Europe depends on Chinese and American tech — and worries about the safety of its critical telecom and IT systems. A new cybersecurity proposal focuses on protecting against not only cyberattacks, but against what European Commission Executive Vice-President for Technological Sovereignty, Security and Democracy Henna Virkkunen calls “critical ICT supply chains.” 

If approved, the proposal would trigger binding rules for countries to force telecom operators to phase out Chinese vendors Huawei and ZTE. Gentle recommendations made in a 2020 security toolbox to achieve this goal have failed. One-third of Europe’s 5G sites use Chinese equipment — a figure unchanged since 2022. Germany relies on Chinese vendors for 59% of its 5G network. 

But there’s a twist. The new rules could also hit US tech: Virkkunen mentions cloud services and satellite technology as two areas of potential security risks. Microsoft, Google, and Amazon dominate cloud computing, controlling 70% of the European market. Starlink enjoys a near monopoly over satellite communication. Given deteriorating transatlantic relations, many Europeans now see these dependencies as dangerous as their reliance on Chinese telecom equipment.  

Yet Europe’s hope of loosening the Chinese American stranglehold remains dark. Consider the first Cybersecurity Act’s record. It made big promises and thick documents, yet politics and internal divisions slowed genuine progress. Brussels adopted only one certification approval in five years.

The modernized cybersecurity regulation promises to accelerate progress. It includes an 81.5% budget increase, 118 additional staff, and modular certification designed to reduce compliance burdens. The hope is that moving decision-making to “neutral” technical certification schemes will allow quick action. 

Good luck. Europe’s influential telecom incumbents have already signaled opposition. Their main lobby, Connect Europe, called on legislators to “correct” the proposal to phase out low-cost Chinese vendors, warning against “policies that would significantly weaken the very sector they aim to safeguard.” A Huawei spokesperson said in a statement that laws to block suppliers based on their country of origin violate the EU’s “basic legal principles of fairness, non-discrimination and proportionality,” as well as its World Trade Organization obligations.  

Another key unanswered debate remains about how much the geographic origin of a supplier should be considered. The long-running battle over cloud cybersecurity requirements revealed the unpleasant truth  — no consensus exists in Europe. France, Germany, Spain, and Italy demanded “High+” requirements: EU headquarters, EU infrastructure, and immunity from US surveillance laws. The Netherlands, Poland, Ireland, and Sweden opposed this, having partnered with American hyperscalers.  

The new cybersecurity rules had the chance to resolve this question. They could have empowered rigorous certification, enabling choice between providers meeting transparent standards — EU or non-EU— plus investment, making European alternatives competitive. Instead, sovereignty requirements vanished. The Commission made everything voluntary and promised nothing about investing in European capacity. 

A comparison with Ukraine, where I work, is revealing. Ukraine’s wartime cyber resilience came from near-real-time threat intelligence sharing, clear guidance to cloud providers, and ruthless prioritization of recovery over documentation. It required none of the certification schemes or five-year evaluation cycles. It required operational capability under pressure. Data was moved offshore to protect it. Firms were chosen based on their operational capabilities, not because of their nationality. US firms, from Microsoft to Broadcom, proved key. 

Europe has rejected such an approach. Member States have refused to give up their powers. Instead of strong centralized leadership with firm rules, the new cyber proposal calls for “continuous operational cooperation.” It preserves that “national security remains the sole responsibility of each Member State.” 

The sovereignty battle reveals an unpleasant truth. This incoherence makes a strong certification essential. If Europe can’t agree on “sovereignty requirements,” it will pass those discussions to future debates. Europe once again risks getting neither improved security nor reduced dependency on China and the US.  

Ieva Ilves has more than two decades of experience in digital transformation, cybersecurity, and international affairs. Her career spans high-level roles in Latvia, Estonia, and internationally, including as Digital Policy Advisor to Latvia’s President. She led Latvia’s first national cybersecurity strategy and the project to establish NATO’s Strategic Communications Centre of Excellence in Riga. She advisesUkraine’s Ministry of Digital Transformation and WithSecure, a Finnish cybersecurity company. She has a master’s from Johns Hopkins University SAIS. 

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.