Research Notes

European Commission’s Proposal Wants to Secure Telecom and 17 Other Critical Industries from High-Risk Suppliers

The New Cybersecurity Package, proposed by the European Commission in January 2026, is designed to strengthen the EU’s resilience, preparedness and response to rapidly evolving cyber and hybrid threats that increasingly target critical sectors. At its core is a revised Cybersecurity Act that updates the EU’s cybersecurity framework to address contemporary risks, particularly in information and communication technology (ICT) supply chains, including risks linked to high-risk third-country suppliers. This proposal would apply across all 27 EU Member States, the three EEA countries (Iceland, Liechtenstein, and Norway), and Switzerland. It covers 18 industries in total, of which telecommunications is only one.

Over the past decade, the European Union has grappled with persistent cybersecurity and resilience challenges linked to foreign state actors, notably those associated with China, alongside concerns about economic coercion affecting strategic and critical industries. At the same time, Russia’s war of aggression against Ukraine—now in its fourth year—has fundamentally reshaped Europe’s security environment and heightened preparedness for the risk of wider regional spillover. In this context, cybersecurity risks are no longer viewed in isolation but as part of a broader nexus of hybrid threats, including the potential for coordinated or aligned actions by Russia and China. These concerns extend to the integrity and trustworthiness of digital and physical equipment embedded in critical infrastructure, where vulnerabilities could be exploited to disrupt essential services, undermine economic security, or weaken collective defence and societal resilience.

The proposal specifically focuses on strengthening the security of ICT supply chains within these 18 industries, ensuring that critical technologies and suppliers are vetted to avoid high-risk dependencies. The 18 industries are split into two groups. The 11 industries of High Criticality are Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water, Waste Water, Digital Infrastructure, Public Administration, Space and Telecommunications. The 7 Other Critical industries are Postal and Courier Services, Waste Management, Chemicals, Food, Manufacturing, Digital Providers and Research. The 18 industries are aligned with the sectors in the Network and Information Systems (NIS) 2 Directive.

Strand Consult has studied the high-risk supplier issue for many years. As early as 2018, it published a roadmap grounded in geopolitical realities, describing how political and regulatory frameworks worldwide were evolving on these questions. In Europe, much of this work was informed by the EU’s 5G Toolbox launched in 2020, and Strand Consult noted early on that concerns about high-risk suppliers in 5G networks would extend to other parts of the telecommunications sector and eventually to other industries. Developments over recent years have confirmed that these assessments and predictions were well founded.

Denmark is one of the countries that use a risk assessment approach to broader telecom and other infrastructure solutions. A Danish law directs assessment of telecommunications equipment and requires removal of equipment from high-risk suppliers. In 2023, TDC was ordered to replace its old WDM network from Huawei before 2027. The Investment Screening Act forms the foundation for the Danish National Strategy for Cyber and Information Security. The assessment is performed by the Danish Resilience Agency.

From 2018 to today, Strand Consult has created transparency, debunked myths, and uncovered facts. It has conducted extensive research in this area, while consistently maintaining the independence to speak candidly. This ensures that clients have clear, well-grounded informational assessments which help them to navigate an increasingly complex policy world.

This note describes what the EU Commission’s proposal means for telecommunications companies in the 27 EU countries and outside the EU, depending on the negotiation position of EU member states and the European Parliament’s promulgation of the final CSA law. It offers insights to other industries from the process.

What is the proposal?

At 270 pages, the CSA is a fairly comprehensive proposal that covers 18 industries. Its length suggests that significant back-end work went into creating the EU proposal. Media coverage of the CSA has focused on the telecommunications industry, with little discussion of the other 17 industries covered by the proposed law. Note that the mobile telecom industry is regulated by the longstanding 5G Toolbox. This means that mobile, fixed and satellite networks are fast-tracked in the CSA proposal. The other 17 industries will likely experience an official assessment process similar to telecom with the 5G Toolbox. This also includes the ICT supply chain risk assessment and sectorial applications, among other provisions.

