HiSilicon in the US vs EU Compliance and Certifications

Manufacturers often ask about using HiSilicon components for new products. The answer is clear. Developing new products with HiSilicon chips for the US or EU market is generally not feasible.

Key Takeaway 📝 The US has direct supply chain bans. The European Union imposes severe scrutiny related to security and data privacy. These challenges create significant compliance and certifications risks that are difficult to overcome.

Key Takeaways

• It is very hard to use HiSilicon chips for new products in the US or EU.
• The US has laws that stop products with HiSilicon chips from being sold.
• The EU does not ban HiSilicon chips directly, but it has many strict rules about security and data.
• These rules make it very risky and hard to get products with HiSilicon chips approved in the EU.
• It is best to choose other chip suppliers to avoid these problems in both the US and EU.

US Compliance and Certifications: A Closed Door

The United States presents a regulatory environment that effectively closes the door on new products incorporating HiSilicon components. A series of legal and administrative actions create insurmountable barriers. These measures target the company directly and disrupt the entire supply chain, making market entry practically impossible.

The Entity List Ban

The U.S. Department of Commerce maintains the Entity List. This list identifies foreign entities subject to specific license requirements for the export or transfer of specified items. The government placed HiSilicon and its parent company, Huawei, on this list due to national security concerns. This action severely restricts their ability to acquire U.S. technology and goods.

The Department of Commerce added several HiSilicon entities to this list in 2019.

Obtaining a license for any trade with these entities is exceptionally difficult. The U.S. government operates with a "presumption of denial" policy for license applications related to these sanctions. This makes any form of trade unreliable and functionally blocked.

Semiconductor Supply Chain Impact

The Entity List sanctions have a profound impact on the semiconductor industry. They prevent HiSilicon from accessing critical U.S. technology needed for modern semiconductor design and fabrication. For example, HiSilicon cannot license essential Electronic Design Automation (EDA) software from U.S. suppliers. This software is fundamental for designing a new semiconductor.

These trade restrictions extend beyond direct transactions. The 'Affiliates Rule' complicates supply chain management even further.

• It extends export restrictions to foreign affiliates that are 50% or more owned by entities on the list.
• The 'Rule of Most Restrictiveness' applies the strictest license policy to an affiliate if any of its owners are on the list.

This framework effectively isolates HiSilicon from key parts of the global semiconductor market and global supply chains. It blocks access to both the tools to design a new semiconductor and the partners needed to manufacture it.

The FCC 'Covered List'

The Federal Communications Commission (FCC) maintains a separate but related list called the 'Covered List'. This list identifies communications equipment and services that pose an unacceptable risk to U.S. national security. As a subsidiary of Huawei, HiSilicon's components fall under this designation. Any product containing a HiSilicon semiconductor is therefore considered 'covered equipment'.

The FCC's list includes several companies whose equipment is restricted for security reasons.

What is Covered Equipment? 📝 The FCC's rules apply to equipment from listed companies, including their subsidiaries and affiliates. This means a product cannot gain market access if it contains a core semiconductor from a company like HiSilicon.

Secure Networks Act Rules

The Secure and Trusted Communications Networks Act of 2019 gives the FCC its authority to regulate this equipment. The rules create two major hurdles for compliance and certifications.

1. Ban on New Equipment Authorization: The FCC will not review or approve any new equipment authorization applications for products on the Covered List. This ban, effective since February 2023, prevents any new device containing a HiSilicon semiconductor from getting the required certification to be legally marketed or sold in the U.S. This applies to both formal certification processes and the simpler Supplier’s Declaration of Conformity (SDoC).

2. "Rip and Replace" Program: The Act also established a reimbursement program to remove, replace, and destroy existing equipment from covered suppliers like Huawei and ZTE from U.S. networks. With total funding of $4.98 billion, this program shows a clear federal commitment to eliminating this technology from the country's infrastructure. This aggressive policy underscores the high level of security risk associated with this trade.

These rules make the required FCC certification unattainable for any new product using a HiSilicon semiconductor.

The Verdict for the US Market

The combination of these regulations creates a complete blockade.

• Supply Chain Block: The Department of Commerce's Entity List sanctions prevent manufacturers from reliably sourcing HiSilicon semiconductor chips and the technology to integrate them.
• Market Access Block: The FCC's Covered List and Secure Networks Act rules prohibit the final product from receiving the necessary certification for legal sale.

For any company developing a new product for the U.S. market, the path for compliance and certifications is closed. Choosing a HiSilicon component is not a viable strategy due to these direct and comprehensive legal prohibitions.

EU Market: A Complex Web of Regulations

The European Union market presents a different challenge compared to the United States. The EU does not have a single, outright ban on HiSilicon. Instead, it uses a complex web of regulations, high-level scrutiny, and risk-based assessments. This approach creates significant hurdles for compliance and certifications, making HiSilicon a high-risk choice for manufacturers.

