EU Pushes for Stronger Cybersecurity Oversight: Tech and Geopolitical Implications

By Artor Cara

Introduction:

On the 20th of January 2026, the European Commission announced a new cybersecurity package aimed at strengthening the EU’s resilience and capabilities against rising digital threats. The new package is designed to make the EU’s ICT supply chains more secure.
It introduces a streamlined certification system to ensure technology products are built with cybersecurity standards in place from the outset, while also simplifying compliance with existing EU regulations. Moreover, it is aimed to strengthen the role of the EU Agency for Cybersecurity (ENISA) in helping Member States respond to and manage cyber threats (1).

This initiative clearly displays that the EU is advancing its stance on cybersecurity and is no longer viewing cybersecurity as purely a technical or regulatory issue. Instead, the EU is establishing digital security as a strategic pillar of economic resilience and technological sovereignty. The EU aims to reduce reliance on ICT suppliers from third-countries, which essentially refers to countries outside the EU, where cybersecurity risks could threaten critical infrastructure (2). Overall, this has been met with significant pushback from foreign technology providers, which in turn shows the growing tension between regulatory ambitions and global market dependencies.

This report will focus on analysing the diverse implications of the EU’s new cybersecurity package, particularly focusing on its impact on technology suppliers, European industry and geopolitical dynamics.

Implications for Suppliers:

The EU’s new cybersecurity package is likely to have the most immediate and direct impact on technology firms classified as “high-risk” suppliers, which are major foreign vendors such as Huawei and ZTE, as well as non-EU cloud service providers operating within critical infrastructure sectors.
As shown in the chart above, Huawei alone accounted for the largest share, 31 % of the global telecom equipment market in 2025, while ZTE represented 10 %. This equates to 41 % of the market being held by suppliers most exposed to potential regulatory restrictions. The large market presence of these companies in turn helps explain why Huawei responded almost immediately with criticism following the announcement of the EU’s new cybersecurity package. Huawei criticised the EU’s proposal of a new cybersecurity package, arguing that excluding suppliers based on country of origin rather than technical standards breaches principles of fairness and WTO obligations, and said it would monitor the legislative process to protect its interests (4). From an analytical perspective, EU’s new package creates both operational and reputational risks for suppliers such as Huawei.

In regards of the operational aspect, vendor companies may face contract disruptions as EU operators review their supply chains to comply with the new certification requirements. This can potentially delay ongoing deployments and increase compliance costs. Furthermore, there is an uncertainty around which products will meet EU standards, which thus adds complexity to project planning, particularly for high-value infrastructure contracts. From a reputational standpoint, being designated as a “high-risk” supplier can affect the global market perception of the company. Being seen as a high-risk supplier could lead to hesitancy from potential clients and allied countries when awarding contracts, while also attracting increased scrutiny from regulators.

As a result of the operational and reputational pressures on high-risk suppliers, the competitive landscape is likely to shift. This could create opportunities for European technology firms to grow their market share and play a stronger role in critical infrastructure.

Implications for EU Tech Industry:
The EU’s new cybersecurity package presents the EU tech industry with both challenges and opportunities.

The cybersecurity package will likely limit the participation of certain foreign suppliers in future infrastructure projects due to the stricter cybersecurity requirements. Consequently, EU-based companies such as Nokia and Ericsson, which together held 25% of the global telecom equipment market in 2025, can benefit from a reduction in competition within the European market. This shift can therefore result in EU operators to prioritise conducting business with domestic or lower-risk suppliers within the EU in order to minimise risks and maintain regulatory certainty. Engaging with more domestic suppliers over time can in turn gradually cause a shift in market dynamics in favour of European companies. Ultimately, this will strengthen the EU’s technological autonomy.

In addition to the change in market share distribution, the cybersecurity package will prompt organisations to rely more on specialised companies to help implement security measures and manage certification processes. Thus, the cybersecurity package will likely drive demand and thereby growth in sectors such as: cybersecurity services, compliance and supply chain risk management. Ultimately, this could lead to an increase in job creation and broader economic growth across the EU.

