Trends
Fact-checking impact of EC’s Cybersecurity Act, Strand Consult
For many years, Strand Consult has examined the risks associated with telecommunications operators’ use of infrastructure supplied by untrusted vendors, referred to by the European Commission as High-Risk Suppliers. Since the European Commission (EC) launched its review of the Cybersecurity Act (CSA2) earlier this year, numerous media reports have claimed that the proposed requirements to use trusted suppliers will impose significant costs on the telecommunications industry.
National security is increasingly being viewed through the broader lenses of economic security, supply chain security, resilience, technological capability, and sovereignty. As national security becomes a more prominent consideration in economic policymaking, these factors are playing an increasingly important role in competition enforcement, particularly in sectors that authorities routinely assess, including telecommunications, digital infrastructure, advanced technologies, and critical supply chains.
This note references more than eight years of Strand Consult’s empirical research including notes from its security library. It examines the challenges facing the European Union, the reasons why, and the validity of the purpoted high cost estimates. Relatedly Strand Consult presented at OECD Competition Week on the theme of “National Security Considerations in Competition Enforcement – Best Practice.”
Background: What is happening in the European Union?
In January, The European Commission presented its proposal for the revised Cybersecurity Act (CSA2). It introduced an ICT supply chain framework with a regulatory impact assessment estimating compliance costs for mobile operators would range from €3.4 billion to €4.3 billion annually over a three-year period.
Strand Consult’s analysis of the European Commission’s calculations suggests that they are broadly consistent with the experience from countries that have already replaced equipment from High-Risk Suppliers (HRS). Telecommunications operators have transitioned to trusted suppliers in many European countries, including Albania, Belgium, Denmark, Estonia, France, Kosovo, Latvia, Lithuania, Luxembourg, Norway, North Macedonia, Portugal, Romania, Sweden, the United Kingdom, and others.
A key factor in assessing the actual economic impact of CSA2 will be each Member State’s level of exposure to HRS when the regulation is expected to take effect in 2028. At the beginning of 2026, exposure to HRS across the European Union stood at approximately 30%, down from about 45% only a few years earlier. Strand Consult expects this figure to decline further for several reasons:
Poland is expected to implement legislation during 2026 that includes restrictions and phased removal of High-Risk Suppliers. Poland alone could reduce the EU-wide exposure to HRS by approximately five percentage points.
The continued implementation of national 5G Toolbox measures in France, Finland, Portugal, and Romania will further reduce Europe’s exposure to High-Risk Suppliers.
Several Member States do not need to wait for CSA2 because they have already adopted, or are ready to implement, national legislation addressing High-Risk Suppliers. These countries include Croatia, the Czech Republic, Ireland, and Slovenia.
Several late-moving Member States continue to have significant exposure to High-Risk Suppliers. These include Austria (70%), Bulgaria (67%), Germany (58%), Greece (49%), Hungary (65%), Italy (43%), and Spain (24%).
This remaining dependency is concentrated primarily in 5G Radio Access Networks (RAN). By contrast, more than 95% of mobile core networks across the European Union were supplied by trusted vendors at the beginning of 2026. The remaining exposure in core networks is likely to be addressed before CSA2 enters into force.
This research note does not attempt to forecast the exact level of HRS exposure when CSA2 takes effect. However, the developments outlined above suggest that EU-wide exposure is likely to decline to approximately 25% under a conservative scenario and could be closer to 20%. As a result, the actual implementation costs for 5G are likely to be lower than those estimated in the European Commission’s regulatory impact assessment,
In other words, Member States with the highest remaining exposure that have already established national regulatory frameworks can reduce both their dependency on High-Risk Suppliers and the associated economic costs by completing the transition before CSA2 enters into force.
Where is High-Risk Supplier exposure concentrated in Europe?
The remaining exposure to HRS in EU is today concentrated to few EU Member States. There are approximately 100 5G networks in EU, of which at the beginning of 2026, 60 networks were supplied by trusted suppliers (Samsung, Nokia and Ericsson). There are approximately 10 networks, that due to national implementation of 5G toolbox will be with trusted suppliers only by the time CSA 2 comes into effect.