No Outright Ban, High Scrutiny

The EU's strategy focuses on risk mitigation rather than a complete blockade. There is no EU-wide law that explicitly bans HiSilicon components. However, the European Commission has strongly encouraged member states to restrict or exclude high-risk vendors from their critical infrastructure, especially 5G networks. This has led to a fragmented but challenging landscape where individual countries implement their own rules.

Several member states have already taken action based on this guidance:

• Sweden: Banned Huawei equipment from its 5G networks. It also ordered the removal of existing equipment by January 1, 2025.
• Germany: Mandated the removal of Huawei and ZTE components from 5G core networks by the end of 2026.
• Denmark: Implemented a law to assess telecommunications equipment and remove gear from non-trusted vendors.
• Italy: Does not have a blanket ban but evaluates each case. The government blocked a telecom operator from using Huawei for its 5G network.

This country-by-country approach means manufacturers face unpredictable market access and a high degree of scrutiny.

The EU 5G Toolbox

A key driver of this scrutiny is the "EU Cybersecurity Toolbox for 5G". This set of recommendations guides member states on how to secure their 5G networks. It does not name specific companies but establishes criteria for assessing the risk profile of suppliers. A supplier's links to a non-EU government are a major factor.

The Toolbox recommends a mix of strategic and technical measures to mitigate risks. Strategic measures give authorities more power to scrutinize network procurement. Technical measures strengthen the security of 5G networks and equipment.

Key recommendations for member states include:

• Assessing the risk profiles of all suppliers.
• Applying restrictions on suppliers considered high-risk, including excluding them from core network functions.
• Developing strategies to diversify vendors and avoid long-term dependency on a single supplier, which impacts global supply chains.
• Ensuring high security standards in suppliers' processes through strict procurement conditions.

This framework pressures telecom operators and infrastructure providers to avoid components from vendors deemed high-risk, indirectly affecting the entire technology supply chain.

Mandatory CE Marking

All electronic products sold in the EU market must bear the CE mark. This mark signifies that a product complies with EU safety, health, and environmental protection requirements. Obtaining a CE marking is a mandatory step for market access. The process is the manufacturer's responsibility.

A manufacturer must:

• Prepare detailed technical documentation to justify the product's compliance.
• Draw up and sign an EU Declaration of Conformity (DoC), taking full responsibility for the product's quality and adherence to EU law.
• Appoint an EU-based representative if the manufacturer is outside the EU.

For a product containing a HiSilicon component, the technical file would face intense review. Regulators would closely examine how a component from a high-risk vendor meets the EU's stringent safety and security standards. This makes the certification process much more difficult.

Radio Equipment Directive (RED)

The Radio Equipment Directive (2014/53/EU) is a critical part of the CE marking process for any wireless device. The RED sets essential requirements for radio equipment to ensure safety and prevent interference. Recent updates have added specific cybersecurity obligations. These new rules directly impact devices using components from high-risk suppliers.

The key articles mandating cybersecurity include:

• Article 3.3(d): Requires that equipment will not harm the network.
• Article 3.3(e): Mandates safeguards to protect personal data and user privacy.
• Article 3.3(f): Includes features to protect against fraud.

A product using a HiSilicon chip must demonstrate compliance with these security articles. This requires a thorough risk assessment and proof that the component does not introduce vulnerabilities related to data privacy or network security. Achieving this certification is a major challenge.

GDPR and Data Privacy

The General Data Protection Regulation (GDPR) governs how companies collect, process, and protect the personal data of EU citizens. Any device that processes personal data must comply with GDPR. This is especially relevant for IoT devices, cameras, and routers that might use HiSilicon chips.

A major concern is the transfer of data outside the EU. Chapter V of GDPR strictly regulates this type of trade. Data can only be transferred to a non-EU country if that country provides an adequate level of data protection. If a HiSilicon component processes personal data and sends it to servers in a country without an adequacy decision from the EU, it creates a serious compliance breach. This risk forces manufacturers to prove that no unauthorized data trade occurs, a difficult task that adds another layer of scrutiny.

EU Cyber Resilience Act (CRA)

The upcoming EU Cyber Resilience Act (CRA) will introduce mandatory cybersecurity requirements for all products with digital elements. This new law will shift the responsibility for security from the consumer to the manufacturer for the entire product lifecycle. The CRA will require a new CE certification for cybersecurity.

Key obligations for manufacturers will include:

1. Cybersecurity Risk Assessment: Performing a thorough assessment and documenting it.
2. Declaration of Conformity: Issuing a DoC to declare the product meets essential security requirements.
3. Technical Documentation: Providing a Software Bill of Materials (SBOM) to list all software components, including those within a HiSilicon chip.
4. Vulnerability Handling: Reporting actively exploited vulnerabilities to a certification body and providing security updates for a reasonable period.

