Cullen International’s latest benchmarks on national frameworks addressing security concerns associated with high-risk suppliers (HRS) survey:

• The scope of the frameworks, whether limited to 5G networks or also extending to other telecoms networks or critical sectors.
• The measures implemented to restrict or ban HRS in 5G networks, including concrete restrictions in practice.

The Benchmarks cover the 27 EU Member States, as well as Norway, Switzerland and the UK.

All countries have established national frameworks for HRS, except for Bulgaria, Greece, Hungary and Switzerland. In Croatia, a framework has been proposed.

As part of the proposed Cybersecurity Act 2 (CSA2), in January 2026, the European Commission proposed a mechanism at EU level to designate and restrict the use of ICT components from high-risk suppliers (HRS) in critical sectors. 

For mobile communication networks, the draft CSA2 sets out concrete measures targeting the use of ICT components from HRS in key 5G network assets (e.g. the core network), requiring their phase-out within three years of the Commission designating an HRS.

Sectors in scope

In most countries observed, the frameworks are not limited to 5G networks.

In five countries, the frameworks also extend to critical sectors falling under the Directive on measures for a high common level of cybersecurity across the EU (NIS2).

The Czech Republic (e.g. electronic communications networks) and Italy (e.g. cloud) include only NIS2 sectors considered strategic, whereas Germany covers those NIS2 entities identified as critical. In Poland and Slovakia, the security frameworks apply to all NIS2 sectors.

Moreover, in ten countries national frameworks apply more broadly to all network generations (e.g. 4G).

Restrictions in 5G networks

The vast majority of European countries have proposed or adopted a framework for potentially restricting HRS. However, Cullen International has only identified ten countries (nine of which in the EU) that are, in practice, restricting the use of equipment from certain vendors, namely Huawei and ZTE.

Belgium is the only country where, while no bans on HRS were identified, a specific timeline was established for MNOs to remove HRS equipment. 

Concrete timelines for the removal of HRS equipment were identified in Belgium, Denmark, Estonia, France, Germany, Portugal, Romania, Sweden and the UK. In other countries, minimum or maximum deadlines were set in the event that HRS are designated.

Additionally, in Croatia, Denmark, Finland, France and the Netherlands, it is explicitly foreseen that MNOs required to remove HRS equipment may request state compensation.

For more information and access to the benchmarks, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.