There are approximately 30 networks with between 35–100% of their radio access network (RAN) supplied by high-risk suppliers, not the core network that, has already been upgraded to handle 5G with trusted suppliers. Thies networks are owned and controlled by a limited number of operators across Europe who have made a commercial choice to stick with the High-Risk Suppliers when they decided to upgrade their 4G equipment to 5G using HRS and continue to do so at the beginning of 2026. All these operators should know, based on the decisions taken in the European Commission, and by at least half of EU Member States in connection with the 5G Toolbox, that it was not a wise decision.
A substantial share of the equipment scheduled for replacement over the next five years is concentrated in Germany (Vodafone, O2, and Deutsche Telekom), Italy (Vodafone and Wind Tre), and Spain (MasOrange and Vodafone). Based on Strand Consult’s analysis, combined with figures from the EU’s Regulatory Impact Assessment as well as the underlying figures, these three countries make up over 55% of equipment that must be replaced over the next five years, which also opens up the opportunity to replace the supplier.
Vodafone and Deutsche Telekom (DT) are particularly significant in this context. DT operates across multiple countries with varying levels of exposure to high-risk suppliers, including Germany (58%), Greece (100%), Austria (100%), the Czech Republic (100%), Croatia (50%), and Poland (70%). In addition, its subsidiary T-Systems resells cloud solutions built and operated on Huawei infrastructure. Vodafone is also heavily exposed in several European markets, including 100% reliance on Huawei in the Czech Republic, Greece, Hungary, and Romania, as well as 67% in Spain and 53% in Germany.
Some telecommunications operators have overstated the cost of replacing 5G Radio Access Network (RAN) equipment supplied by HRS with equipment from trusted suppliers. Their public estimates do not always reflect the actual costs observed in markets that have already completed or are implementing supplier transitions.
Germany provides a useful case study. Approximately 58% of the country’s mobile sites—equivalent to around 46,000 sites—still use Huawei 5G RAN equipment. Based on Strand Consult’s research, replacing this equipment with 5G RAN equipment from trusted suppliers would cost approximately €50,000 per site. This results in an estimated total replacement cost of EUR 2.5 billion, distributed approximately as follows: Deutsche Telekom: €1.1 billion, Vodafone Germany: €0.7 billion and Telefónica Germany: €0.7 billion
For comparison, Deutsche Telekom is estimated to invest approximately €300 million annually in RAN infrastructure in Germany. Viewed in this context, replacing all Huawei 5G RAN equipment represents a one-time investment rather than a recurring cost.
Expressed differently, the total replacement cost is equivalent to approximately €29 per German citizen. This perspective provides a useful benchmark when evaluating the economic impact of replacing HRS.
The more important policy question is not only the cost of replacing the equipment, but also the potential cost of maintaining dependence on High-Risk Suppliers. Policymakers must consider the economic and national security consequences if critical 5G infrastructure were disrupted or disabled during a geopolitical crisis. As critical infrastructure becomes increasingly dependent on secure telecommunications networks, the cost of inaction may ultimately exceed the cost of replacing high-risk equipment.
The operator perspective
Operators that adopted the strategy recommended by Strand Consult during the transition from 4G to 5G have avoided costly and disruptive “rip-and-replace” programs. Rather than removing existing equipment from untrusted suppliers immediately, these operators stopped purchasing new equipment from High-Risk Suppliers and replaced legacy equipment with trusted suppliers’ equipment as part of their normal 4G-to-5G network modernization cycle.
This approach has proven both operationally and economically effective. It enables operators to reduce dependency on High-Risk Suppliers while minimizing disruption to network operations and avoiding unnecessary capital expenditure.
It is equally important to note that no country that has introduced restrictions on High-Risk Suppliers has required national mobile operators to undertake an immediate nationwide rip-and-replace program. Instead, governments have generally prohibited new investments in equipment from High-Risk Suppliers while requiring operators to phase out existing equipment over time.