It will likely take 1-1.5 years before the proposal is adopted, and then the telecommunications companies have 3 years to implement the new rules for critical infrastructure. In practice, the telecommunications companies that currently use high-risk suppliers have under 5 years to phase out the equipment, which in many cases is already in the middle or at the end of its lifecycle. 

The extent of Chinese equipment in critical infrastructures in Europe

Over the years, there have been claims that restrictions on the use of high-risk suppliers will make 5G more expensive and slower to deploy. Strand Consult has addressed this claim, one promoted by Chinese vendors like Huawei and ZTE, in the report Fact Check: 10 Myths That Drive Huawei’s Media Narrative.

Telecom operators that use high-risk suppliers can be grouped into three categories: first, operators that switched to Chinese suppliers when upgrading their networks from 4G to 5G; second, operators that began deploying 5G but chose to change strategy early in the rollout, or that operate in markets where the EU’s 5G Toolbox has been implemented; and third, operators that have continued to rely on Chinese suppliers in countries where the EU’s 5G Toolbox has not been implemented at all, or only partially.

However, many operators have changed to trusted suppliers when they upgrade to 5G, without increasing cost or slowing rollout.

Two of Denmark’s three 4G mobile networks were built with Huawei equipment. However, when upgrading to 5G, these two operators switched to trusted vendors. Denmark was among the first European countries to launch 5G services. Today Denmark has the best 5G coverage in the EU.

Of the approximately 100 mobile networks in the EU, about 60 are already classified as “clean networks”. Of the remaining approximately 40 networks, about 10 have low exposure to high-risk suppliers (between 10-30%). Most of these are in countries in which the EU’s 5G Toolbox is being implemented and hence will not be impacted by the CSA. This means that there are about 30 operators which source between 35-100% of their radio access network (RAN) from high-risk suppliers, and which primarily operate in countries where the EU’s 5G Toolbox has not been implemented.

In practice, this means that at the beginning of 2026, approximately 30% of the installed equipment in the 27 EU Member States, as well as the three EEA countries (Iceland, Liechtenstein, and Norway) and Switzerland, is from high-risk suppliers. This may sound like a high number, but it’s worth taking a closer look at this equipment and where it’s installed.

By far the largest share of the equipment to be replaced over the next five years is located in Germany (Vodafone, O2 and T-Mobile), Italy (“Vodafone” and Windtre), and Spain (MasOrange and “Vodafone”). Based on Strand Consult’s research and the figures from the EU’s Regulatory Impact Assessment as well as the underlying figures, these three countries make up over 55% of equipment that must be replaced over the next five years.

On this replacement measure, Vodafone and Deutsche Telekom (DT) are significant. DT’s networks run across many countries and are provisioned largely by Huawei: 58% in Germany, 100% in Greece, 100% in Austria, 100% in Czech Republic, 50% in Croatia, and 70% in Poland. In addition, its T-Systems resells cloud solutions built and run by Huawei.

Vodafone is 100% reliant on Huawei in four European countries: Czech Republic, Greece, Hungary and Romania. In Spain it is 67%; in Germany, 53%.

European armed forces will use mobile operators’ 5G networks for their communications. From an EU-NATO perspective, approximately one quarter of 4G/5G RAN infrastructure in Europe and NATO countries originates from China. Germany has the highest exposure, followed by Italy, Poland, and Spain. Together, these five countries account for 65% of NATO’s exposure to Chinese equipment, with Germany alone representing about 25% of the risk.

Put simply, a few countries and three large European mobile operators account for a large share of the equipment that the EU categorizes as equipment from high-risk suppliers. This is the infrastructure that EU Commissioner Thierry Breton described in June 2023 when he presented the European Commission’s plan for restricting high-risk suppliers like Huawei and ZTE from European telecommunications networks.

