Merkel’s decision on Huawei creates a dilemma for the EU
In a setback to EU unity and technological sovereignty, on October 15 Berlin published its draft 5G security guidelines. Prepared by the Federal Office for Information Security (BSI), the document could open the way for Chinese suppliers Huawei and ZTE to build the critical information infrastructure of Europe’s largest economy.
The guidelines come just days after the European Commission and the European Agency for Cybersecurity released the long-awaited results of EU Member States’ coordinated risk assessment of 5G networks security. The report recognizes that the threat landscape of mobile networks is poised to become immensely complex and that the security and resilience of 5G networks will rest on (geo)political as much as technical factors. A non-binding toolbox of mitigating measures to address the risks at national and EU level is expected by year-end.
While not citing China by name, the Commission’s report could hardly be more explicit in underlining the vulnerabilities arising from Huawei’s and ZTE’s involvement in Europe’s 5G networks. “The likelihood of the supplier being subject to interference from a non-EU country” affects its risk profile, the report observes. The supplier’s state links corporate ownership, and the jurisdiction in which it operates – especially “where there are no legislative or democratic checks and balances in place” – all matter in determining whether interference may occur.
By contrast, the German government has de facto neglected political risks in its assessment of 5G network security, reducing it to a technical matter. The decision to drop a clause that would have prevented Huawei from supplying components for Germany’s fifth-generation cellular networks, which reportedly came from Chancellor Merkel herself, sends an important signal not only to other Member States but also to the EU’s allies. Large German companies heavily depend on the Chinese market and Berlin has once again demonstrated its determination to put its short-term business interests before Europe’s security and technological autonomy.
Within Germany, the move has already met with resistance. A group of parliamentarians led by Foreign Affairs Committee chairman and CDU member Norbert Röttgen strongly opposed it and called for the Parliament to intervene. The guidelines require firms like Huawei only to sign a self-declaration of trustworthiness with carriers. Critics consider that asking Chinese vendors to provide written assurance of their own reliability, when Chinese law explicitly limits their ability to reject CCP interference, is a rather poor choice.
Quite apart from exposing the country to a heightened risk of hacks and crippling Brussels’ efforts to craft a truly European China policy, by allowing subsidized Chinese vendors into its market, Germany is putting European competitors at a disadvantage. This contrasts sharply with the latest moves by the US to lobby European countries to ban Huawei – Washington is considering providing European firms Ericsson and Nokia with financial support to help them compete with Huawei.
The lack of EU competence on the issue of 5G cybersecurity means that Member States will have the final say over the technology chosen by their carriers, unless they agree to give more power to the Commission. And EU countries continue to diverge in their positions on China and their appreciation of the geopolitical and security risks associated with it. For instance, while Italy broadened the government’s powers to scrutinize 5G supply deals involving non-EU vendors’ equipment and Poland signed an agreement with the US in a bid to limit Huawei's influence in the region, others are wary of making decisions that might irritate the Chinese Communist Party.
“The European Commission’s coordinated risk assessment report may be non-binding, but those who criticize it for this fail to appreciate the amount of political effort and coordination which went into such document,” says Rebecca Arcesati, junior analyst at MERICS. “Its keen awareness of the non-technical, political determinants of 5G cybersecurity could have laid the foundations for an aligned approach across the EU; sadly, Berlin’s fear of irritating Beijing has just made that alignment more difficult.”
MERICS analysis: Merkel’s China challenge – signaling distance and conditional engagement. Blogpost by Mikko Huotari.