The policy debate about Chinese infrastructure is not about trade; it’s about security. Just ask NATO

Strand Consult is a 30-year-old company specializing in the telecommunications world that generates all our revenues from telecommunications companies around the world. We are considered the leading experts when it comes to why Chinese equipment should not be used to build the digital infrastructure in a modern society. We are the ones who have published the most research in this area, and we are the only ones who have been able to map the use of Chinese telecommunications equipment across over 62 countries around the world since 2019, including all European countries. We have recently published the report: How to ensure NATO’s next generation weapons access to modern communication solutions

For over 30 years, our CEO John Strand has been one of the leading experts when it comes to what the telecommunications industry looks like and how it develops. He also serve on the board of the Parliamentary Intelligence-Security Forum. It is an organization that holds three events every year. One in Washington where we are invited by the Senate and hold it in the Senate, watch his presentation from December 2024. The other two conferences are held in different countries, where PI-SF are invited by the government each time and hold the conference in the national parliament. Strand Consult have precented our research in many parliaments including Romania, Hungary, UK, Guatemala, Panama, Parlemantino (Latin America’s mini EU), the Philippines, the Spanish Senate and most recently in El Salvador where we were invited by President of El Salvador Legislative Assembly, Hon. Ernesto Castro.

The risk of using untrusted vendors.

In 2019, 5G emerged as a mainstream policy topic, reinvigorating discussions regarding the social and economic value of telecommunications. From the invention of the telephone to the present day, the industry has transformed how individuals communicate, how businesses operate, and how public sector services are delivered, all built upon the advanced telecommunications infrastructure.

Given that modern society requires telecommunications to function, US and EU policymakers desire secure networks and have increasingly focused on the integrity of network equipment vendors and the degree to which supplier based in China could be compromised by their government. Strand Consult provides research notes and reports designed to assist telecommunications companies in navigating this complex landscape. While media coverage has predominantly focused on Huawei, the broader discussion should encompass the range of companies owned or affiliated with the Chinese government, including, but not limited to TikTok, Hikvision, DeepSeek, and ZTE. Strand Consult’s publishes accurate assessments of the risk of using untrusted vendors, even when this information runs counter to its clients’ preferences.

The notion of “rip and replace” of Chinese equipment is frequently misunderstood. No European country has undertaken a whole scale rip-and-replace of such equipment. Instead, operators have ceased new investments in Chinese network equipment and are gradually phasing out or replacing existing installations. Within the context of ongoing technological evolution, the replacement of older RAN equipment with newer systems constitutes a normal component of network modernization.

In 2012 Australian Prime Minister Julia Gillard of the Social Democratic party was the first world leader to restrict Chinese equipment in mobile networks. Other countries followed including USA, Belgium, Canada, Costa Rica, Denmark, France, Estonia, India, Japan, Latvia, Lithuania, New Zealand, North Macedonia, Portugal, South Korea, Romania, Sweden, UK etc.

Strand Consult believes that the debate on network security is an important one, and it requires objectivity and dispassion for a telecom operator to make purchasing decisions. Strand Consult examines the claims for and against actions to restrict Chinese-made equipment. It presents the facts and reviews the situation from economic, technical and political perspectives.

The EU´s 5G Toolbox.

The European Commission, European Union Agency for Cybersecurity (ENISA), and the Body of European Regulators for Electronic Communication (BEREC) developed an EU-wide coordinated risk assessment. Based upon a set of identified risks, the EU 5G Toolbox was developed with strategic (non-technical) and technical mitigating measures, and the EU member states pledged to follow it. The European Commission and the EU member states implemented key measures in two areas; strategic (non-technical) and technical security measures. Both assessments and mitigation measures must be satisfied to deem 5G equipment suppliers as secure and trusted.

The EU 5G Toolbox was launched in 2020. In the 2nd Progress report of the EU 5G toolbox (June 2023) all 27 EU Member States pledged to fully implement the EU´s 5G Toolbox. As of June 2023, 24 Member States have adopted the toolbox or were in the process to do so, for example by preparing legislative measures which vest the local authority to perform security assessments. By June 2023, only 11 Member States had taken measures to implement high risk vendor restrictions. As all EU countries support the 5G Toolbox, its implementation moves toward the de facto removal of Huawei and ZTE from European mobile networks.

