Brussels reissues its Huawei warning, six years on, and prepares to make it stick


The European Commission has formally recommended that member states keep Huawei and ZTE out of their connectivity infrastructure. The same restrictions are now moving toward becoming legally binding. China has already threatened to retaliate.


When the European Commission first asked its member states to keep Huawei and ZTE out of their 5G networks, in the 2020 5G Cybersecurity Toolbox, it did so as a recommendation. Six years later, on 4 May 2026, the Commission did roughly the same thing again.

Reuters reported that Brussels has formally recommended its 27 member states not use the two Chinese vendors’ equipment in their connectivity infrastructure, broadening the original ask beyond mobile networks to the wider stack of telecoms and digital plumbing on which the Union depends.

If that sounds like the Commission is repeating itself, it is, but with a deliberate purpose. Monday’s recommendation is the public-facing companion to a much harder structural shift.

The same restrictions are now moving, through a draft cybersecurity law presented in January, toward becoming legally binding obligations on member states with infringement procedures attached. The voluntary phase, by Brussels’s own admission, did not work.

What the recommendation actually says, and what it does not

The Commission’s 4 May text reaffirms its longstanding position that Huawei and ZTE pose risks materially higher than other suppliers in the EU’s connectivity layer, and instructs member-state governments and telecoms operators not to use their equipment in critical network infrastructure.

The recommendation, as published, is non-binding. National regulators retain formal authority over their own procurement decisions. Member states that wish to continue using the two vendors are not, in narrow legal terms, prevented from doing so.

What has changed is that the recommendation is no longer the Commission’s main lever. On 20 January 2026, Henna Virkkunen, the EU’s Executive Vice-President for Tech Sovereignty, presented a cybersecurity package designed precisely to convert the soft instrument into a hard one.

Under the proposed law, components from designated high-risk suppliers would have to be removed from key network infrastructure within 36 months of the rules taking effect; member states ignoring the obligation would face infringement procedures and possible financial penalties.

“It didn’t work on a voluntary basis,” Virkkunen said at the time, in a remark widely reproduced by Euronews and CNBC.

Monday’s recommendation, in that context, is best read as a holding pattern: a reaffirmation of the underlying policy direction while the legislative apparatus that will actually impose it works through co-decision.

Why the voluntary phase did not work

Numbers help. By Euronews’s count, as of February 2024, only 11 of the EU’s then-27 member states had taken concrete 5G security measures targeting Huawei and ZTE. By the time the Commission’s January 2026 package was unveiled, that figure had moved to 13.

In other words, after six years of steady regulatory pressure, slightly fewer than half of the member states had acted on the recommendation that has now been re-recommended.

The reasons are partly economic and partly political. Germany, the EU’s largest market, was the most visible holdout: Huawei equipment was estimated to be in approximately 60 per cent of German 5G sites as recently as late 2024, and the cost and complexity of replacing it has, until now, been treated by Berlin as a slower, locally driven process. Several Eastern European member states have been similarly reluctant.

The Commission’s frustration with that pattern is, by all accounts, the proximate political cause of the legislative push.

Member states with strong domestic vendors (France with Nokia’s Alcatel-Lucent, and Sweden with Ericsson) have been more aligned with Brussels’s position from the start. Sweden, in particular, banned Huawei and ZTE from its 5G network back in October 2020.

The downstream consequence was instructive: Ericsson’s China revenue fell 46 per cent the year after the Swedish ban, and the company has not since recovered that business. Capitals reading the Commission’s draft law are aware of that history.

What the connectivity-infrastructure framing adds

Until now, the Commission’s primary focus has been mobile networks: 5G core, radio access, the equipment that determines how citizens connect.

Monday’s recommendation broadens the language to “connectivity infrastructure” generally, and the Commission has signalled that the eventual binding regime will extend to fixed networks, fibre-optic and submarine cables, and satellite networks. Phase-out periods for those categories will be announced later.

The submarine-cable extension is, in some ways, the most strategically consequential. We wrote on the geopolitical tension building around undersea cable infrastructure, which carries the bulk of the EU’s intercontinental internet traffic and has, in recent years, become a focus of suspected sabotage incidents in the Baltic and the Red Sea. Excluding high-risk suppliers from that layer of the stack is a different kind of project from excluding them from a base station. It is also, by most expert accounts, more urgent.

China’s reaction was characteristically firm. Beijing has called the cybersecurity package “discriminatory” and threatened to retaliate against European companies operating in the Chinese market. We wrote earlier this year on China’s broader pattern of retaliatory threats against the EU, and the May 4 statement from Beijing repeats the same playbook.

The threat carries weight because the EU’s exposure to Chinese countermeasures is asymmetric. Major European industrial groups, particularly in autos, luxury goods, and machinery, depend on the Chinese market in ways that China’s small exposure to the EU does not match. Brussels knows this. So does Beijing.

Whether the threat actually changes the legislative trajectory is another matter. The Commission’s January package is now in the hands of the European Parliament and the Council.

Member states with the most to lose from Chinese retaliation, Germany above all, have leverage in those negotiations. But the political cost of rolling back the cybersecurity push, after six years of public commitment to it, would be unusually high.

The wider tech-sovereignty arc

Monday’s recommendation also fits a broader European pattern that has been visible across the past 12 months. TNW has covered the EU’s €180m sovereign cloud awards, France’s directive that government ministries migrate from Windows to Linux, and the EU’s renewed focus on digital sovereignty under both the Cybersecurity Act and the AI Act.

The Huawei/ZTE recommendation is one of the most concrete and enforceable elements of that arc, in the sense that telecoms equipment is a relatively well-defined category and its exclusion can be measured.

It also sits inside a larger strategic question Brussels has been forced to confront more openly in 2026 than ever before. China’s Digital Silk Road, which has built telecommunications, data-centre, and submarine-cable infrastructure across more than a dozen Belt-and-Road countries with terms favourable to Beijing’s data-sovereignty interests, is a direct counterpart to the EU’s effort to disentangle its own infrastructure from Chinese vendors.

The two arcs, sovereignty in Brussels and sovereignty in Beijing, are now visibly working against each other.

What happens next?

Three things will indicate whether Monday’s recommendation is more than rhetorical. The first is the legislative timeline: how quickly the European Parliament and Council move the January 2026 cybersecurity package toward a vote, and whether the 36-month phase-out period survives that process intact.

The second is German political will: Berlin’s revised position, in particular on the percentage of its 5G estate currently supplied by Huawei, will be the single most visible test of whether the binding regime can actually be implemented at scale.

The third is the response from operators that have, until now, been quiet, particularly in Italy and Spain, where Huawei’s market share has been substantial and public re-procurement has been politically inconvenient.

The Commission has, on Monday, repeated itself deliberately. The recommendation is not new. Its legal force is not new.

The policy backdrop, however, has shifted: a mandatory regime is now drafted, China has been explicit about countermeasures, and the EU’s wider tech-sovereignty push has lent the question additional political weight.

None of which solves the underlying problem of how to remove tens of billions of euros’ worth of installed equipment from networks that European citizens use every day. It does, however, make clear that the question is no longer whether to do so, but how, and on what timetable.
