightReading.com reports that slightly more than a third of European networks (32%) still rely on Chinese ICT infrastructure: quite a change from the 4G era, when the figure was at least 50%. ECIPE reports that Chinese vendors’ market share has dropped from 40% to 25% in 2024.
Our attention is now on the upcoming revision of the Cybersecurity Act, which is set to be published in January 2026.
Fresh debate on the Cybersecurity Act in the European Parliament
Last week, Member of the European Parliament Aura Salla asked European Commission Executive Vice-President Henna Virkkunen about the plans for the upcoming revision of the Cybersecurity Act. She also asked whether the Commission intends to introduce binding measures for Member States based on the 5G cybersecurity toolbox and ICT supply chain toolboxes, to create an EU-wide list of high-risk vendors, and to extend the logic of these toolboxes beyond telecoms actors.
In characteristically direct Finnish fashion, Aura Salla added:
“Europe has been extremely naive when it comes to China and Chinese companies for years, and the risk they pose to our critical infrastructure, including data. Recently, we have seen China restrict access to its market even more to our companies, like Nokia and Ericsson. So we are completely lacking in reciprocity. At the same time, China is helping Putin in Ukraine”.
EVP Henna Virkkunen mentioned that the Cyber Security Act is planned to be presented in January 2026, that the EU is thinking of expanding the scope of the high-risk ve and that she is “not happy” with the implementation of the 5G cybersecurity toolbox.
In her own words, “stricter measures are needed,” most importantly, this will be backed by a new step: no EU money for high-risk vendors in the next Multiannual Financial Framework for 2028–2034.
“In our Multiannual Financial Framework (MFF 2028-2034) proposal we also made it very clear that we are not funding high-risk vendors. Not in the European Union, or outside of the European Union”.
How has the EU been cutting funding for high-risk vendor purchases?
While there is no explicit EU-wide ban on such vendors (and the implementation of the 5G cybersecurity toolbox remains limited at the Member State level), the EU has taken steps to cut the lifeline for these vendors by reducing funding for the purchase of such equipment.
ECIPE reported that, first, the European Investment Bank (EIB) has denied financing for EU operators that purchase Chinese equipment.
Second, the Covid-era baby, the Recovery and Resilience Facility (RRF), as well as the Connecting Europe Facility (CEF), includes conditions related to Chinese equipment, regardless of whether countries have formally designated these companies as high-risk vendors.
Lastly, as pointed out by EVP Henna Virkkunen last week, the next Multiannual Financial Framework (Europe’s € 2 trillion budget for 2028–2034) will ensure that European funds are not used for high-risk vendor infrastructure both within and outside the EU.
Potential outcomes and limitations
If the EU continues its approach of reduced funding and related restrictions on the purchase of high-risk vendors’ infrastructure, European mobile operators (who are simultaneously asking for multiple favours in the upcoming Digital Networks Act) will have to “walk the European sovereignty talk” and start relying more on European infrastructure providers such as Nokia and Ericsson.
Moreover, poorer Member States that rely on EU funding and have argued in the past that Chinese equipment is "simply cheaper" will have to allocate their own national budget resources for such infrastructure, and it is likely that this is where the pragmatic mindset will end.
Finally, the potential binding measures in the revised Cybersecurity Act could be a final push for larger Member States to adopt the necessary measures as well.
But the EU Member States still have to agree on such an approach.
Countries that have been either slow to implement, or merely imitating adherence to the 5G cybersecurity toolbox, usually have one thing in common - close trade relationships with China - and are therefore likely to oppose or at least stay sceptical about strict, binding measures in the upcoming Cybersecurity Act in fear of damaging that relationship.
Moreover, the EU’s strained relationship with the United States may prompt some politicians to favour a more lenient approach toward Chinese telecom equipment makers, or at least to delay tougher action. Yet they should also consider how EU trade overtures have been received in Beijing so far - with a distinctly chilly welcome.
EVP Henna Virkkunen was right to point out a discrepancy in the European approach in her answer to MEP Aura Salla: while the EU is investing heavily in its defence capabilities, we are still leaving our critical infrastructure vulnerable.