Plainly speaking, many operators made strategic choices without taking sufficient account of developments in the EU and in countries such as the UK, Canada, Australia, Japan, and India. Contrary to the recommendations of experts and public authorities, these operators chose to upgrade their 4G networks using Chinese 5G equipment. This raises the question of responsibility for those decisions, and whether the costs of ensuring secure networks for citizens, businesses, and society should be borne by taxpayers or by shareholders.

The current security environment is shaped by Russia’s invasion of Ukraine, China’s alignment with Russia, North Korea, and Iran, and these countries’ support for Russia’s war effort. In this context, the European Commission notes in its documentation that vulnerabilities are particularly acute given the role of 5G in modern defense systems, military logistics, and counter-drone capabilities, which must be viewed against the backdrop of the “no-limits” partnership announced by Russia and China in February 2022. To fully understand the significance of this assessment, it is instructive to examine China’s position on Russia’s invasion of Ukraine. See the document from the US-China Economic and Security Review Commission and this 700-page report from The European Commission’s Directorate General on the economic distortions created by the Chinese government.

How will this affect the telecommunications industry’s economy?

The economic consequences extend across all three categories of operators: those that, when upgrading from 4G to 5G, chose to replace Chinese suppliers; those that had begun 5G deployment but changed strategy early in the process, or that operate in markets where the EU’s 5G Toolbox has been implemented; and those that have continued to use Chinese suppliers in countries where the EU’s 5G Toolbox has not been implemented, or has only been partially applied. For the first two categories, the associated costs are marginal. For the third category of operators, however, the costs will be directly proportional to the extent to which they have downplayed or underestimated the issue.

Strand Consult’s 2020 research showed that 86 percent of the population in Europe (474 million people) subscribed to mobile services. The actual cost to replace the Chinese equipment at that time was €3.5 billion for the upgradeable equipment. This cost equated to a “one-time cost” of €7.40 per mobile subscriber. Since some of the equipment has already been upgraded to trusted vendors, it can be assumed that the total cost today will be lower. It is also necessary to deduct the ongoing upgrade and maintenance costs that would be incurred by continuing to operate equipment from high-risk suppliers in the network.

It is expected that operators which failed to read the writing on the wall will argue that the costs are unmanageable, and that these same operators will present the public with exaggerated or speculative cost estimates, similar to those seen in the UK when the use of equipment from high-risk suppliers was banned in 2019.

How does the CSA impact assessment view the costs?

In connection with the EU Commission’s proposal for a revised Cybersecurity Act, a Regulatory Impact Assessment has been made, revealing important underlying figures from the 5G Observatory.

The European Commission divides the Member States into four categories related to enacted restrictions on high-risk suppliers:

  • Member States which have enacted restrictions on high-risk suppliers, covering all the key assets as recommended in the 5G Toolbox.
  • Member States which have enacted restrictions on high-risk suppliers, but which are not or only partially covering the key assets.
  • Member States which have not enacted any restrictions on high-risk suppliers but are still highly dependent on them in their 5G networks.
  • Member States which have not enacted any restrictions on high-risk suppliers, but which have no high-risk supplier in their network.

The EC recognizes that there are both countries and operators that have not taken the concept of “high-risk suppliers” seriously. There may be several reasons for this. One clear indication can be seen in the differing levels of military support provided to Ukraine, which reflect significant differences in how European countries perceive and prioritise security issues.

The European Union has invested substantial time and effort in assessing both the costs of implementing the proposal and the costs that would arise from failing to implement it. It has examined the costs associated with implementation in Europe, including with the national authorities and the business community.

Based on available data from the 5G Observatory on investments in 5G RAN and core network equipment, and assuming a transition period of three years, it is estimated that the one-off cost of replacement of the equipment coming from the high-risk suppliers could amount to EUR 3.4-4.3 billion for the non-upgradeable equipment.

The European Commission estimates that the one-time costs will be a maximum, but nominal, EUR 6.5-8.3 per mobile subscriber over three years, if the costs are passed through to consumers.

Separately, Strand Consult suggested a similar upgrade cost in 2020, before operators upgraded their networks from high-risk suppliers to trusted vendors.

