EBM Newsdesk Analysis
BRUSSELS, May 7 — China’s Chamber of Commerce to the EU has commissioned KPMG to produce a study putting the cost of Brussels’ proposed Cybersecurity Act at €367.8 billion ($432.8 billion) between 2026 and 2030, with Germany alone facing €170.8 billion — nearly half the total bill. The study, released on Wednesday, claims forced replacement of Chinese suppliers across 18 critical sectors would cost the bloc €146.2 billion in hardware replacement alone, with the remainder from resource reallocation, service disruption, employment adjustment and legal fees. Six EU countries — Germany, France, Italy, Spain, Poland and the Netherlands — would face individual losses above €10 billion. Annual costs would peak at €93 billion in 2028.
The provenance matters. The CCCEU is the official chamber representing Chinese commercial interests in the EU. KPMG was engaged on its behalf. This is a self-interested lobbying document, not an independent cost projection. But the figures are not implausible — the EU’s own internal cost analysis, when the Commission eventually publishes it, is expected to produce a smaller but still large number. What the CCCEU has done is set the upper end of the price-tag range and put it into political circulation 48 hours after Beijing threatened formal countermeasures against the EU “Made in Europe” law. This is coordinated economic diplomacy, designed to force Brussels to soften the proposed binding regime before it becomes law.
What the Cybersecurity Act Actually Does
The revised EU Cybersecurity Act, proposed by the European Commission in January, moves Brussels’ soft restrictions on Chinese telecoms suppliers — Huawei and ZTE since 2020 — toward a binding regime. The Act covers 18 critical sectors including energy, telecoms, transport, healthcare, banking, digital networks and the space industry. Components and equipment from “high-risk” suppliers must be phased out, with high-risk defined as suppliers from “countries posing cybersecurity concerns.” That language captures China without naming it.
The Act was reissued days after the Commission strengthened its Huawei and ZTE recommendation. It also sits alongside a separate Commission proposal published Monday restricting EU funds for projects involving power inverters from “high-risk suppliers” — the Commission specifically warning these inverters could be used to remotely shut down national electricity networks.
Why the €368 Billion Figure Matters
The KPMG study’s headline number does three things politically.
It puts a price on European cybersecurity sovereignty that Beijing hopes Germany cannot stomach. The €170.8 billion German share of the cost is roughly equivalent to 5 per cent of German GDP spread over five years. For a country already facing a recession scenario from Trump’s 25 per cent auto tariffs, an additional €170 billion in cybersecurity-driven costs is politically toxic.
It anchors the debate at a high number before the Commission publishes its own impact assessment. If Brussels’ internal estimate lands meaningfully below €368 billion, the Commission can argue Beijing is exaggerating. If it lands close, the case for the binding regime weakens significantly. The CCCEU has effectively forced the Commission to either disprove the number or accept it as the framing.
It coordinates with the broader Chinese counter-pressure on EU industrial policy. Beijing is pushing back simultaneously on the Made in Europe law, the auto-tariff regime targeting Chinese EVs, and now the Cybersecurity Act. Each individually is contestable. Together they form a structural Chinese diplomatic-economic offensive that European member states are not yet responding to in unified fashion.
Why Brussels Will Probably Push Through Anyway
Three factors cut against Beijing’s lobbying effort.
The first is national-security framing. Cybersecurity rules sit in a different political category than industrial policy. Member states that resist trade-driven Made in Europe provisions tend not to resist cybersecurity-driven ones, because the security argument is harder to oppose publicly.
The second is the inverter precedent. The Commission’s Monday warning that Chinese power inverters could be used to remotely shut down national grids is a more visceral risk than abstract telecoms hardware concerns. Once a remote-shutdown scenario is in the political conversation, member states find it harder to soften the underlying law.
The third is the shifting capital rotation into European stocks and the Letta-Draghi reform agenda. The European Commission’s own Brussels-said-basta reform push is built on a positioning of European tech sovereignty as a competitive advantage. Backing down on the Cybersecurity Act under Chinese lobbying pressure would undermine the wider sovereignty narrative.
What This Means for European Business
For European corporate planners, three things matter for the next twelve months.
The legislative process is still in its early stages. Member-state amendments are coming. Companies dependent on Chinese components in covered sectors — particularly in energy, telecoms and transport — should be modelling two scenarios: full implementation by 2030, or a softened version with longer transition periods and carve-outs. Both are now plausible.
The Chinese countermeasure threat is no longer abstract. Beijing has now threatened retaliation on three EU industrial-policy files in three weeks. European companies with significant China exposure — automotive, machinery, luxury — should be running stress-tests on retaliatory scenarios that they were not running a month ago.
The next test arrives later this year, when the Commission publishes its own impact assessment. If the number lands at €100-150 billion, the binding regime survives intact. If it lands at €250-350 billion, member states will push for carve-outs. The CCCEU has set the high end of the range. Brussels now has to decide where to land — and how visibly to disagree with Beijing in doing it.