However, while the regulatory framework may provide short-term advantages for European suppliers, it can also raise operational costs due to the stricter certification and compliance obligations. Smaller companies, in particular, may struggle to meet these requirements without sufficient resources or institutional support. Despite this, in the broader picture, the cybersecurity package helps the EU tech industry to strengthen its resilience and competitiveness while reducing reliance on high-risk foreign suppliers. Overall, in the long term, the new cybersecurity package will greatly aid the EU in achieving its goals of digital sovereignty and greater economic security.

Geopolitical Implications:
Beyond the economic and industrial affects, the EU’s new cybersecurity package also produces broader implications for global politics.

Several European countries have taken steps to restrict or phase out high-risk Chinese technology suppliers from their telecommunications infrastructure. Germany, for example, proposed in September 2023 that telecom operators remove critical components produced by Huawei and ZTE from core 5G networks by 2026, citing security concerns. Moreover, France has pursued a gradual phase-out by refusing to renew licences for Huawei equipment. EU countries such as Estonia, Denmark, and Lithuania have introduced legislation or security frameworks which were aimed at limiting the involvement of Chinese vendors in digital infrastructure (5).
These individual national measures in turn show how that in recent years European countries are starting to recognise the strategic risks of foreign tech dependency.

Hence, the EU’s new cybersecurity package therefore displays a collective attempt to reduce dependency on high-risk foreign technology and in turn presents a unified European stance within the wider geopolitical competition over digital infrastructure.
However, the new cybersecurity package was met immediately by China, who criticised the move. Chinese Foreign Ministry spokesperson Guo Jiakun said that restricting companies without clear technical evidence undermines fair competition and turns normal economic cooperation into political and security issues (6).

It is apparent that the EU’s new cybersecurity package has already contributed to tensions between Brussels and Beijing, thus portraying the immediate impact of technology regulation on diplomatic relations. China’s criticism shows how cybersecurity measures are often seen as political signals and not just technical regulations. Consequently, this perception has already eroded trust and cooperation between the EU and China.

Furthermore, the cybersecurity package aligns the EU more closely with prior USA actions whereby, in 2022, the USA, under the Biden administration, banned the approvals of new telecommunications equipment from China’s Huawei and ZTE due to them posing as ‘an unacceptable risk” to US national security (7). Overall, the EU’s stance signals a growing alignment with the US approach to managing high-risk suppliers and thus reinforces a transatlantic consensus on digital security. By mirroring the USA’s approach, the EU is signalling its determination to limit reliance on Chinese technology, which in turn further isolates Chinese tech firms and heightens tensions between China and the West.

Conclusion:

The EU’s new security package could substantially reshape Europe’s tech sector. By relying more on domestic or low-risk suppliers the EU can limit exposure to foreign political influence and encourage innovation in security-focused industries. Simultaneously, this approach may influence global politics and strengthen transatlantic coordination on tech regulation. However, it can also increase tensions between the EU and China.

Ultimately, the EU’s announcement of a new focused cybersecurity package shows that cybersecurity policy is now closely linked to economic and strategic goals. If implemented well, the cybersecurity package could make the EU a leader in secure digital infrastructure and can enable them to influence global technology dynamics. If it is not implemented effectively, the cybersecurity package could potentially leave security gaps and hurt the competitiveness of European companies. It might also create unnecessary geopolitical tensions and strain relations with foreign partners. This could result in a reduction in trust in EU regulations and limiting the strategic and economic benefits the cybersecurity package is meant to deliver.

Reference:

(1) EU Commission (2026a)
(2) EU Commission (2026b)
(3) Dell’Oro Group (2025)
(4) Reuters (2026)
(5) Reuters (2023)
(6) Global Times (2026)
(7) The Guardian (2022).