The United States is often cited as an example of a rip-and-replace program, but the comparison is misleading. The U.S. program was narrowly targeted at smaller rural operators and did not apply to nationwide mobile network operators. Consequently, the U.S. experience is not directly comparable to the implementation model proposed under CSA2.
The evidence from Europe demonstrates that operators transitioning to trusted suppliers have generally not experienced higher long-term costs or significant delays in 5G deployment. Denmark provides one of the clearest examples. Before the transition, two of the country’s three nationwide mobile networks—TDC and Hutchison—relied 100% on equipment from untrusted suppliers, serving approximately 62% of Danish mobile subscribers. Both operators successfully migrated to trusted suppliers as part of their network modernization programs without delaying Denmark’s 5G rollout.
These findings are consistent with independent research. A study by the European Centre for International Political Economy (ECIPE), based on GSMA data covering 39 countries, found no evidence that replacing High-Risk Suppliers slows 5G deployment or weakens network performance.
The Danish experience is also reflected in independent network performance measurements. In its June 2026 Network Performance survey covering 29 European countries, OpenSignal ranked Denmark first in Europe. According to the study, Danish users achieved average download speeds of 226 Mbit/s, demonstrating that replacing untrusted suppliers is fully compatible with delivering world-class mobile network performance.
Lessons from supplier transitions: The United Kingdom
The United Kingdom provides one of the most important case studies for assessing the economic and operational impact of restricting High-Risk Suppliers.
By 2020, the UK had accumulated more than 12 years of regulatory experience with Huawei. That year, the UK Government concluded that Huawei should be treated as an untrustworthy supplier and introduced restrictions that applied across all network technologies—not only 5G, but also 2G, 3G, 4G, fixed broadband, and fiber infrastructure. At the time, Strand Consult argued that the European Union would eventually adopt a similarly comprehensive approach by extending restrictions beyond 5G to include 4G and fixed network infrastructure.
The UK decision effectively prevented Huawei from remaining a full-scale infrastructure supplier. This significantly reduced the company’s future commercial opportunities by limiting its ability to offer volume discounts, cross-sell products, and cross-subsidize across multiple product lines. As a result, Huawei’s market share and business opportunities in the UK declined substantially.
To understand the practical implications of the UK decision from an operator’s perspective, it is useful to revisit the investor calls held by BT and Vodafone in January and February 2020.
BT: The cost myth
The transcript of British Telecom’s (BT/EE) investor call on January 30, 2020, provides one of the clearest examples of how operators assessed the financial impact of the UK restrictions.
BT estimated that the Huawei restrictions would cost approximately £100 million per year over five years. Rather than representing an entirely new expense, BT explained that it would bring forward investments that were already planned. Instead of postponing approximately £500 million of network investment, the company would accelerate that expenditure.
The estimated annual impact of £100 million represented approximately 2.4% of BT’s annual capital expenditure on network infrastructure.
Vodafone: What the investor call revealed
The transcript of Vodafone’s investor call on February 5, 2020, offers additional insight into the company’s strategy and expectations.
Vodafone stated:
“This time last year, we decided to pause any further developments of Huawei in the core. We have now decided to replace Huawei in the areas deemed sensitive, i.e., the core, across the EU within 5 years at a cost of approximately €200 million. In the non-sensitive radio access network, Huawei are an important supplier to both Vodafone and the overall industry, reflecting the high-quality technology.”
At the time of this statement, Vodafone had not yet deployed a commercial 5G core network. Consequently, the quoted €200 million largely reflected the normal cost of upgrading its core network to 5G rather than an additional cost created by removing Huawei equipment. In other words, Vodafone would have incurred much of this investment regardless of the supplier.
