(Yicai) May 7 -- If the European Union’s proposed revision of the Cybersecurity Act is adopted, resulting in the mandatory replacement of Chinese suppliers in 18 critical sectors, the cost to the bloc could amount to EUR367.8 billion (USD433 billion) over five years, according to a new report.

The proposed new rules, known as CSA2, would cause direct losses of EUR146.2 billion from hardware replacement, dismantling costs, and asset writedowns, according to the report jointly released yesterday by the China Chamber of Commerce to the EU and accounting giant KPMG.

Social losses, including efficiency drops and delayed digitalization, could top EUR103 billion, system reconstruction and resource losses may reach EUR80.9 billion, and legal costs related to dispute resolution, recertification, and compliance could exceed EUR36.8 billion, the report said.

The European Council, which brings together the EU’s national leaders to set the bloc's overall political direction and priorities, introduced the Cybersecurity Act in December 2024 to strengthen the EU’s ability to resist cyber threats. This January, the European Commission, the EU’s executive, proposed revising the law to exclude “high-risk suppliers” from 18 critical sectors, including energy, telecoms, and transportation.

“The criteria for identifying so-called 'high-risk suppliers' appear to be politically targeted," said Liu Jiandong, chairman of the Brussels-based CCCEU. “This approach politicizes commercial decision-making and runs counter to the EU's own principles of equality and non-discrimination.

"We firmly oppose a one-size-fits-all, mandatory exclusion policy," Liu stressed. "Rational dialogue, not security-driven decoupling, should guide cooperation between China and the EU in key industries." 

Energy and telecoms, two foundational pillars of the EU's green and digital transitions, would bear nearly 40 percent of the losses and logistics and manufacturing 31 percent, with other segments, including financial infrastructure, health, and public services, bearing the rest, according to the report.

Germany would face the biggest hit at EUR171 billion, followed by France at EUR46 billion and Italy at EUR37 billion. Spain, Poland, and the Netherlands would also see over EUR10 billion in losses.

The impact of CSA2 would gradually intensify and fully materialize after 2028 as the rules take effect, the report noted. A loss of EUR39.1 billion would occur this year and EUR55.1 billion next year, jumping to EUR93 billion in 2028, EUR91 billion in 2029, and EUR89.6 billion in 2030.

Over recent decades, China and the EU have formed deep industrial ties in green transition, digital infrastructure, smart manufacturing, and energy efficiency, the report said, adding that these links have supported the EU’s goals of economic competitiveness, digital transformation, and the green transition, and added that there is no substantiated evidence that Chinese firms have violated EU cybersecurity rules.

The report called on EU institutions to return to technological neutrality, evidence-based regulation, proportionality, and non-discrimination. The EU should reject political screening, stop advancing mandatory exclusion based on country of origin, and return to international standards for cybersecurity governance, it noted.

Editors: Dou Shicong, Martin Kadiev