On Tuesday (20 January 2026), the European Commission presented a revision of the EU Cybersecurity Act, designed to strengthen the protection of critical infrastructure across the Union. The proposal responds to heightened geopolitical tensions and concerns about state-sponsored cyber activities. Under the revised framework, the EU would move beyond voluntary guidance and introduce legally binding measures allowing for the restriction or exclusion of suppliers classified as “high risk”, most notably Chinese giants like Huawei and ZTE, from sensitive sectors such as telecommunications, energy, and healthcare. This marks a decisive move towards treating infrastructure security as a collective European concern rather than a matter of national preference.
Telecoms as a test case
The new legislation establishes what the Commission calls a “technology supply chain security mechanism”, a framework for assessing the cyber risks posed by vendors from countries deemed unfriendly to the EU. While the proposal does not explicitly name China, the Commission’s intent is clear: formalise risk assessments that account for whether suppliers operate under the influence of states that pose strategic threats through espionage, remote sabotage, or the creation of dangerous dependencies.
Telecommunications networks are presented as the primary test case for this approach. Under the revised Cybersecurity Act, binding requirements would oblige Member States to phase out suppliers classified as high risk from the most sensitive components of their 5G infrastructure. In practice, this would exclude Chinese vendors from European 5G networks. Executive Vice-President for Technological Sovereignty Henna Virkkunen criticised the slow pace of implementation to date, noting that she was “not satisfied” with the progress made by national authorities, despite years of non-binding guidance from the Commission. She underlined that cybersecurity concerns extend beyond technical considerations, describing them as strategic risks affecting “democracy, the economy, and our way of life”.
While 5G infrastructure remains the immediate focus, the Commission has identified medical devices as a critical secondary front. In an increasingly connected healthcare system, devices such as pacemakers, insulin pumps, and hospital imaging machines are now part of the “Internet of Things.” The risk of a “kill switch” (the ability to remotely disable equipment) or the unauthorised extraction of sensitive patient data has moved the healthcare sector to the top of the priority list for security audits.
What this means for suppliers
The implications for technology providers are profound. Companies designated as high risk will face an automatic lockout from public procurement contracts, European funding programmes, and influential standard-setting bodies. For the broader business community, the Act introduces two major pillars:
- Mandatory derisking: Telecom operators will be legally required to phase out equipment from vendors deemed a security threat. This moves the EU’s “5G Toolbox” from a set of suggestions to a binding mandate.
- The certification shield: To make security claims easier to verify, the European Cybersecurity Certification Framework (ECCF) is being overhauled. The stated aim is to allow companies to earn a “cyber-secure by design” seal of approval within 12 months, making it easier for European firms to demonstrate that their products meet security requirements before bringing them to market.
Streamlining the rules
Recognising that smaller businesses are often overwhelmed by red tape, the package includes targeted updates to the NIS2 Directive (the EU-wide law on the security of network and information systems in critical sectors). These amendments seek to simplify compliance for nearly 29,000 companies.
Conclusions
The package represents a fundamental recalibration of how Europe approaches technological sovereignty. Whilst American tech giants such as Microsoft, Google and Amazon are not the primary target, Commission officials acknowledged that cloud services and satellite technology (areas dominated by US firms) may also face future risk assessments under the same framework.
The revised Cybersecurity Act will now proceed to the European Parliament and Council for approval. Once adopted, member states will have one year to transpose the requirements into national law.