Due to the non-technical nature of hardware risks and the criticality of 5G networks to a nation, effective mitigation of non-technical factors and risks has been deemed to require non-technical mitigations e.g. exclusions by “assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risks-including necessary exclusions to effectively mitigate risks for key network assets”. Such restrictions in national laws have been among others implemented in Australia, Belgium, Canada, Costa Rica, Denmark, France, Estonia, India, Japan, Latvia, Lithuania, New Zealand, North Macedonia, Portugal, South Korea, Romania, Sweden, UK and US.

5G networks transmit far more than private consumer and corporate communications. They form the backbone of critical societal functions, connecting energy grids, water systems, essential industrial production, mining operations, and logistical networks including railways, roads, airports, and seaports. As a result, the security of these networks—including the integrity of their suppliers—must be assessed in a broader context that goes beyond privacy and confidentiality concerns to encompass risks to public safety, strategic autonomy, resilience, and, ultimately, national security.

The European Union provides financial aid for telecommunication infrastructure.

The best way to understanding current developments within the European Union requires recognizing that the path to EU membership is lengthy, complex, and highly negotiated. Member states enjoy significant geopolitical, economic, security, and fiscal benefits. Minimum requirements for accession include compliance with EU standards and rules, approval by existing member states and EU institutions, and the consent of the candidate country’s citizens.

In addition, candidate countries must demonstrate stable democratic governance, uphold the rule of law, protect human rights and minority rights, and maintain a functioning market economy. Crucially, they are assessed on their ability to adopt, implement, and enforce EU rules across a wide range of policy areas, including telecommunications, energy, transport, and the environment.

Compliance with EU rules is also a prerequisite for financial support, regardless of whether a country is a member. The EU currently comprises 27 member states. Many of the other countries are included in the European Commission’s 2023 Enlargement Package, primarily covering nations in the Balkans and Central Europe, several of which already receive EU financial support.

The EU provides financial aid and support to many countries around the world including nations in Africa and Latin America through the Global Gateway program. Indeed EU financing is already underway in many nations, as the European Commission (EC) notes, “Broadband national strategies were developed in Moldova and Georgia to facilitate investments in high-speed and affordable internet in the region. This included a EUR 70 million co-investment by the EIB and the World Bank in Georgia to roll out broadband in rural communities. The price of international connectivity for research and education institutions has decreased by 70% in recent years. In addition, two ultra-fast digital highways (up to 400 Gbps) were set up between the EU, Moldova, and Ukraine to facilitate cooperation in research and innovation, including participation in Horizon Europe.”

The EC Communication from June 2023 established a prerequisite for obtaining financial support for the establishment of telecommunications infrastructure as compliance with the EU’s 5G toolbox. The European Commission Communication on EU enlargement policy describes the enlargement principles, policy, and process, including the requirements for telecommunications networks detailed on p. 53.  

The prerequisite for receiving EU support is that these projects have been crucial to ensure their compliance with the EU’s digital standards, on cybersecurity (5G toolbox) and “open access to the internet.” In practice, this means that the prerequisite for these countries to be able to access aid from the EU is that they must comply with the rules that apply to receive the corresponding aid from the EU.

The prerequisite for receiving EU support (existing and new EU countries) is that projects contribute to ensuring compliance with the EU’s digital standards, including cybersecurity requirements outlined in the 5G Toolbox and principles of “open access to the internet.” In practice, this means that access to EU aid (existing and new EU countries) is contingent on adherence to the rules associated with the corresponding funding.

The EU has long maintained a strategic approach toward the Western Balkans, as reflected in the Reform and Growth Facility for the Western Balkans states. The Facility is designed to support investments and reforms that advance beneficiaries’ digital transformation in line with the EU’s vision for 2030, as set out in the Commission communication 2030 Digital Compass: The European way for the Digital Decade. The Facility aims to facilitate the achievement of EU digital objectives and targets. As noted in the Commission communication of 15 June 2023, and in the 4 November statement the 5G Cybersecurity Toolbox serves as the reference framework for EU funding to ensure the security, resilience, and integrity of digital infrastructure in the region.

