After years of hesitation, Europe is finally getting serious about de-risking. A new proposal makes it mandatory to rip out Huawei and other dangerous components from the continents’ telephone systems. 

Previous attempts left governments free to decide whether and which components of Chinese suppliers to remove from 5G networks. Governments took different approaches; some hesitated, while others moved forward. Results were poor. Recent research shows that Chinese vendors supplied more than 50% of 5G equipment in 31 European countries at the end of 2022.  

Despite the new seriousness, the new European approach remains far too weak. It requires de-risking only for mobile and fixed telecom networks. It makes no mention of other key assets intechnologies, particularly in the transportation or energy sectors.  

This gap will allow Chinese connected vehicles and solar technologies to penetrate the European market, just as with 5G telephony. When Europe decides to remove untrusted components, it will be costly. At the same time, the money spent on Chinese tech during those years will fuel innovation inside China.  

The US offers a good model. Washington has adopted a broad definition of critical components, including autonomous driving and Wi-Fi technologies in connected vehicles, and banned their supply from untrustworthy entities.  

In contrast, Europe’s process for “defining” tech security risks remains cumbersome. To identify tech as a risk, either three member states or the European Commission need to initiate a security assessment. This takes months and leaves the door open to lobbying. 

Instead of its piecemeal approach, Europe should undertake a comprehensive review of its critical infrastructure and ban untrustworthy entities. This includes Chinese software suppliers for cranes in ports, connected solar power inverters, advanced autonomous driving software and hardware, and AI-powered robots.  

Europe should aim to avoid risk, not to wake up and discover that it needs to de-risk. It must define critical components and mandate the use of trustworthy suppliers.  

Consider cars. Europe’s new Supply Chain Security Toolbox fails to define the risky parts in connected vehicles. Instead, it focuses on broad risk scenarios, avoiding identifying specific technical definitions. In contrast, the US last year banned cars and auto parts made in China or Russia.  

Most European policymakers continue to cling to a misguided conception of combatting cybersecurity risk. During the 5G debate, they focused on technical mitigation, attempting to safeguard components after their installation. It took years of debate for policymakers to conclude that some technologies are so complex and so critical that risks cannot be managed to an acceptable level.  

The Chinese government will always be able to put pressure on entities that are headquartered in China and potentially in third countries that depend on China. This pressure will not be visible to the outside, just as technological backdoors are hidden. The only way for “untrustworthy” companies to deal with geopolitical risk is to relocate to Europe and have their sole headquarters there.  

De-risking forces policymakers into a defensive mindset. Every minute spent on de-risking is not spent on propelling innovation. The best strategy would be for Europe to become a tech leader, gain market share, and avoid having to constantly think about de-risking from Chinese tech.  

Dr. Valentin Weber is a Senior Research Associate at the German Council on Foreign Relations  

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.

The post Chinese De-Risking: Europe Needs to Accelerate  appeared first on CEPA.