In a move that defies warnings from its own intelligence agencies and the European Union, Spain awarded a €12.3 million ($14 million) contract to the Chinese telecommunications giant Huawei.
The deal involves the provision of high-performance Huawei OceanStor 6800 V5 servers and support services for Spain’s Integrated Telecommunications Interception System (SITEL), the central repository for lawful wiretap recordings in investigations of grave crimes, including terrorism and organized crime.
This decision is particularly jarring, given that the European Commission formally identified Huawei as a “high-risk vendor,” citing the potential for interference by non-EU state actors and concluding that the company represents “materially higher risks than other 5G suppliers.”
[…]
The Spanish case is not an isolated incident: it is paralleled by a contentious contract awarded to Hikvision, another Chinese technology firm, for surveillance cameras at the highly sensitive southern European border enclaves of Ceuta and Melilla, which are crucial for managing migration and counter-terrorism.
[…]
China’s legal mandate and hardware vulnerabilities
The designation of Huawei as a “high-risk” vendor is rooted in a specific and interlocking set of legal, geopolitical, and technical realities. The primary non-technical risk factor is China’s legal framework: Article 7 of China’s 2017 National Intelligence Law explicitly states that “any organization or citizen shall support, assist, and cooperate with state intelligence work in accordance with the law,” with a subsequent article compelling secrecy about such cooperation.
[…]
This means any Chinese company, regardless of its corporate structure, can be legally compelled to serve Beijing’s intelligence apparatus, rendering contractual assurances of data privacy subordinate to its obligations to the Chinese state. Furthermore, the threat landscape includes the inherent vulnerabilities of the global ICT supply chain.
The European Union Agency for Cybersecurity (ENISA) has identified supply chain attacks as the top emerging cybersecurity threat for the next decade. A prime example is the 2021 Kaseya VSA ransomware attack, in which attackers injected malicious code into a software patch, resulting in devastating effects for thousands of downstream customers.
[…]
An organization’s security, therefore, is only as strong as the weakest link in its supply chain.
[…]
It emphasizes the necessity of the “Zero Trust” security philosophy, a core premise of the EU’s cybersecurity approach, which mandates that no component, internal or external, can be implicitly trusted.
[…]
The European Commission later clarified that decisions to restrict or exclude Huawei and ZTE from 5G networks were “justified and compliant with the 5G Toolbox.”
The NIS 2 Directive, which entered into force in January 2023, is legally binding and mandates that member states transpose its provisions into national law by October 2024. It imposes stricter cybersecurity obligations, including those related to supply chain security, and embodies the “Zero Trust” philosophy.
Similarly, the Cyber Resilience Act (CRA) targets the security of products themselves, mandating “security-by-design” for all “products with digital elements” sold in the EU, requiring manufacturers to integrate cybersecurity throughout a product’s lifecycle.
Despite this robust framework, a “critical flaw” exists: the 5G Toolbox remains a non-binding recommendation, while NIS 2 and CRA, though binding, are broader and do not explicitly ban specific vendors.
[…]
The Spanish government’s decision, despite widespread warnings and the clear policy direction of its allies, underscores the critical “implementation gap” within the EU.
As the NIS 2 Directive awaits full transposition into Spanish law, the incident serves as a stark reminder that short-term budgetary considerations, if unchecked, can override long-term strategic security, potentially undermining the integrity of essential alliances and the collective digital sovereignty of the European Union.