The Commission’s estimates may reflect the fact that the underlying figures assume that RAN capital expenditure accounts for between 60 and 70 percent of total mobile capex. That assumption is likely too high; however, this does not change the underlying conclusion that the sooner operators stop investing in equipment from high-risk suppliers and begin transitioning to trusted suppliers, the lower the overall costs will be.

It is also important to note that, over time, mobile capital expenditure is typically estimated to account for around 12–13 percent of mobile operators’ turnover. RAN capital expenditure is commonly assumed to represent approximately 25–30 percent of total mobile capex. In practical terms, this implies that current RAN capex corresponds to roughly 3–4 percent of mobile operators’ revenues.

At the same time, the EU Commission claims that streamlined and reduced compliance obligations are expected to generate cost savings of up to EUR 15.3 billion for businesses over five years. Furthermore, improving the Union’s overall cyber posture and technological sovereignty and stimulating innovation and competitiveness would yield significant benefits for the general public, public authorities and businesses. This is expected to largely offset initial expenditures in the long term.

Without going into further detail on the figures, this analysis outlines the risks associated with not choosing trusted vendors. See Strand Consult’s research note from December 2024: Eight risks for the 5G supply chain from suppliers under the influence of adversarial countries like China.

The experience of EE and Vodafone in the UK

The UK—and in particular the country’s poor 5G coverage—is often cited as evidence that banning high-risk suppliers is costly and delays 5G rollout. This argument is a myth, one that has been debunked repeatedly, most recently in the following note: 5G rollout slowed while mobile operators await merger approval. Case in point: the slow rollout in the UK.

A review of the transcript from British Telecom’s (BT+EE) investor call on 30 January 2020 shows that the UK’s leading telecom operator directly challenged the cost myth. BT estimated that the impact of the Huawei ban would amount to £100 million (approximately $130 million) per year over five years. Rather than postponing £500 million in investment, BT adjusted its investment schedule to bring those expenditures forward. This figure should be viewed in the context of BT’s annual capital expenditure of £4.8 billion, amounting to approximately £24 billion over a five-year period.

A review of the transcript from Vodafone’s investor call on 2 February 2020 shows a similar assessment. Vodafone stated that it had paused further development with Huawei in the core network the previous year and had decided to replace Huawei in sensitive areas, namely the core, across the EU within five years at an estimated cost of approximately €200 million. Vodafone further noted that it was closely engaged with European governments on the Huawei issue and had committed to removing Huawei from its European core networks. At the same time, the company expressed optimism that regulators would recognise the need for a fact- and risk-based approach distinguishing between sensitive core functions and non-sensitive RAN, arguing that, given low industry returns, a major acceleration of capex to replace modern 4G networks could not be justified and would risk delaying 5G rollouts in affected member states as investment priorities were adjusted.

On the same call analyst Jakob Bluestone asked, “Thanks for taking the question. I just had a question on the Huawei and network security issue. You mentioned that there is quite a bit of member state discretion. So I was just wondering if there may be any particular markets that you would call out where there is sort of a greater risk of any incremental CAPEX beyond the EUR200 million you flagged for Europe. And specifically for Germany, if you can maybe just remind us where are we on the process of making some sort of a decision there. What are the sort of key dates to watch out for? Thank you.”

Vodafone’s Chief Executive Officer, Nick Read, replied, “Yes. In a way, Jakob, we can’t really call out any country because effectively the European toolbox has just come out and all the European countries, with the exception of a few small countries, have been awaiting that toolbox and therefore we’re engaging with them. Essentially, they have to look at that toolbox and go through and adopt measures by April with a view to show implementation as in that they start to implement the framework in June. So, I think we’re going to be in a much better position in May to give you a sort of overall summary of where the various countries landed. What I’d say is, I think we’ve had very active and positive engagement with countries. They are really keen to understand the implications of various scenarios. They are very attuned to wanting 5G deploy quickly. They understand the need to 5G as a key enabler to a digital society. And they know that we could undermine the fantastic manufacturing base we have through Europe if we do not move quickly on 5G. So, they really do understand the importance of getting 5G out and they also understand the operational and financial constraints of the industry as a whole. And I think one of the important things here is the industry is one with its voice with governments, making it clear, it’s the same implication for everyone. And therefore, we are trying to find the right path. We too want then the resilience and balancing over time, but these things take time.”

