The EU defied American calls for a blanket ban on Huawei and ZTE, opting instead to demand stricter security measures on telecoms vendors by the end of the year.
The European Commission’s plans, unveiled in Strasbourg Tuesday, include asking national capitals to conduct risk assessments and work together to draft common European security checks on companies building high-speed 5G networks.
“We have to protect our privacy, we have to protect our business secrets, we have to protect our whole lives,” Andrus Ansip, vice president of the European Commission, told reporters. He said the Commission has “specific security concerns,” adding “everyone knows I’m talking about China and Huawei.”
While there is no blanket ban, the guidelines pave the way for a European model of managing risks associated with Chinese vendors. The Commission is also working on tools to handle competition from China, including trade defense instruments, privacy requirements and procurement rules.
Here are seven takeaways from the 5G security plan:
1. There will be EU-wide measures by year-end
EU countries pushed the Commission to present its thoughts following months of pressure from Washington to clamp down on Chinese vendors.
The plans are timed to coincide with the auction of spectrum bands for 5G networks and the rollout of initial commercial 5G services across Europe.
“It’s urgent that we get on with this because decisions are being taken now and in the next year or so” on spectrum and network equipment, Julian King, European security commissioner, told reporters in Strasbourg.
The Commission said 11 countries have auctions planned this year and six others have auctions planned next year.
The Commission asked EU countries to complete national risk assessments by June 30 and send them by mid-July. The EU will conduct its own risk assessment by October. By year-end a group of key cybersecurity experts is due to agree on EU-wide measures to mitigate the risks.
2. Operators are still in limbo
While the Commission’s move shows the EU isn’t close to or likely to impose blanket bans on foreign vendors, it leaves open the question of Huawei’s access to national markets.
One telecoms industry official, who asked not to be named because of the sensitivity of the issue, said the Commission seems to have kicked the can down the road. The move prolongs operators’ uncertainty about whether foreign vendors could face restrictions in the future.
Europe’s main telecoms lobby organizations reacted with caution.
“We support a fact-based and harmonized approach to network security,” Lise Fuhr, head of ETNO (the European Telecommunications Network Operators’ Association), said in a statement.
Global mobile lobby GSMA said in a statement it welcomes the EU’s efforts “to avoid fragmentation, and ensure a proportionate and coherent approach to this important issue.”
Many European operators are in the process of contracting vendors for the rollout of 5G networks. Huawei is considered a strong player, pitching its gear at lower prices than its competitors, industry officials said. But the global debate about alleged security risks is forcing operators to consider potential restrictions on Chinese telecoms equipment in Europe in the future.
Huawei’s chief representative to the EU institutions, Abraham Liu, said in a statement that the company “understands the cybersecurity concerns that European regulators have. Based on the mutual understanding, Huawei looks forward to contributing to the European framework on cybersecurity.”
3. Washington failed to get its Huawei ban …
The Commission’s plan comes after months of lobbying by U.S. officials in Europe. U.S. State Department officials toured Europe to convince their counterparts to block, ban or restrict Huawei’s activities. The diplomats targeted key events like the Munich Security Conference and Barcelona Mobile World Congress for talks with operators and lawmakers.
But the German government and others stopped short of introducing bans, and now the Commission has also refused to impose specific measures targeting Huawei.
Ansip stressed that the EU is not siding with either Washington or Beijing. “Some people aren’t able to understand we have our own concerns,” he said. “It’s not just the support for one or another. We have to think about our own security, our own future.”
4. … but Huawei, ZTE remain clear targets
The Commission stressed that the work in the coming months could lead to a list of products and even suppliers not being considered trustworthy.
National assessments of 5G security “should take into account both technical and other factors,” the recommendation reads, including “regulatory or other requirements imposed on information and communications technologies equipment suppliers.” The text goes on to say “an assessment of the significance of such factors would need to take into account, inter alia, the overall risk of influence by a third country,” including security governance, privacy standards and whether the country abides by international norms and law on cybersecurity.
That’s a clear stab at China, which has been accused of cyber espionage activities by Western security authorities.
5. Watch Berlin …
Brussels’ plans echo those presented in Berlin, where regulators presented a set of draft requirements on 5G security earlier this month. The draft German rules, which will be finalized later this year, stress that operators have to buy equipment from “trusted suppliers,” and that critical network components can only be procured by suppliers that provide an “assurance of trustworthiness.”
The European Commission will ask its cybersecurity agency ENISA to start work on a certification scheme under the EU’s new Cybersecurity Act, which enters into force in coming weeks. Such a scheme is likely to mimic the German draft requirements, or even copy popular certification schemes of large EU countries for application across the EU.
The German security procedure doesn’t allow for measures that target vendors from a specific country, though.
6. … and Rome, Paris, London
In Rome, lawmakers published an update of a trade defense instrument to allow the government to strike down business contracts between operators and foreign vendors — de facto allowing the government to ban Huawei, ZTE and Samsung from any sector it would consider “strategic.”
Notably, the Italian tool targets foreign vendors only and even extends to foreign vendors that establish an office in Europe but are still “directly or indirectly controlled” from abroad.
In Paris, lawmakers are still discussing a review of checks that operators and vendors have to pass with security agency ANSSI. In London the intelligence service’s National Cyber Security Centre is just weeks away from coming out with a new annual oversight report that scrutinizes Huawei’s security standards. The report is expected to be highly critical of the company’s handling of outstanding security concerns.
While European lawmakers have watched Germany’s steps on the issue closely, the moves by Italian and French colleagues could move the goalposts in terms of legal measures that European countries would use to manage the security risks.
7. Talks continue at international stage
While Tuesday’s text put telecom security officials to work, analysts are already looking at a series of international meetings where European countries are expected to streamline their positions on the issue.
Foreign ministers of NATO countries are scheduled to meet in Washington next week, where the issue of China and 5G is expected to be discussed, according to diplomats involved in the preparations. On April 9, the EU has a bilateral trade summit scheduled with China.
France is hosting a ministerial meeting focused on digital issues on May 16, at which 5G security has risen to near the top items on the agenda.
This article is part of POLITICO’s premium Tech policy coverage: Pro Technology. Our expert journalism and suite of policy intelligence tools allow you to seamlessly search, track and understand the developments and stakeholders shaping EU Tech policy and driving decisions impacting your industry. Email email@example.com with the code ‘TECH’ for a complimentary trial.