CCCEU-KPMG report quantifies cost of EU's proposed cybersecurity overhaul

Energy (€79.9bn) and telecoms (€57.4bn) losses risk undermining the EU's twin transitions

Germany would bear nearly half of burden, followed by France and Italy

CCCEU calls for technology-neutral rules instead of origin-based supplier bans

BRUSSELS — May 6, 2026

The China Chamber of Commerce to the EU (CCCEU) and KPMG have issued a joint report warning that the EU's proposed revision of the Cybersecurity Act could carry a price tag of nearly €367.8 billion if it forces the replacement of Chinese suppliers across 18 critical sectors.

The proposed rules, known as CSA2, would introduce supplier restrictions based on country of origin rather than technical risk assessment. The report, titled "A Huge Cost of 'Guardrails': Security or Blockade? Economic Impact Assessment of EU CSA2 Proposal and the CCCEU Position Paper," estimates cumulative economic losses of €367.8 billion over five years for EU member states — equivalent to nearly two full years of the EU's annual budget — if mandatory replacement is enforced across sectors including energy, telecoms, manufacturing and financial infrastructure.

Liu Jiandong, Chairman of CCCEU, said the impact of CSA2 could extend far beyond the ICT sector, affecting energy, telecommunications and industrial manufacturing — all of which rely on secure, interoperable and continuously upgraded digital systems.

"The criteria for identifying so-called 'high-risk suppliers' appear to be politically targeted," Liu said. "This approach politicises commercial decision-making and runs counter to the EU's own principles of equality and non-discrimination."

He warned that the proposal could damage the EU's digital competitiveness and economic security. "We firmly oppose a one-size-fits-all, mandatory exclusion policy. Rational dialogue, not security-driven decoupling, should guide cooperation between China and the EU in key industries."

Behind the €367.8bn figure: energy and telecoms together account for nearly 40% of losses

The report breaks down the €367.8 billion total into four categories.

Direct losses — from replacing hardware, dismantling and asset write-downs — would account for the largest share: 40%, or €146.2 billion. Social losses, including efficiency drops and delayed digitalisation, would reach 28% (€102.1 billion). Indirect losses - from system reconstruction and resource reallocation - would follow at 22% (€81.5 billion), and legal costs related to dispute resolution, recertification and compliance at 10% (€38.1 billion).

The 18 affected sectors are grouped into six segments: energy, telecommunications, financial infrastructure, logistics and manufacturing, public services, and health and research.

Energy and telecommunications - the foundational pillars of the EU's twin green and digital transitions -  together would bear nearly 40% of the total economic loss — €79.9 billion for energy (€25.5 billion in direct costs) and €57.4 billion for telecoms (€27.6 billion in direct costs).

Logistics and manufacturing would bear 31% of the total shock, with losses of €114.6 billion.

Other segments include financial infrastructure (€49.9 billion), health and research (€33.8 billion), and public services (€32.2 billion).

The report stresses that the impact of mandatory supplier replacement would not be confined to telecommunications equipment, but would spread through network systems, supply-chain coordination, public services, financial infrastructure, and research and innovation systems, creating cross-sector and cross-departmental costs.

Most losses would hit after 2028 as rules take effect

While the €367.8 billion figure represents the cumulative five-year total, the report projects a sharp rise in annual losses: €39.1 billion in 2026, €55.1 billion in 2027, jumping to €93 billion in 2028, then €91 billion in 2029 and €89.6 billion in 2030.

The pattern reflects the report's assumption that the proposed rules would still be under legislative discussion in 2026-2027, with most operators taking a wait-and-see approach. Once implementation expands from 2028 onward, the full economic impact would materialise.

Asymmetric burden: Germany faces €171bn, France €46bn, Italy €37bn

The report warns that proposed CSA2's mandatory replacement provisions take no account of differences among member states in industrial structure, fiscal capacity and digital readiness. The result would be highly asymmetric economic pain.

Six countries would face losses above €10 billion: Germany, France, Italy, Spain, Poland and the Netherlands. Germany would bear the heaviest burden at €170.8 billion — reflecting the sheer scale of its industrial base and its deep integration with Chinese supply chains across manufacturing, telecoms and energy.

France would follow at €46.3 billion, then Italy at €36.5 billion, Spain at €25.7 billion, Poland at €21.3 billion and the Netherlands at €20.1 billion.

Other member states would face smaller but still significant losses, ranging from hundreds of millions to several billion euros. The report warns that these asymmetric burdens could worsen public debt positions in fiscally fragile countries, intensify political fragmentation within the EU, and ultimately undermine the competitiveness of the single market.

No evidence of "technical backdoor" found, report says

The report notes that there is no substantiated evidence to date of a "technical backdoor" or violation of EU cybersecurity rules by Chinese companies operating in the EU.

Over the past decades, China and the EU have developed extensive industrial linkages in green transition, digital infrastructure, intelligent manufacturing and energy efficiency. These linkages have contributed to the EU's goals of economic competitiveness, digital transformation and the green transition, the report says.

Chinese companies have consistently regarded compliance as fundamental to their presence in Europe, adhering to EU and member-state legal frameworks and cybersecurity standards throughout their operations.

Chinese firms have created tens of thousands of local jobs and helped accelerate digital infrastructure deployment across Europe, the report adds.

Origin-based restrictions may backfire, report warns

The report says CCCEU understands the EU's strategic concerns over supply-chain security. However, it warns that origin-based screening — rather than technical risk assessment — could steer cybersecurity governance away from effectiveness. The report argues that such restrictions would be difficult to implement and largely detached from industrial realities.

The report also highlights legal risks. Using country of origin as a substitute for technical risk assessment may violate the principles of proportionality and non-discrimination, it says. The proposal also reverses the burden of proof and provides insufficient rights of defence, casting doubt on its legality under EU law.

The report further notes that the measures may violate bilateral investment treaties between China and most EU member states, potentially triggering compensation claims and multi-level litigation. It also says the proposal could breach core WTO rules, risking further international trade frictions.

The report stresses that mandatory replacement is unlikely to achieve meaningful security gains. Instead, it warns of systemic negative effects: innovation budgets could be crowded out, fiscal burdens on member states increased, and household incomes eroded.

CCCEU sets out seven core recommendations for cybersecurity governance

The report calls on EU institutions to return to technological neutrality, evidence-based regulation, proportionality and non-discrimination. Its seven recommendations are:

Oppose non-technical criteria. CCCEU expresses grave concern over CSA2's introduction of non-technical criteria and mandatory, time-bound exclusion measures for enterprises.

Reject political screening. The assessment mechanism for "third countries posing cybersecurity concerns" in practice displays characteristics of political screening rather than a security-based framework.

No mandatory exclusions based on origin. Supplier origin should not replace security assessment based on products and services themselves.

Respect member-state competence. Cybersecurity is by nature a competence reserved to member states, not a uniform EU-level power.

No misuse of Article 114 TFEU. Introducing a "country designation mechanism" into internal-market legislation risks circumventing constitutional safeguards on EU foreign policy.

Stop advancing mandatory exclusions. CCCEU calls for an evidence-based, proportionate and WTO-consistent framework to safeguard Europe's competitiveness.

Return to international standards. ICT supply-chain security governance should be based on shared responsibility, risk management and industry cooperation, not origin-based restrictions.

CCCEU says it remains ready to engage constructively with EU institutions on a framework that balances security with openness and competitiveness.