BRUSSELS—In a bold move to fortify Europe’s digital defenses, the European Commission unveiled a sweeping cybersecurity package on January 20, 2026, targeting high-risk suppliers in telecommunications and beyond. The proposal mandates the phased removal of equipment from vendors deemed security threats, primarily those from non-EU nations, escalating tensions with global tech giants like China’s Huawei.
The revised EU Cybersecurity Act, part of a broader package amending the NIS2 Directive, introduces mandatory phase-outs within three years for 5G networks and extends scrutiny to 18 critical sectors including energy, transport, and health. This shift from voluntary national measures to binding EU-wide rules aims to counter state-sponsored cyber threats and supply-chain vulnerabilities, according to Commission documents.
Roots in 5G Security Fears
The initiative builds on years of warnings about foreign vendors embedding backdoors in network gear. A 2020 EU 5G Toolbox had urged member states to mitigate risks from ‘high-risk suppliers,’ but implementation varied widely. Now, the Commission is standardizing enforcement, with BleepingComputer describing the legislation as ‘mandating the removal of high-risk suppliers to secure telecommunications networks’ ([BleepingComputer]).
Huawei swiftly condemned the plan, calling it ‘politically motivated’ in a statement to Reuters. ‘This move discriminates against companies based on nationality rather than evidence,’ the firm said, echoing U.S. campaigns that have largely barred its gear ([Reuters]). Industry analysts note this could accelerate Europe’s push for ‘digital sovereignty,’ though at a steep cost.
Mandatory Timelines and Sector Scope
Under the proposal, operators must identify and replace high-risk components in core 5G networks by 2029, with full divestment deadlines staggered across sectors. Euractiv details how the Cybersecurity Act 2 ‘aims to make the phase-out of high risk suppliers in 5G networks mandatory on EU countries within three years’ ([Euractiv]). ENISA, the EU’s cybersecurity agency, gains expanded powers to certify products and designate risky suppliers.
The rules cover not just telecom but solar plants, security scanners, and ICT in public tenders, as highlighted by Invidis. ‘Logic made in China is often already banned in public tenders,’ the publication notes, signaling broader de-risking from Beijing-linked firms ([Invidis]). Telecom operators face audits and fines up to 2% of global revenue for non-compliance.
Industry Pushback and Economic Stakes
Telecom executives warn of billions in rip-and-replace costs. GSMA, the mobile industry group, called for ‘proportionate’ measures, citing a potential €6 billion hit across Europe. Huawei, with a foothold in several EU markets despite bans in nations like Germany and Sweden, faces existential threats in the region.
Help Net Security reports the package ‘simplif(ies) compliance’ via unified certification but tightens supply-chain scrutiny, requiring vendors to disclose third-country ties ([Help Net Security]). Posts on X from industry watchers like TelecomTV underscore the three-year mandate: ‘mandatory measures to remove technology supplied by “high-risk third-country suppliers” from networks.’
Geopolitical Ripples
China’s foreign ministry labeled the proposal ‘protectionist,’ vowing retaliation amid strained EU-Beijing ties. U.S. officials quietly applaud, seeing alignment with their own export controls on advanced chips. Euronews notes enforcement lags until late 2027, giving operators breathing room but fueling uncertainty ([Euronews]).
The Commission’s Q&A emphasizes resilience against ‘state-backed and cybercrime groups targeting critical infrastructure,’ linking to recent attacks like those on French hospitals ([European Commission]). TechRepublic warns of ‘major damage’ if rushed, potentially sidelining trusted vendors ([TechRepublic]).
Certification Overhaul and ENISA’s Role
A revamped certification framework under the Act covers hardware, software, and services, with ‘high assurance’ levels for critical use. ENISA will maintain a public list of risky suppliers, drawing from national intel. The proposal amends NIS2 to cover more entities, imposing incident reporting within 24 hours.
Commission President Ursula von der Leyen framed it as essential for ‘Europe’s digital future,’ per official releases. Yet MEPs from the Greens and liberals push for faster timelines, while industry lobbies seek carve-outs for legacy gear.
Path to Ratification
The package heads to the European Parliament and Council for approval, likely facing 18 months of wrangling. National security exceptions could dilute impact, as seen in past 5G efforts. BleepingComputer highlights defenses against ‘state-backed and cybercrime groups,’ positioning this as a holistic shield.
Market reactions were muted, with Nokia and Ericsson shares ticking up 2-3% on expectations of contracts. Long-term, the rules could spur €50 billion in EU-native tech investment, per Commission estimates, reshaping global supply chains.
Broader Implications for Global Tech
As enforcement nears, vendors from India, South Korea, and elsewhere scramble for EU certification. The U.S. CHIPS Act offers a parallel, but Europe’s focus on telecom sets it apart. X discussions from experts like Matthew Green caution against overreach stifling innovation.
This overhaul marks a pivot from risk assessment to outright exclusion, signaling Europe’s resolve amid rising hybrid threats. Stakeholders watch closely as Brussels wields regulation as a geopolitical tool.


WebProNews is an iEntry Publication