EU plan to phase-out high-risk tech draws fire from China's Huawei

BRUSSELS (Reuters) - The EU plans to phase out components and equipment from high-risk suppliers in critical sectors, according to a draft proposal released by Brussels on Tuesday - a move criticised by China's Huawei, which is set to be among the companies affected.

The measures, set out by the European Commission in revisions to the EU's Cybersecurity Act, follow a rise in cyber and ransomware attacks and growing concerns over foreign interference, espionage and Europe's reliance on non-EU technology suppliers.

The Commission, the 27-nation bloc's executive arm, did not name any companies or countries.

Europe has, however, been tightening scrutiny of Chinese technology. Germany recently appointed an expert commission to reassess trade policy toward Beijing and has banned the use of Chinese components in future 6G telecoms networks.

The U.S. banned approvals of new telecoms equipment from Huawei and Chinese rival ZTE in 2022 and has urged European allies to follow suit.

NEW MEASURES CREATE MORE SAFETY, TECH SOVEREIGNTY, EU SAYS

"With the new Cybersecurity Package, we will have the means in place to better protect our critical (information and communications technology) supply chains but also to combat cyber attacks decisively," EU tech chief Henna Virkkunen said in a statement.

Huawei echoed earlier criticism from China's foreign ministry.

"A legislative proposal to limit or exclude non-EU suppliers based on country of origin, rather than factual evidence and technical standards, violates the EU's basic legal principles of fairness, non-discrimination, and proportionality, as well as its WTO (World Trade Organization) obligations," a Huawei spokesperson said.

"We will closely monitor the subsequent development of the legislative process and reserve all rights to safeguard our legitimate interests," she said.

The new measures will apply to 18 key sectors identified by the Commission, including detection equipment, connected and automated vehicles, electricity supply and storage systems, water supply systems, and drones and counter drone systems. Cloud services, medical devices, surveillance equipment, space services and semiconductors are also classified as critical.

The EU adopted a 5G security "toolbox" in 2020 to curb the use of perceived high-risk vendors such as Huawei over concerns about sabotage or espionage. Some countries have yet to remove such equipment due to its high replacement cost.

Under Tuesday's proposals, mobile operators will have 36 months from the publication of the high-risk supplier list to phase out key components. Phase-out periods for fixed networks, including fibre-optic and submarine cables, as well as satellite networks, will be announced later.

"This is an important step in securing our European technological sovereignty and ensuring greater safety for all," Virkkunen said.

Restrictions on suppliers from countries deemed to pose cybersecurity risks would take effect only after a formal risk assessment initiated by the Commission or at least three EU countries. Any measures would be based on market analysis and impact assessments.

Telecoms lobby group Connect Europe warned that the proposals would increase the burden on the industry, with additional regulatory costs running into the billions of euros.

The updated Cybersecurity Act must still be negotiated with EU governments and the European Parliament in the coming months before it becomes law.