During the same investor call, Vodafone also stated:
“We are closely engaged with European Governments on the Huawei question and have now committed to remove Huawei from our European core networks. I’m optimistic that regulators and governments are recognizing the need for a fact and risk assessed basis understanding the distinction between sensitive core and non-sensitive RAN. With industry returns at such low point, we simply cannot justify a large acceleration of CapEx to swap out modern 4G networks. So, we would have to delay 5G rollouts for those member states as we re-prioritize our CapEx.”
Vodafone’s distinction between “sensitive core” and “non-sensitive RAN” was not consistent with the approach adopted by many European authorities. For example, Germany’s Bundesnetzagentur includes gNodeBs—the technical term for 5G base stations—within its definition of critical infrastructure, demonstrating that security considerations extend beyond the core network.
At the same time, several European operators—including TDC (Denmark), Telenor (Norway), Telia (Norway), and Proximus (Belgium)—were already replacing equipment from High-Risk Suppliers. None reported significant cost increases or delays attributable to supplier replacement. This raises an important question: why did Vodafone argue in 2020 that replacing Huawei equipment would delay 5G deployment when several other European operators completed similar transitions without reporting comparable problems?
Vodafone’s expectations regarding the EU 5G toolbox
During the same investor call, financial analyst Jakob Bluestone asked:
“Thanks for taking the question. I just had a question on the Huawei and network security issue. You mentioned that there is quite a bit of member state discretion. So I was just wondering if there may be any particular markets that you would call out where there is sort of a greater risk of any incremental CapEx beyond the EUR200 million you flagged for Europe. And specifically for Germany, if you can maybe just remind us where are we on the process on making some sort of a decision there. What are the sort of key dates to watch out for? Thank you.”
Vodafone’s Chief Executive Officer, Nick Read, responded:
“In a way, Jakob, we can’t really call out any country because effectively the European toolbox has just come out and all the European countries, with the exception of a few small countries, have been awaiting that toolbox and therefore we’re engaging with them. Essentially, they have to look at that toolbox and go through and adopt measures by April with a view to show implementation as in that they start to implement the framework in June. So, I think we’re going to be in a lot better position in May to give you a sort of overall summary of where the various countries landed.
What I’d say is, I think we’ve had very active and positive engagement with countries. They are really keen to understand the implications of various scenarios. They are very attuned to wanting 5G deploy quickly. They understand the need to 5G as a key enabler to a digital society. And they know that we could undermine the fantastic manufacturing base we have through Europe if we do not move quickly on 5G. So, they really do understand the importance of getting 5G out and they also understand the operational and financial constraints of the industry as a whole. And I think one of the important things here is the industry is one with its voice with governments, making it clear, it’s the same implication for everyone. And therefore, we are trying to find the right path. We too want then the resilience and balancing over time, but these things take time.”
The transcript demonstrates that Vodafone already understood in early 2020 that the company would eventually have to comply with the EU’s 5G Toolbox. Strand Consult interpreted Nick Read’s comments at the time as an indication that Vodafone hoped to secure financial compensation while simultaneously lobbying against stricter national implementation measures, particularly in countries such as Germany where the company had substantial exposure to Huawei equipment in its RAN.
Taken together, the investor call transcripts suggest that Vodafone’s primary concern in 2020 was to protect profitability and manage capital expenditure, while other European operators placed greater emphasis on reducing national security risks through supplier diversification. Strand Consult notes that this difference in priorities remains relevant when assessing current industry arguments regarding the costs of implementing the European Commission’s proposed Cybersecurity Act (CSA2).
What shareholders should understand before assessing the significance of CSA2
Some telecommunications operators continue to argue that the use of High-Risk Suppliers does not constitute a national security issue. However, governments and national security authorities in an increasing number of countries have reached a different conclusion based on their own risk assessments.
The European Union has conducted some of the most comprehensive assessments of these risks. This work began with the development of the EU 5G Toolbox and has been further strengthened through the preparation of the Cybersecurity Act (CSA2) and the risk assessments carried out under the NIS Cooperation Group.
In practical terms, NATO and European policymakers already understand which countries and operators face structural challenges in providing armed forces and public authorities with communications services based exclusively on trusted suppliers.
