Photo: VCG

Recently, the Chinese Ministry of Commerce formally submitted its comments to the European Commission regarding the draft revision of the EU's Cybersecurity Act, expressing China's serious concerns. The draft would exclude listed countries and suppliers from relevant EU supply chains across 18 sectors. On the surface, it flies the banner of "security," but in reality, it introduces a highly politicized and subjective "non-technical risk" assessment mechanism, while also packaging geopolitical considerations and a broad securitization mindset into the framework. China believes this represents a classic example of politicizing trade and economic issues while overstretching the concept of security. This assessment hits the nail on the head.

Cybersecurity is a common concern for the globe, and the EU's desire to protect its own cybersecurity is understandable. However, as pointed out by the Chinese side, the draft contains multiple serious problems. 

First, it is suspected of violating core WTO principles, such as Most-Favored-Nation treatment and National Treatment. It breaches multiple multilateral trade agreements and contravenes the EU's commitments under its services trade schedule. One of the basic WTO principles is the principle of non-discrimination, which fundamentally prohibits contracting parties from treating specific enterprises or products differently based on their country of origin. The draft, however, seeks to comprehensively and fully exclude companies of certain countries from the EU market across the entire supply chain. This constitutes an overt challenge to multilateral trading rules.

Second, the draft is suspected of going beyond the European Commission's legal authority and encroaching upon the exclusive competence of EU member states in managing national security affairs. Safeguarding national security is the responsibility of individual EU member states. 

Yet the Commission is attempting, through this draft, to centralize the power to assess cybersecurity risks in Brussels and impose uniform restrictive measures on member states through a one-size-fits-all directive. This represents an abuse of the powers of European economic integration, transforming the EU from a market regulator into a "geopolitical arbiter."

Third, it will cause substantial harm to China-EU economic and trade relations, deliver a severe blow to global production and supply chains, and inevitably hinder the EU's own digital and green transformation processes. Although the draft text does not explicitly name any country or company, the criteria are widely seen as tailor-made for Chinese technology firms. The 18 sectors include energy, transport, information and communications technology, and others. It would be unrealistic for the EU to fully exclude China from the entire supply chain. For example, the EU has a huge demand for imports of green energy products from China. If it forcibly excludes this mature, cost-effective and technologically advanced supply chain, it will ultimately harm its own competitiveness.

Chinese companies have operated in the European market for many years, strictly complying with local laws and regulations. They have never compromised the national security of any European country, but have also been writing a story of "win-win" cooperation - this is an indisputable fact. As for where the EU's real security risks come from, there are several well-known cases. For example, the 2013 "PRISM" surveillance scandal exposed by Edward Snowden, and reports in 2021 by Danish media revealing that intelligence agencies from a certain country eavesdropped on European leaders through Denmark's undersea internet cables. While Europe's communication security repeatedly faces systematic threats from other countries, the EU chooses to target Chinese companies that have never been involved in similar scandals. This misplaced logic is truly baffling.

When shutting the door on China, can the EU's cyberspace truly become more secure? The answer is self-evident. A recent report released by the Brussels-based Future of Technology Institute shows that national security systems in 23 of the 28 countries studied seem to rely on US tech, and 16 of 28 national defense agencies or ministries are at high risk to a potential US "kill switch." In other words, it is not China that has the ability to unilaterally cut off critical cloud services at any time. If we're talking about "excessive reliance," the EU may have picked the wrong target.

We call on the EU to abandon the zero-sum game mentality of the Cold War, stop the wrong practices of politicizing, weaponizing, and securitizing economic, technological, and trade issues, and return to the right path of abiding by international rules, respecting market laws, and resolving concerns through dialogue and consultation. 

The EU should seriously consider China's constructive suggestions: remove provisions related to "countries posing cybersecurity concerns" and "non-technical risks," and delete or substantially revise the criteria for identifying "high-risk suppliers" and the related restrictive measures. If the EU insists on enacting the Cybersecurity Act as is and treats Chinese companies discriminatorily, China will have no choice but to take corresponding countermeasures.

An open Europe serves China's interests, and a developing China offers great opportunities for Europe. The EU has greatly benefited from globalization and should deeply understand the true meaning of win-win cooperation. Engaging in protectionism under the guise of security will ultimately harm its own competitiveness, its own consumers, and its own transformation process. 

Hopefully the EU won't underestimate China's firm resolve to safeguard its national interests and the legitimate rights and interests of its enterprises, nor underestimate the cost of taking detours and wrong paths.