Brussels reiterates its warning about Huawei and is taking steps to enforce it.

      The European Commission has officially advised member states to exclude Huawei and ZTE from their connectivity infrastructure. These restrictions are progressing towards becoming legally binding. China has already issued threats of retaliation.

      When the European Commission first urged its member states to avoid Huawei and ZTE in their 5G networks, in the 2020 5G Cybersecurity Toolbox, it was merely a recommendation. Six years later, on May 4, 2026, the Commission made a similar suggestion again.

      According to Reuters, Brussels has formally recommended that its 27 member states refrain from using equipment from these two Chinese vendors in their connectivity infrastructure, expanding the initial request from mobile networks to the broader telecommunications and digital services that the Union relies on.

      If this seems like the Commission is repeating itself, it is, but this repetition has a clear purpose. The recommendation issued on Monday serves as a public counterpart to a more substantial structural change.

      These restrictions are now advancing, through a draft cybersecurity law introduced in January, toward becoming legally binding requirements for member states, complete with infringement procedures. The voluntary phase has been deemed ineffective by Brussels.

      The actual content of the recommendation and its implications

      The Commission’s text from May 4 reiterates its long-held belief that Huawei and ZTE present significantly greater risks than other suppliers in the EU’s connectivity sector and directs member-state governments and telecom operators not to utilize their equipment in critical network infrastructure.

      The recommendation remains non-binding. National regulators maintain the authority over their own procurement choices. Member states that prefer to continue using the two vendors are not, in strict legal terms, prohibited from doing so.

      The key shift is that the recommendation has moved from being the Commission’s primary tool. On January 20, 2026, Henna Virkkunen, the EU’s Executive Vice-President for Tech Sovereignty, unveiled a cybersecurity package aimed at transforming this softer approach into a firmer requirement.

      Under the proposed legislation, components from declared high-risk suppliers would need to be phased out from essential network infrastructure within 36 months of the rules coming into effect; member states failing to comply would face infringement procedures and potential financial penalties.

      “It didn’t work on a voluntary basis,” Virkkunen stated at the time, a comment widely reported by Euronews and CNBC.

      In this context, Monday’s recommendation functions as a temporary measure: a reaffirmation of the fundamental policy direction while the legal framework that will enforce it progresses through legislative procedures.

      Reasons the voluntary phase proved ineffective

      Statistics highlight the issue. As of February 2024, only 11 out of the EU's then-27 member states had implemented tangible 5G security measures against Huawei and ZTE. By the announcement of the Commission’s package in January 2026, this number had risen to 13.

      Thus, nearly half of the member states had not acted on a recommendation that has now been reiterated after six years of consistent regulatory pressure.

      The reasons for this inaction are both economic and political. Germany, the EU’s largest market, was the most notable holdout: Huawei equipment was believed to be present in around 60 percent of German 5G sites as recently as late 2024, and the costs and complexities of replacing it have been viewed by Berlin as a gradual process. Several Eastern European nations have shared similar hesitations.

      The Commission's dissatisfaction with this trend is widely regarded as the immediate political impetus for the legislative push.

      Member states with strong domestic suppliers, such as France with Nokia’s Alcatel-Lucent and Sweden with Ericsson, have been more aligned with Brussels from the outset. Notably, Sweden banned Huawei and ZTE from its 5G network back in October 2020.

      The consequences were telling: Ericsson’s revenue from China plunged 46 percent the year after Sweden's ban, and the company has not regained that market share. Capitals discussing the Commission's draft law are aware of this history.

      What the broader connectivity infrastructure framing adds

      Thus far, the Commission has primarily focused on mobile networks: the 5G core, radio access, and the equipment enabling citizen connectivity.

      The recent recommendation expands its scope to encompass “connectivity infrastructure” more generally, with indications that the eventual binding framework will also cover fixed networks, fiber-optic and submarine cables, and satellite networks. Specific phase-out periods for these categories will be defined later.

      The submarine cable aspect is particularly strategically significant. There has been heightened geopolitical tension regarding undersea cable infrastructure, which carries the majority of the EU’s intercontinental internet traffic and has attracted attention due to suspected sabotage incidents in the Baltic and the Red Sea. Removing high-risk suppliers from this segment of the stack represents a more complex challenge than removing them from a base station, and experts indicate this is more urgent.

      China has reacted strongly, labeling the cybersecurity package as “discriminatory” and threatening to retaliate against European companies operating in the Chinese market. Earlier this year, we discussed China’s broader pattern of retaliatory threats against the EU,