Chinese chamber of commerce puts a $432bn price tag on the EU’s cybersecurity overhaul

A KPMG-conducted study commissioned by the CCCEU estimates that phasing Chinese suppliers out of 18 critical EU sectors between 2026 and 2030 would cost €367.8bn. Reuters’ headline rounds that down. The actual figure is materially higher.

China’s chamber of commerce in the EU has put a number on the cost of the European Commission’s plan to phase Chinese suppliers out of critical infrastructure, and the number is a large one. A study commissioned by the China Chamber of Commerce to the EU (CCCEU) and conducted by KPMG estimates that forced replacement of Chinese suppliers across 18 critical sectors would cost the bloc €367.8bn ($432.83bn) between 2026 and 2030.

The revised Cybersecurity Act, as we covered when the Commission reissued its Huawei and ZTE recommendation last week, is moving the EU’s existing soft restrictions on Chinese telecoms suppliers towards a binding regime.

The law would extend high-risk-supplier exclusions across 18 sectors of the European economy, including energy, transport, healthcare, banking, digital networks, and the space industry. Components and equipment from designated high-risk suppliers would have to be removed from key infrastructure within 36 months of the rules taking effect, with infringement procedures and possible financial penalties for non-compliance.

The KPMG-conducted study breaks down the projected $432.83bn cost into infrastructure replacement, operational disruption, lost interoperability, and downstream productivity drag. The methodology assumes that current Chinese-supplier penetration across the 18 sectors is replaced over the 2026 to 2030 window at price points reflecting available European, Japanese, and Korean alternatives. The headline cost is, in CCCEU’s framing, a floor rather than a ceiling.

How seriously to take the figure

The provenance of the study matters. The CCCEU is the official chamber representing Chinese commercial interests in the EU, and KPMG was engaged to produce the cost estimate on its behalf. The figure should therefore be read as the upper end of a self-interested advocacy position rather than as an independent cost projection. TNW has tracked the EU’s broader tech-sovereignty push, and the European Commission’s own internal cost analysis, when it eventually publishes, is likely to produce a materially different number.

That said, the order of magnitude is plausible. The European Union Institute for Security Studies has separately flagged the structural difficulty of replacing Chinese legacy chip and telecoms hardware at scale, particularly in sectors where European, Japanese, and Korean alternatives are not yet available at the volumes required. The legacy semiconductor question alone, on the ISS analysis, would account for tens of billions in replacement cost across the period CCCEU has modelled. The wider 18-sector footprint adds infrastructure categories, including grid equipment and rail signalling, where Chinese-supplier penetration is meaningful and the replacement cost is real.

The CCCEU figure lands in a particular moment for EU-China commercial relations. China’s Big Fund is now reported to be in talks to lead a $45bn funding round into DeepSeek, in what has been read as a Beijing-side assertion of frontier AI sovereignty.  The EU is, in 2026, simultaneously navigating its competition agenda, its AI safety framework, and its supply-chain sovereignty push. The Cybersecurity Act revision sits at the intersection of all three.

Beijing’s preferred outcome is unmistakable: a Brussels reconsideration of the proposed binding regime, ideally with carve-outs that keep Chinese suppliers commercially viable in the 18 sectors. The CCCEU study is the public-facing first move in that lobbying effort. Whether it lands depends on whether European member states with the largest absolute exposure, including Germany and Italy, decide that the projected cost is large enough to warrant softening the proposed law.

Three indicators will determine the trajectory of the proposal. The first is the European Commission’s own publication of its impact assessment, which is expected later this year. If the Commission’s number lands meaningfully below CCCEU’s $432bn, the political case for the binding regime survives intact. If it lands closer to the CCCEU number, member states will push for carve-outs and softer transition timelines.

The second is whether Germany, in particular, accepts the proposed 36-month removal window for Huawei equipment in its 5G networks, where the country still has the highest absolute exposure of any EU member. The third is whether Beijing follows the CCCEU study with concrete commercial countermeasures against European exporters, particularly in autos, luxury goods, and machinery.

None of those signals is available yet. What is available is the most detailed cost projection of the binding cybersecurity regime that any party has yet produced. The number is large, the methodology is transparent, and the political context makes the figure relevant regardless of whether the European Commission accepts the projection or not. Brussels will, in the coming months, have to publish its own.