EU Moves to Expel High-Risk Technology from Critical Infrastructure Networks

2026-01-21 digital

Brussels, Wednesday 21 January 2026
Brussels proposes a mandatory phase-out of high-risk vendors across 18 sectors, giving operators just three years to strip Chinese technology from core 5G networks.

From Industrial Strategy to Security Enforcement

This legislative push marks a sharp escalation from the industrial strategies reported previously, where the primary focus was on incentivising domestic manufacturing to combat trade deficits [9]. While the earlier ‘Made in Europe’ drive sought to bolster economic sovereignty through production targets, the European Commission’s latest move, unveiled on Tuesday, 20 January 2026, prioritises the immediate excision of ‘high-risk’ vendors from the continent’s digital nervous system [1]. The transition from economic incentives to regulatory enforcement underscores Brussels’ hardening stance on strategic autonomy.

A Mandate for Removal

The draft proposal, introduced by Executive Vice-President Henna Virkkunen, abandons the voluntary approach of the 2020 5G Toolbox [2][3]. Citing frustration that only 13 member states had effectively taken steps to restrict high-risk vendors, Virkkunen confirmed that Brussels now seeks to oblige national governments to purge their networks [2][5]. Under the strict new regulations, telecommunications providers will have exactly 36 months from the publication of the high-risk list to remove equipment from suppliers like Huawei and ZTE from the ‘core’ parts of their 5G networks [1]. These core components, which are responsible for processing and routing data, are distinct from peripheral hardware such as antennas and masts, which currently fall outside the immediate scope of the mandatory ban [6][7].

Securing the Digital Supply Chain

The Commission’s crackdown extends far beyond the telecommunications sector. The revised Cybersecurity Act and NIS2 directive target 18 critical sectors, ranging from electricity and water supply to autonomous vehicles, medical devices, cloud services, and semiconductors [1][7]. The legislation aims to harmonise risk assessments across the bloc, ensuring that a supplier deemed ‘high-risk’ in one member state faces consistent restrictions EU-wide [3]. To support this, the European Union Agency for Cybersecurity (ENISA) will see its powers expanded, with a mandate to develop new certification schemes for ICT products within 12 months [3][7]. This creates a comprehensive legal framework for identifying and mitigating risks throughout the supply chain, addressing the fragmentation that plagued previous security efforts [3].

Industry Mobilisation and Geopolitics

European legacy industries are already leveraging this regulatory shift to protect their market share. On 20 January 2026, the European Rail Industry (UNIFE) urged the Commission to immediately apply these new cyber powers to railway infrastructure [8]. With Chinese manufacturers gaining ground—evidenced by recent contracts with Austria’s Westbahn and controversies surrounding the Budapest-Belgrade line—UNIFE Director General Enno Wiebe warned that Europe risks losing control over its strategic transport networks if price continues to trump security in procurement [8]. Meanwhile, the reaction from Chinese stakeholders has been swift; Huawei has criticised the proposal as a violation of the EU’s own principles of fairness and non-discrimination, hinting at potential legal challenges, while the telecoms lobby group Connect Europe warned that the replacement of infrastructure could impose billions of euros in regulatory costs [1][6].

Sources & Ecosystem Partners

Cybersecurity Telecommunications