5G and Connected Vehicles: the EU takes precautions against the risk of sabotage, but between billion-dollar costs and risk incentives, “gray areas” remain regarding energy and critical infrastructure

The European Union is currently facing a fundamental shift in its national security architecture. The proposal of January 20, 2026, for a new policy package centered on the recast of Regulation (EU) 2019/881, known as "The Cybersecurity Act 2" (document COM(2026) 11 final), will mark the definitive transition from a logic of voluntary recommendations to a regime of "mandatory risk reduction" for supply chains originating from high-risk third countries. The following analysis examines the scope of this regulatory turning point, highlighting its operational criticalities, economic costs, and strategic omissions in light of the EUROPE UNDER ATTACK 2025 report by Extrema Ratio and official European Commission documents.

Background and the Fragility of the 5G Toolbox

The need for binding legislative intervention is rooted in the partial failure of the previous approach based on voluntary coordination. As analyzed by Extrema Ratio in the report "EUROPE UNDER ATTACK 2025: Beijing's silent war in Europe", China has implemented a strategy of "Liminal Warfare"—an incremental war where control over digital infrastructure becomes a non-conventional military operation.

The report highlights how the EU has remained significantly dependent on Chinese 5G for years. Despite the 2020 5G Security Toolbox recommending restrictions, implementation has been fragmented, with countries like Germany maintaining shares of Chinese equipment close to 60%. This dependency is not only technological but legislative: the 2017 Chinese National Intelligence Law obliges citizens and companies to cooperate with Beijing's security services, making every Chinese supplier, by law, a potential operational arm of the Chinese Communist Party (CCP) intelligence.

The Paradox of Connected Vehicles: Risk Incentives and Dual-Use

The Cybersecurity Act 2 will identify connected and automated vehicles as one of 18 critical sectors (Annex III), but legislative intervention will have to face a paradoxical market reality and already consolidated damage. In recent years, Chinese electric vehicles have entered the single market en masse, often paradoxically supported by European public resources.

A striking example is represented by Germany, where approximately 3 billion euros in incentives (environmental bonuses) were allocated, from which Chinese manufacturers or vehicles produced in China will have largely benefited. This has created a situation of structural vulnerability: Europe has used public money to fund the entry of mobile "data terminals" that, under Chinese law, are obliged to collaborate with Beijing's intelligence. A Chinese connected vehicle on European roads will not just be a means of transport, but a mobile sensor capable of mapping territory and collecting biometric data via LiDAR systems and high-resolution cameras. The "Dual-Use" risk will be evident: these fleets could be remotely transformed into tools for mass surveillance or, in crisis scenarios, into vectors for kinetic sabotage to block road arteries through coordinated attacks on Electronic Control Units (ECUs).

Network Remediation: Financial Burdens and Sanctions

The regulation will appear belated in many respects. Network remediation will involve enormous costs: the Commission's Impact Assessment Report (document SWD(2026) 11 final) estimates that replacing high-risk equipment in mobile networks alone will cost between 3.4 and 4.3 billion euros per year for a three-year period (Option D.3).

The main doubt will concern who will bear these costs: the risk is that they will fall on the citizen through increased phone tariffs or the use of further public funds. However, the Cybersecurity Act 2 will finally introduce a rigorous sanctions system. According to Article 115 of the proposal, Member States will be obliged to establish "effective, proportionate, and dissuasive" penalties for non-compliant entities. Being a Regulation, non-compliance will directly expose States to EU infringement procedures, eliminating the discretion that characterized the previous era.

The Strategic Delay on Energy and Sabotage

The Extrema Ratio analysis "In addition to photovoltaics, China's wind power also poses intolerable risks" warns that the strategic delay will extend to other critical fronts where doubts about the pre-positioning of Chinese equipment for sabotage are concrete.

• Inverters and Solar Panels. China controls almost the entire supply chain. Inverters, which are bidirectional devices connected to the grid via firmware, could be manipulated to induce frequency instability and cause coordinated blackouts, acting as energetic "Trojan horses" ready to be activated.

• Wind Farms. The acquisition of stakes in European wind farms by Chinese giants lwill offer Beijing access to detailed grid maps (SCADA) and the possibility of installing signal interference devices (SIGINT). The case of the "Waterkant" offshore wind farm in Germany, blocked for reasons of national security and alliance defense, demonstrates that the risk of physical sabotage is now a current threat.

In conclusion, the Commission's proposal of January 20, 2026, will attempt to stem a systemic vulnerability. However, the question remains regarding the consistency of a Union that, on one hand, will impose "mandatory risk reduction" and, on the other, has funded the entry of potentially hostile technologies into its critical sectors with billions of euros. The challenge for the next 36 months will be to implement real remediation, while trying to ensure that the price of national security does not weigh exclusively on the pockets of European taxpayers.