EU Cybersecurity Act: Increased Scrutiny of China-Based Supply Chains

04.03.2026


Insights from Martin Catarata.

The Diplomat author Mercy Kuo regularly engages subject-matter experts, policy practitioners, and strategic thinkers across the globe for their diverse insights into U.S. Asia policy. This conversation with Martin Catarata – project leader and lead researcher specializing in China-U.S./EU geoeconomic strategy, export controls, and high-tech supply chains at Sinolytics in Berlin – is the 498th in “The Trans-Pacific View Insight Series.”

Explain the regulatory significance of the EU Cybersecurity Act. 

The significance of the EU Cybersecurity Act lies in its use as a strategic instrument of economic security. It broadens the legal architecture that allows Brussels to restrict or condition market access for vendors deemed “high-risk.” This category is widely understood to apply especially to certain China-based ICT suppliers.

By strengthening ENISA [the European Union Agency for Cybersecurity] and establishing EU-wide cybersecurity certification schemes, the Act reduces member states’ discretion to set their own security thresholds. That harmonization is crucial in the China context: it prevents Beijing-facing suppliers from leveraging divisions within the EU single market. The revised framework enables Brussels to embed geopolitical risk assessment into technical certification processes.

Examine the proposed bill’s objective to de-risk the supply chain of ICT infrastructure. 

The Commission’s recent revision proposals pursue a deliberate objective to de-risk ICT infrastructure supply chains by identifying “high-risk” suppliers and creating a legal path to exclude them from critical sectors. The proposal replaces purely national patchwork remedies with a risk-based EU framework that standardizes risk assessment, creates lists of high-risk suppliers, and sets enforceable mitigation (including phased removal) obligations for operators in 18 critical sectors. This approach aims to reduce systemic dependence, accelerate coordinated “rip-and-replace” activity where needed, and lower cross-border fragmentation of security rules so that procurement, incident response, and resilience measures are interoperable across the single market. 

Analyze the scope and scale of Brussels’ increased scrutiny of China-based supply chains. 

Brussels’ increased scrutiny of China-based supply chains is wide in both scope and potential impact. The draft targets not only telecoms equipment but spans 18 critical sectors including electricity, water, cloud, medical devices, satellites, semiconductors, and connected vehicles, applying to both new procurement and in many cases existing network components with multi-year phase-out timetables. 

The scale is across the EU: the Commission proposes EU-level designation and mitigation rules (rather than leaving decisions to each capital), and envisages multi-sectoral assessment, detection, and remediation programs that implicate suppliers across value chains. The combination of broad sectoral coverage, application to legacy assets, and EU-level enforcement represents a big change from the earlier, largely telecom-focused 5G toolbox. 

How would the bill impact the transfer of power from member states to the Commission? 

The draft materially shifts decision-making authority from member states towards the European Commission by centralizing risk designation and setting binding constraints on procurement choices. Previously, restrictions on Chinese ICT vendors (particularly in 5G networks) were implemented unevenly across member states. For example, in Germany Huawei still provided the gear for about 60 percent of 5G sites in 2024. 

Under the proposal Brussels can identify “high-risk” suppliers and require exclusion or mitigation measures that national authorities and operators must implement, thereby constraining national discretion in supplier selection and in when and how to remediate networks. This strengthens ENISA and creates Commission instruments to harmonize lists and phase-out timetables, reducing regulatory fragmentation. The net effect is to move strategic gatekeeping over critical-ICT supply decisions to the EU level.

Assess China’s response to the proposed bill and its broader implications for China-EU trade relations. 

China’s official response has been one of strong opposition, framing the measures as politically motivated and protectionist and warning of consequences for bilateral trade and investment. Beijing’s Foreign Ministry and commerce agencies publicly expressed “grave concern” and denounced listing Chinese firms as “high-risk,” while major Chinese vendors and state media called the initiative discriminatory and lacking technical justification.

In the short term, this rhetoric signals several likely implications: it raises the probability of diplomatic pushback and trade-policy retaliation and increases the incentive for Chinese suppliers to litigate or seek WTO avenues.

Over the medium term, the policy increases political risk for China-EU technology trade and could provoke reciprocal industrial policy measures from Beijing (tariffs, procurement restrictions, or market access barriers) that would complicate broader economic cooperation. Chinese analysts also argue that de-risking raises costs and slows EU green/digital transitions, a domestic framing Beijing will use diplomatically to pressure EU firms and member states to resist full implementation.

Mercy A. Kuo is Senior Contributing Author at The Diplomat.


© The Diplomat