Proposals circulating in Brussels to remove components and equipment supplied by firms designated as "high-risk" from critical infrastructure could carry a heavy price tag for the European Union, according to an analysis commissioned by a Chinese business group.
The study, conducted by KPMG for China’s Chamber of Commerce to the EU (CCCEU), calculates the cost of forced replacement of Chinese suppliers across 18 critical sectors at 367.8 billion euros, equivalent to $432.83 billion, for the period 2026 through 2030. Broadly summarized in public comments from the CCCEU, the headline figure has also been expressed as more than $400 billion over the next five years.
Under the draft cybersecurity rules, the EU would seek to phase out hardware and other equipment from suppliers it classifies as posing elevated cybersecurity risks. The KPMG analysis says costs would include replacing physical hardware, writing down assets that become unusable, and coping with lower operational efficiency and delayed digitalisation in affected systems.
According to the report, the energy and telecommunications sectors would bear some of the heaviest burdens - both sectors central to the EU’s planned transitions to cleaner power and expanded digital services. The analysis also highlights that six member states would see losses exceeding 10 billion euros: Germany, France, Italy, Spain, Poland and the Netherlands. Germany’s estimated bill is singled out at 170.8 billion euros, nearly half of the total figure cited.
The proposals have drawn direct critique from affected vendors. China’s telecoms company Huawei has been identified among firms likely to be impacted, and Beijing has publicly called for the removal of clauses in the draft rules that define "countries posing cybersecurity concerns" and the meaning of "high risk." Chinese authorities last week warned that countermeasures against the EU could follow if the legislation is not substantially revised.
For its part, the European Commission has moved to limit use of EU funds in certain contexts; on Monday it recommended constraints on projects involving power inverters from suppliers designated as "high-risk," citing a theoretical risk of a remote shutdown of a member state’s electricity networks.
At present the new cybersecurity regulation is at the early stages of the EU legislative process, with member-state governments and the European Parliament debating amendments that could alter the final scope and obligations. The CCCEU study assumes a forced replacement scenario as its baseline and quantifies the associated direct and indirect costs under that premise.
The estimates published in the KPMG report present a quantified view of the potential economic consequences of sweeping supplier restrictions. How those calculations will interact with ongoing legislative negotiations in Brussels remains uncertain, and the eventual legal text may reduce, increase or otherwise change the pathways of cost identified by the analysis.