EU spells out rules for ‘high risk’ 5G suppliers

‘Ensuring the cybersecurity of 5G networks is an issue of strategic importance for the Union,’ says Commission.

Consumers look at Huawei products at a trade fair in Berlin on September 6, 2019 | Tobias Schwarz/AFP via Getty Images

European cybersecurity officials agreed on a series of measures to downsize Huawei's presence in Europe due to concerns that it poses serious risks to the security of future 5G telecom networks.

The EU's so-called 5G security toolbox marks the end of a year-long debate between Western security officials and the telecom industry on how to handle "high risk" suppliers from China, during which European governments were urged by U.S. officials to ban Huawei.

"Ensuring the cybersecurity of 5G networks is an issue of strategic importance for the Union," the Commission wrote in a document accompanying the toolbox. Europe faces attacks from "a wide range of threat actors, in particular non-EU state or state-backed actors," it added.

EU countries "agreed on the need to assess the risk profile of individual suppliers and, as a consequence, to apply relevant restrictions for suppliers considered to be high risk, including necessary exclusions," it said.

The toolbox in principle allows countries to slap blanket bans on Huawei. But EU countries are likely to take a more measured approach, imposing partial bans on Chinese equipment in "critical or sensitive" parts of 5G networks.

The U.K. on Tuesday announced such measures, banning Huawei from "core" networks and capping its footprint at 35 percent in other parts. France passed a law last summer that also includes geographical restrictions, while other countries are following suit.

The toolbox sets out technical measures that would allow European governments to limit the risk associated with Chinese vendors, as well as strategic measures aimed at beefing up Europe's political control over 5G supply chains and technology.

It is a follow-up to European cyber agencies' joint "risk assessment" that was released in October. The assessment called out foreign states with "cyber offensive initiatives" as a big threat, and said suppliers pose a higher risk if they are close to a foreign government or are based in a country where there are "no legislative or democratic checks and balances in place" or there is an "absence of security or data protection agreements" with the EU.

National governments are asked to report back on "concrete and measurable steps" to implement the measures by end-April, and report back to the EU's cooperation group of cybersecurity authorities by end-June.