European critical infrastructure still struggles with Chinese ICT vendors

Five years after the height of debates on banning Huawei from European 5G infrastructure, Spain has quietly handed the Chinese tech giant a contract to store and manage police wiretaps, the legal interceptions of communications ordered by Spanish judges. For €12.3 million, Huawei’s OceanStor servers will now store some of the country’s most sensitive law enforcement and intelligence data.

This decision, made under Prime Minister Pedro Sanchez, flies in the face of much of Europe’s approach to telecoms security and Chinese technology vendors. EU member states (including Spain) and Britain have committed to removing Huawei from sensitive 5G telecoms infrastructure, citing the company’s close ties to the Chinese Communist Party. Despite this, Spain continues to integrate Huawei into a core component of its national security apparatus. This latest contract builds on a longstanding relationship between Huawei and Spain’s legal intercept systems which stretches back to 2004.

Lawful intercept platforms are attractive targets for foreign intelligence agencies, because they support counterintelligence operations. Indeed, in 2024, US lawful intercept platforms were apparently targeted by Salt Typhoon, a Chinese cyber espionage unit, albeit unsuccessfully.

In this case, the task of obtaining legal intercept data from Spain (and by extension, countries it has intelligence-sharing partnerships with) could potentially be more straightforward for Chinese intelligence. In China, corporate autonomy of tech companies has clear limits. Under China’s National Intelligence Law of 2017, as well as data security and cybersecurity laws, Chinese companies, public or private, can be legally compelled to support state intelligence activities at home or abroad, and to do so in secret. This statutory framework creates a systemic risk, regardless of any given company’s intentions or public assurances. When a Chinese tech firm handles sensitive foreign data, the risk isn’t just hypothetical; it’s written into law.

The decision to award Huawei a new contract highlights several inconsistencies and challenges for creating a cross-European approach to managing high-risk Chinese vendors in critical national infrastructure.

First, it is a reminder that Europe is not united when it comes to de-risking sensitive technology stacks. Although Spain has continued to implement the EU’s 5G Security Toolbox and taken steps to remove Chinese vendors from its 5G networks, it has also welcomed Chinese investment in such strategic sectors as electric vehicles and renewable energy, including the Chery-Ebro joint venture and a US$1 billion hydrogen project with Envision. Huawei also remains a significant partner for digital transformation initiatives in Spain’s public sector. The result is a cautious, often accommodating stance toward Chinese technology suppliers. Madrid prefers to manage risks through regulatory frameworks and compliance rather than outright bans, unless the EU forces the issue. This approach is unlikely to change without a recalibration of the Spanish government’s threat perception of China.

The case is also likely to reopen old debates about telecoms security in Europe. The discussion on how to manage the risks posed by Chinese ICT vendors is not a new one. The 2020 debates on the potential ban of Huawei from 5G infrastructure split European states into different camps, ranging from Britain's ban on buying any new Huawei equipment and its requirement to remove all Huawei components by 2027 to Germany’s initial reluctance to ban Chinese components.

The implementation of the EU’s 5G Security Toolbox is slow and inconsistent. To date, only 10 member states have fully implemented it, with four members—Austria, Bulgaria, Hungary and Cyprus—apparently having no plans to implement the toolbox. New data from early 2025 suggests Cyprus’s 5G networks, for example, are fully dependent on Chinese components.

In January, Henna Virkkunen, the EU Commission’s executive vice-president for tech sovereignty, security and democracy, emphasised that ‘the current situation with regards to the 5G Toolbox implementation by Member States is not satisfactory.’ Europe’s inconsistency on telecoms security is likely to persist to at least some extent while it remains divided on the threat posed by Chinese vendors and while sovereign alternatives remain more expensive.

The gap between ambition and reality is a recurring theme in Europe’s efforts to manage cyber risk. Through the NIS2 Directive, the EU has legislated to increase cyber security standards in critical national infrastructure. As with the 5G toolbox, implementation of the directive at the national level (through cybersecurity measures on a wider scope of businesses and organisations) is also patchy. In many countries, including in large economies such as Germany, draft proposals are still making their way through the respective legislative processes.

Spain’s decision to continue to allow Huawei to support an important aspect of its national security apparatus emphasises the need to move beyond 5G risk management and create a cross-European approach to designate and remove high-risk vendors. Recent reporting by Politico suggests that the EU intends to do just that by creating an ICT Supply Chain Toolbox. At the same time, implementing another toolbox still leaves European technology supply chains vulnerable to the same patchy implementation that has beset the 5G toolbox and other cyber security initiatives. A coherent approach will require bringing more member states along on the journey and enacting legally binding regulation as supported by a small group of EU parliamentarians.