An examination of current network swap cases across Europe—including TDC Denmark, Telenor Norway, Telia Norway, Proximus in Belgium, and KPN in the Netherlands—shows that none of these operators have reported increased costs or delays as a result of their network swaps.

How will it affect other countries – The European Union provides financial aid for telecommunication infrastructure

Understanding current developments within the European Union requires recognizing that the path to EU membership is lengthy, complex, and highly negotiated. Member states enjoy significant geopolitical, economic, security, and fiscal benefits. Minimum requirements for accession include compliance with EU standards and rules, approval by existing member states and EU institutions, and the consent of the candidate country’s citizens.

In addition, candidate countries must demonstrate stable democratic governance, uphold the rule of law, protect human rights and minority rights, and maintain a functioning market economy. Crucially, they are assessed on their ability to adopt, implement, and enforce EU rules across a wide range of policy areas, including telecommunications, energy, transport, and the environment.

Compliance with EU rules is also a prerequisite for financial support, regardless of whether a country is a member. The EU currently comprises 27 member states. Many of the other countries are included in the European Commission’s 2023 Enlargement Package, primarily covering nations in the Balkans and Central Europe, several of which already receive EU financial support.

The EU provides financial aid and support to many countries around the world, including nations in Africa and Latin America through the Global Gateway program. Indeed, EU financing is already underway in many nations, as the European Commission (EC) notes: “Broadband national strategies were developed in Moldova and Georgia to facilitate investments in high-speed and affordable internet in the region. This included a EUR 70 million co-investment by the EIB and the World Bank in Georgia to roll out broadband in rural communities. The price of international connectivity for research and education institutions has decreased by 70% in recent years. In addition, two ultra-fast digital highways (up to 400 Gbps) were set up between the EU, Moldova, and Ukraine to facilitate cooperation in research and innovation, including participation in Horizon Europe.”

In its International Digital Strategy adopted in June 2025, the European Commission and the High Representative for Foreign Affairs and Security Policy set out priority areas for cooperation with partner countries, among which secure and trusted digital infrastructure is a central focus. The strategy recognises that building resilient, secure and trustworthy digital infrastructure is essential for economic growth and for critical sectors such as energy, transport, finance and health. This includes cooperation on secure connectivity, cybersecurity and related technologies in order to strengthen both the EU’s digital security and that of its partners. It also reflects the broader objective of enhancing technological competitiveness and resilience in international partnerships, as part of the EU’s effort to shape global digital governance aligned with democratic values and security priorities. It notes,

“The security and resilience of digital networks and infrastructures are essential to enable developments in critical sectors such as energy, transport, finance and health. While the EU has already demonstrated leadership in this area, work will continue, by drawing on instruments such as the 5G Toolbox, to assist partner countries who are equally concerned about the need to build their digital economy on secure foundations. In line with the recent Communication to strengthen the security and resilience of submarine cables, this approach could be extended to submarine cables and other critical digital infrastructure. This could be the subject of an annual conference to deepen technical contacts and understanding on opportunities and security requirements for future routes, partnerships, and financing, feeding into the Global Gateway process.”

This is an extension of the EC Communication from June 2023, which established compliance with the EU’s 5G Toolbox as a prerequisite for obtaining financial support for the establishment of telecommunications infrastructure. The European Commission Communication on EU enlargement policy describes the enlargement principles, policy, and process, including the requirements for telecommunications networks detailed on p. 53.