The CRA does not label specific vendors as "high-risk." Instead, it classifies systems as high-risk based on their function. However, a product containing a component from a vendor under geopolitical scrutiny will face a difficult path to accreditation. The need to provide an SBOM and prove the quality and security of every component makes using a chip from a non-transparent supplier a significant liability. A certification body will heavily scrutinize such products.

RoHS and Environmental Rules

Beyond security and data privacy, manufacturers must also meet the EU's environmental regulations. The Restriction of Hazardous Substances (RoHS) Directive limits the use of specific hazardous materials in electrical and electronic equipment. This is another mandatory requirement for CE marking.

All components, including semiconductors, must prove their quality by adhering to these strict limits.

Manufacturers must obtain documentation from their component suppliers to prove RoHS compliance. While this is a standard part of trade, sourcing this documentation for a HiSilicon component could be complicated by the same supply chain disruptions affecting other areas of trade. Failure to provide this proof will block the product's compliance and certifications path.

Risk Assessment and Strategic Alternatives

Manufacturers need a clear risk assessment to navigate the complex regulatory landscape. Choosing a semiconductor supplier has major implications for global market access. A direct comparison of US and EU rules reveals different types of risk. The best strategy involves selecting alternative suppliers to avoid these challenges altogether.

Comparison: US vs. EU Rules

The US and EU take fundamentally different approaches to regulating HiSilicon. The US employs direct legal prohibitions. The EU uses a framework of high scrutiny and risk-based recommendations. This table summarizes the key differences.

Market Access: Blocked vs. Restricted

The US FCC's rules create a direct, legally binding prohibition. The FCC will not authorize any new equipment containing a HiSilicon semiconductor. This ban effectively blocks any new product from being placed on the market.

The EU's approach is more nuanced. The EU 5G Toolbox offers 'non-binding' recommendations that member states apply inconsistently. This creates a restricted, not blocked, market. A manufacturer might find a path for a product in one country but not another. The EU defines market entry in two stages:

• 'placing on the market': The first time a device is made available.
• 'making available on the market': Any subsequent supply or use.

A product with a HiSilicon semiconductor faces intense security scrutiny at both stages.

Role of ISO 9001 Certification

An ISO 9001 certification is a vital tool for evaluating supplier quality. This standard for quality management systems requires organizations to assess risks from external providers. An ISO 9001 certification helps vet a semiconductor supplier's processes and commitment to quality. However, an ISO 9001 certification does not override specific legal bans. The US government's prohibitions are based on national security, a factor outside the scope of a standard quality audit. While ISO 9001 certification is important, it cannot grant market access when a legal blockade exists. The ISO framework helps manage quality, not geopolitical bans.

Beyond ISO: Geopolitical Factors

Geopolitical security concerns are the primary driver behind these regulations. Even with a perfect ISO 9001 certification, a supplier like HiSilicon is deemed high-risk due to its country of origin and government ties. The ISO standard's Clause 8.4 on supplier control requires assessing a supplier's risk profile, which includes geopolitical factors. However, the ISO framework is a tool for a company's internal quality and risk management. It does not supersede national security directives. The security risks associated with the semiconductor are the main issue.

Viable Chipset Alternatives

The most effective risk mitigation strategy is to choose alternative semiconductor suppliers. Selecting a vendor without these geopolitical and regulatory burdens eliminates the root cause of the problem. This ensures a smoother path to certification and market entry. Major, trusted semiconductor alternatives include:

• Qualcomm
• MediaTek
• Nordic Semiconductor

These suppliers offer high-quality components and do not carry the same security and compliance risks.

---

Legal bans effectively close the US market to new products using HiSilicon chips. The EU market presents a different challenge. It is not technically closed, but high security scrutiny, GDPR rules, and new cybersecurity laws create major risks. These factors make HiSilicon an unadvisable choice for most manufacturers.

Final Recommendation 💡 Developers targeting US or EU markets should select alternative chipset suppliers. This strategy avoids insurmountable regulatory hurdles, supply chain disruptions, and potential reputational damage.

FAQ

Can manufacturers use existing stock of HiSilicon chips?

Using old stock for new products is not feasible in the US. The FCC ban applies to the authorization of new equipment. A product cannot get the required certification to enter the market, regardless of when the manufacturer acquired the semiconductor.

Do these rules apply to consumer electronics?

Yes. The US FCC's 'Covered List' rules apply to any equipment requiring authorization. This includes consumer products like smart cameras, routers, and IoT devices. The ban is not limited to critical infrastructure. A product with a HiSilicon chip will be denied market access.

Is it possible to get an exception or license?

Obtaining a license in the US is highly unlikely. The government operates with a "presumption of denial" for entities on the Entity List. Relying on a potential exception is not a viable business strategy for any new product development.

What is the key difference between US and EU regulations?

The main difference is the method of restriction.

• US 🇺🇸: Implements a direct, legal ban blocking market access.
• EU 🇪🇺: Uses a risk-based approach with high scrutiny, creating unpredictable compliance hurdles.

The US market is closed, while the EU market is severely restricted.