Beijing's numerical lobbying push regarding the EU Cybersecurity Act

      A study conducted by KPMG and commissioned by the CCCEU estimates that eliminating Chinese suppliers from 18 critical sectors in the EU between 2026 and 2030 could cost €367.8 billion. Reuters’ headline simplifies this figure, but the actual cost is significantly higher. The China Chamber of Commerce in the EU has calculated the expense tied to the European Commission’s initiative to phase out Chinese suppliers from essential infrastructure, and it's a substantial amount. The study estimates that the enforced replacement of these suppliers across the specified sectors will cost the European bloc €367.8 billion ($432.83 billion) over the upcoming years.

      The revised Cybersecurity Act, which we mentioned when the Commission reissued its recommendations regarding Huawei and ZTE last week, indicates a shift from the EU's current soft restrictions on Chinese telecom suppliers towards a mandatory framework. This legislation would broaden exclusions of high-risk suppliers across 18 sectors of the European economy, including energy, transport, healthcare, banking, digital networks, and the space industry. Equipment from identified high-risk suppliers would need to be eliminated from critical infrastructure within 36 months of the implementation of the new rules, with possible legal actions and financial penalties for those who do not comply.

      The KPMG study delineates the projected cost of $432.83 billion into categories such as infrastructure replacement, operational disruptions, loss of interoperability, and decreased productivity. The methodology assumes that the existing reliance on Chinese suppliers in the 18 sectors will be replaced during the 2026 to 2030 timeframe with European, Japanese, and Korean alternatives, reflecting their price levels. The figure presented by CCCEU is viewed as a lower limit rather than an upper limit.

      The origin of the study is significant. The CCCEU represents Chinese business interests in the EU, and KPMG was contracted to generate the cost estimate on its behalf. Consequently, this figure should be interpreted as the high end of a self-serving advocacy position rather than an independent cost assessment. TNW has followed the EU's broader push for tech sovereignty, and when the European Commission eventually publishes its own cost analysis, the resulting figure is expected to differ considerably.

      However, the order of magnitude presented is plausible. The European Union Institute for Security Studies has highlighted the inherent challenges of replacing Chinese legacy chip and telecom hardware on a large scale, especially in areas where alternatives from Europe, Japan, and Korea are not yet available in the necessary quantities. The issue of legacy semiconductors alone, according to ISS analysis, could represent tens of billions in replacement costs throughout the period modeled by CCCEU. The overall impact across 18 sectors includes critical infrastructure such as grid equipment and rail signaling, where there is significant Chinese supplier penetration and genuine replacement costs.

      The CCCEU figure comes at a crucial time for EU-China trade relations. Reports indicate that China’s Big Fund is in discussions to lead a $45 billion funding round for DeepSeek, which is interpreted as a demonstration of Beijing’s commitment to AI sovereignty. Simultaneously, the EU is navigating its competition agenda, AI safety regulations, and supply-chain sovereignty efforts. The Cybersecurity Act revision intersects all three of these issues.

      Beijing has a clear goal: to persuade Brussels to reconsider the proposed binding regime, preferably including exemptions that would allow Chinese suppliers to remain commercially viable in the 18 sectors. The CCCEU study serves as the first public effort in this lobbying endeavor. Its impact will largely depend on whether European member states with significant exposure, like Germany and Italy, believe the projected cost is substantial enough to justify tempering the proposed law.

      Three factors will influence the proposal’s direction. First is the European Commission’s forthcoming publication of its impact assessment, expected later this year. If the Commission's figure is significantly lower than CCCEU’s $432 billion, the political case for the binding regime will remain strong. Conversely, if it’s closer to CCCEU’s estimate, member states may seek exclusions and more lenient transition timelines.

      The second factor is whether Germany accepts the suggested 36-month deadline for removing Huawei equipment from its 5G networks, where it currently faces the highest exposure among EU nations. The third is whether Beijing follows the CCCEU study with concrete commercial responses against European exporters, particularly in sectors such as automotive, luxury items, and machinery.

      Currently, none of these signals are available. What is known is that this is the most detailed cost projection of the proposed binding cybersecurity framework produced by any entity to date. The amount is significant, the methodology is clear, and the political context makes this figure relevant, regardless of whether the European Commission agrees with the projection. In the coming months, Brussels will need to publish its analysis.