BRUSSELS — The European Commission unveiled draft changes to the EU Cybersecurity Act that would force critical-infrastructure operators to phase out components and equipment from “high-risk” suppliers, a move widely seen as targeting Huawei and other Chinese vendors, Jan. 20, 2026. The proposal would give mobile network operators 36 months to remove high-risk components after the EU publishes a supplier list, as Brussels says it needs tougher defenses against cyberattacks, espionage and overreliance on non-EU technology providers.
The draft would extend mandatory supply-chain “de-risking” beyond telecom networks to 18 sectors the Commission classifies as critical — from electricity and water systems to cloud services, medical devices, surveillance equipment, connected vehicles, drones and semiconductors. Under the plan, phase-out periods for fixed networks, including fiber-optic and submarine cables, and for satellite networks would be announced later, according to the draft proposal described by Reuters.
EU tech chief Henna Virkkunen said the package would equip the bloc to “combat cyber attacks decisively,” while Huawei criticized the approach as discriminatory. In its response, Huawei argued that restricting suppliers based on country of origin rather than technical evidence undermines EU legal principles and the bloc’s World Trade Organization obligations.
What the plan could mean for Huawei and telecom operators
Even without naming Huawei, the draft is likely to reshape procurement decisions across the EU because it would standardize how “high-risk” suppliers are identified and removed. The proposed restrictions would take effect only after a formal risk assessment initiated by the Commission or at least three EU member states, followed by market analysis and impact assessments.
For operators, the key pressure point is timing: the 36-month clock would not start immediately; it would begin once the EU publishes a high-risk supplier list. That structure could encourage carriers to begin swapping out sensitive equipment early to avoid a last-minute scramble in markets where Huawei gear is deeply embedded. The Commission’s push to make these rules binding is also meant to address uneven national enforcement, as reported by The Associated Press.
Industry groups have warned that accelerated replacement programs could add billions of euros in costs, piling onto existing investment demands as European operators continue rolling out and upgrading 5G networks.
Huawei and the EU: from a 2020 toolbox to a 2026 deadline
This is not a sudden turn. In January 2020, EU countries agreed to a common set of risk-mitigation measures for next-generation mobile networks — the EU 5G security toolbox — designed to steer member states toward limiting high-risk suppliers in the most sensitive parts of their networks.
But the toolbox relied largely on voluntary national action. By mid-2023, EU officials were publicly urging faster moves against Huawei and ZTE, arguing that bans could be justified under existing guidance and warning that slow-moving countries were leaving the bloc exposed — a message captured in a Euronews report on the Commission’s stance.
What is new in 2026 is the attempt to turn years of guidance into enforceable deadlines, with the Commission rolling the proposal into a wider legislative push. The next step is negotiation with EU governments and the European Parliament, as outlined in the European Commission summary of the broader cybersecurity package. If adopted, the rules would put Huawei on a clearer, faster phase-out track across EU mobile networks — but the countdown would start only after the high-risk list is published.