Importantly, the EU applies the same conditions to its member states. For example, projects under the Connecting Europe Facility (CEF, pp. 12–13) may be eligible for cooperation initiatives with covered countries like the Latvian cooperation with Ukraine on Telecom.

In a report from 4 November 2025 the European Commission (EC) highlighting that: “Regarding 5G security, Ukraine has adopted a Protocol of Intent on 5G Security between the responsible authorities, which includes an action plan to develop and implement rules on 5G security in line with the EU’s 5G Cybersecurity Toolbox, including the exclusion of high-risk suppliers. However, Ukraine has made limited progress in implementing these commitments. Notably, in a recently launched 5G pilot project in Lviv, the National Commission for the Regulation of State Electronic Communications, Radio Frequency Spectrum and Postal Services (NCEC) granted a licence to a high-risk supplier, contradicting the spirit of the Protocol and risking increased dependence on high-risk vendors, thereby posing a threat to the security of critical infrastructures. Ukraine should effectively and quickly address such risks.”

Denmark’s Investment Screening Act.

The EU’s 5G Toolbox is a starting point. As 5G networks connect critical systems, energy, water, transport, and industry its security is vital for security, autonomy, and national defense. Beyond mobile networks, Denmark and others are applying this risk assessment approach to broader telecom and infrastructure systems. A new Danish law directs assessment of telecommunications equipment and requires removal of equipment from non-trusted vendors. This Investment Screening Act forms the foundation for the Danish National Strategy for Cyber and Information Security. The assessment is performed by The Centre for Cyber Security (CFCS).

Conclusion.

The world is changing rapidly. China is not the same country it was ten years ago. Today, China considers Russia, Iran and North Korea its allies. These countries seek to undermine democracies in the free world.

China assists Russia in its war on Ukraine. Chinese mobile network providers delivered 4G networks to Crimea after Russia’s 2014 invasion. Thousands of North Korean soldiers are fighting on Russia’s side in the war against Ukraine. War is being waged on European soil with the tacit approval of the Chinese government.

Daily news reports describe how Chinese government affiliated hackers target critical infrastructure, including telecommunications, energy systems, government departments, and public officials. A Chinese ship has been implicated in sabotage of a subsea cable near Taiwan. These represent China’s increasingly sophisticated campaign of electronic warfare.

EU’s updated International Digital Strategy from June 2025, says: “The security and resilience of digital networks and infrastructures are essential to enable developments in critical sectors such as energy, transport, finance and health. While the EU has already demonstrated leadership in this area, work will continue, by drawing on instruments such as the 5G Toolbox, to assist partner countries who are equally concerned about the need to build their digital economy on secure foundations. In line with the recent Communication to strengthen the security and resilience of submarine cables, this approach could be extended to submarine cables and other critical digital infrastructure. This could be the subject of an annual conference to deepen technical contacts and understanding on opportunities and security requirements for future routes, partnerships, and financing, feeding into the Global Gateway“.

In simple terms, all telecom companies are required to comply with rules that have already been implemented in parts of the European Union and are in the process of being applied across the remaining part of the Union. Observations regarding countries such as Germany and Spain not following this path may reflect a lack of awareness of the broader regulatory developments underway across the EU and in the two countries.

Operators that have chosen to use equipment from suppliers like Huawei and ZTE are unlikely to meet the security requirements. The qualification review and exercise which will be undertaken among the 32 NATO countries and many other nations around the world aligned with NATO, countries like Japan, India, and others. Countries which consider China a military partner (Pakistan, Belarus, and Cambodia) use Huawei and ZTE equipment. 

Strand Consult’s mission is to provide transparency and contribute valuable insight to telecom operators. Check out Strand Consult’s library on network security and contact Strand Consult for a policy workshop.