The prerequisite for receiving EU support (existing and new EU countries) is that projects contribute to ensuring compliance with the EU’s digital standards, including cybersecurity requirements outlined in the 5G Toolbox and principles of “open access to the internet.” In practice, this means that access to EU aid (existing and new EU countries) is contingent on adherence to the rules associated with the corresponding funding.

The EU has long maintained a strategic approach toward the Western Balkans, as reflected in the Reform and Growth Facility for the Western Balkans states. The Facility is designed to support investments and reforms that advance beneficiaries’ digital transformation in line with the EU’s vision for 2030, as set out in the Commission communication 2030 Digital Compass: The European way for the Digital Decade. The Facility aims to facilitate the achievement of EU digital objectives and targets. As noted in the Commission communication of 15 June 2023, and in the 4 November statement, the 5G Cybersecurity Toolbox serves as the reference framework for EU funding to ensure the security, resilience, and integrity of digital infrastructure in the region.

Importantly, the EU applies the same conditions to its member states. For example, projects under the Connecting Europe Facility (CEF, pp. 12–13) may be eligible for cooperation initiatives with covered countries, like the Latvian cooperation with Ukraine on telecom.

In a report from 4 November 2025, the European Commission (EC) highlights that: “Regarding 5G security, Ukraine has adopted a Protocol of Intent on 5G Security between the responsible authorities, which includes an action plan to develop and implement rules on 5G security in line with the EU’s 5G Cybersecurity Toolbox, including the exclusion of high-risk suppliers. However, Ukraine has made limited progress in implementing these commitments. Notably, in a recently launched 5G pilot project in Lviv, the National Commission for the Regulation of State Electronic Communications, Radio Frequency Spectrum and Postal Services (NCEC) granted a licence to a high-risk supplier, contradicting the spirit of the Protocol and risking increased dependence on high-risk vendors, thereby posing a threat to the security of critical infrastructures. Ukraine should effectively and quickly address such risks.”

Conclusion

It is clear that the European Commission has drawn on both positive and negative experiences from the telecommunications sector, as well as from the EU’s 5G Toolbox, in developing the framework for a revised Cybersecurity Act. The proposal seeks to strengthen cybersecurity capabilities and resilience while preventing regulatory fragmentation across the EU. It also aims to enhance the security of the EU’s information and communication technology (ICT) supply chains and to ensure that products reaching EU citizens are cyber-secure by design through a simplified certification process. The proposal will apply to all 27 EU Member States, the three EEA countries (Iceland, Liechtenstein, and Norway), and Switzerland, and it will cover 18 industries in total, of which telecommunications is only one.

In connection with the preparation of the proposal, a fairly extensive Regulatory Impact Assessment was prepared, based on underlying figures from the 5G Observatory, which gives reasonable estimates of what it will cost the telecommunications industry to implement this new legislation.

When comparing the calculations made by the European Commission with those produced by Strand Consult in 2020, there is no significant divergence between the two assessments. Both point to an estimated one-time cost of around €7 per mobile user in Europe.

When this is set against Strand Consult’s mapping of Chinese infrastructure across the 31 countries covered, it becomes clear that more than half of the equipment requiring replacement is concentrated primarily in Germany, Italy, and Spain. The analysis also shows that the majority of this equipment is owned by Vodafone and Deutsche Telekom, and is deployed in countries including Austria, the Czech Republic, Croatia, Germany, Greece, Hungary, Poland, Romania, and Spain.

There is little doubt that some operators will resist efforts to restrict their use of Chinese suppliers. Conversely, those operators may face a significant commercial risk if NATO—or other security bodies—were to designate them as “untrusted operators,” a point highlighted by Commissioner Thierry Breton in June 2023. This risk is further explored in Strand Consult’s analysis The pressure to restrict Huawei from telecom networks is driven not by governments, but by the many companies which have experienced hacking, IP theft, or espionage.

Strand Consult’s mission is to provide transparency and deliver rigorous, independent insights. Its library on network security offers extensive analysis and documentation. Strand Consult is available to engage with stakeholders through dedicated policy workshops.
