Huawei and ZTE in the catalog of prohibited products. The EU is toughening its stance towards Chinese technology

The European Commission proposed on Tuesday that member states be obliged to abandon mobile network providers from third countries that are deemed risky. Previously, the EC considered the Chinese company Huawei to be a “high-risk” supplier.

This proposal was included in the cybersecurity package presented on Tuesday. Its purpose is to exclude suppliers of products and services that could be used by countries or third parties, e.g. for espionage or cyber attacks.

Such concerns are raised in the European Union by mobile network providers from China. Although the European Commission has in the past considered Huawei and ZTE to be risky suppliers, many countries still use their services because the EC's actions so far were in the form of recommendations – so they were not obligatory for member states.

A wide catalog of prohibited products

The new law will cover not only mobile network providers, but also those providing critical services and goods, such as:

• scanners,
• automated vehicles,
• electricity supply and storage systems,
• water supply systems,
• drones and anti-drone systems,
• cloud computing services,
• medical devices,
• semiconductors.

A source in the EC emphasized that this list will not be closed.

Poland is a leader in cyber incidents

As the EC wrote in its announcement, in the current geopolitical landscape, supply chain security is no longer limited only to the issue of technical security of products and services.

It is also a matter of risk related to the supplier, in particular related to foreign dependencies and interference – noted the European Commission.

According to EC data, in one week from January 10 to 16, over 100 cyber incidents were recorded throughout the EU, most of them in Poland.

According to the EC, in 2025 cybercrime has caused damage worth more than €9 trillion worldwide. The five most frequently attacked sectors were public, transport, digital, financial and industrial.

Three years to “clean up” the network

A third country may be considered risky from a cybersecurity point of view following an investigation initiated at the request of the European Commission or at least three Member States. From the moment such a risk is identified Member States will have three years to discontinue the services of companies from such countries and find alternative suppliers.

According to the proposal, third countries of “cybersecurity concern” will be considered to be countries associated with coordinated cyber campaigns that do not have independent and democratic control mechanisms.

As part of the cybersecurity package, the EC also proposed strengthening the EU Cybersecurity Agency (ENISA). It will gain a budget that is 75% larger. and powers to certify and support Member States

In March 2025, the Ministry of Digitization declared that Poland would not introduce a ban or restriction on the use of Huawei equipment in telecommunications networks. This equipment is used in Polish 5G networks, and approximately 60 percent 4G network infrastructure in Poland comes from a Chinese supplier.

From Brussels Magdalena Cedro (PAP)

mce/zm/