Operators that continue to rely on High-Risk Suppliers therefore face two strategic challenges. First, they increase Europe’s exposure to national security risks. Second, they limit their own ability to compete for new commercial opportunities in defense, public safety, and mission-critical communications that increasingly require trusted network infrastructure.
Today, approximately 60 operators across Europe are already positioned to provide the level of trusted infrastructure that future defense and security requirements will demand. These operators have effectively become Europe’s trusted network providers.
Shareholders should also consider whether important customer segments share the same assessment of High-Risk Suppliers as governments and NATO. Large enterprises, critical infrastructure operators, defense forces, and public authorities increasingly evaluate communications providers through the same national security lens adopted by policymakers.
From a shareholder perspective, the relevant question is not only whether operators complied with evolving regulatory expectations, but whether they correctly assessed the long-term commercial risks of maintaining dependence on High-Risk Suppliers. Operators that chose not to align with the direction of government policy may have preserved short-term capital expenditure, but they also increased regulatory risk and potentially limited future revenue opportunities in markets where trusted communications infrastructure is becoming a prerequisite.
Conclusion
In Strand Consult’s assessment, many of the cost estimates presented in the media regarding the economic impact of the European Union’s Cybersecurity Act (CSA2) are significantly overstated. A substantial share of the remaining High-Risk Supplier equipment in Europe is concentrated in three countries—Germany, Spain, and Italy—and primarily affects three operator groups: Deutsche Telekom, Telefónica, and Vodafone.
Germany illustrates the scale of the issue. Based on Strand Consult’s analysis, as well as estimates from other sources, the total cost of replacing High-Risk Supplier equipment is approximately €2.5 billion, of which €1.1 billion relates to Deutsche Telekom, €0.7 billion to Vodafone Germany, and €0.7 billion to Telefónica Germany. Deutsche Telekom alone invests an estimated €300 million annually in RAN infrastructure in Germany. Viewed in this context, the replacement represents a one-time investment equivalent to approximately €29 per German citizen.
Large multinational operators routinely make strategic investment decisions involving significant commercial risk. It is therefore reasonable to assume that these operators understood the implications of choosing not to align fully with the objectives of the EU’s 5G Toolbox when those decisions were made.
The experience of operators that have implemented the EU’s 5G Toolbox demonstrates that replacing High-Risk Suppliers has neither delayed 5G deployment nor significantly increased the long-term cost of network modernization. Denmark, Sweden, and Norway were all major markets for untrusted suppliers, yet they were among Europe’s earliest adopters of 5G and today rank among the continent’s leading countries in terms of 5G network quality and performance.
The United Kingdom provides another important example. For years, operators argued that restricting High-Risk Suppliers would significantly increase costs and delay 5G deployment. However, once the restrictions were implemented, investor call transcripts showed that the actual costs of replacing equipment across both fixed and mobile networks were modest compared with the estimates operators had previously presented.
It is true that the United Kingdom does not rank among Europe’s strongest 5G markets today. However, this outcome is not attributable to restrictions on High-Risk Suppliers. Instead, the UK’s slower rollout primarily reflects a prolonged period of industry consolidation and merger reviews, which delayed network investment and deployment.
Over the past eight years, Strand Consult has published extensive research on the security, economic, and competitive implications of relying on High-Risk Suppliers. That research has consistently challenged many claims made by both certain operators and High-Risk Suppliers regarding the costs and consequences of supplier replacement.
The evidence from Europe is clear. Countries and operators that implemented the EU’s 5G Toolbox have successfully transitioned to trusted suppliers while maintaining competitive 5G deployment and network performance. At the same time, some operators continue to argue that they play a critical role in national security while choosing to retain High-Risk Suppliers in their networks. As national security becomes an increasingly important consideration for governments, regulators, investors, and enterprise customers, that position is becoming progressively more difficult to justify. Strand Consult












You must be logged in to post a comment Login