Brussels has a flair for lofty rhetoric. It speaks in velvety phrases about openness, multilateralism and the moral high ground of rules. It urges others to keep markets open, avoid discrimination and play by the book. And then, just when the sermon reaches its pitch, the European Union produces a draft law that demolishes the house of cards.

Enter the proposed revision of the EU Cybersecurity Act, now causing a diplomatic flutter worthy of a Paris runway. The draft doesn’t just tighten technical standards, as China’s Ministry of Commerce observed, it introduces a curious new category: “nontechnical risks”. That sounds less like cybersecurity and more like a Rorschach test for geopolitical anxiety.

Who defines these risks? On what basis? And — this is the fun part — who gets to label who is a “high-risk supplier” or a “country posing cybersecurity concerns”?

The proposal looks suspiciously like discrimination dressed up in digital jargon. The draft may run afoul of World Trade Organization rules, including the sacred principles of most-favored-nation treatment and national treatment — essential guardrails that keep global trade from devolving into a playground of arbitrary exclusions.

Brussels might insist this is all about “security”. But “security” has the Swiss Army knife of modern policymaking — it can justify almost anything. In this case, “security” has been expanded to include subjective, nontechnical criteria, and it starts to look less like a shield and more like a velvet rope beyond which only the invited are allowed to pass. And behind that rope, one suspects, stand Europe’s own industries, hoping for a little breathing room from global competition.

The irony is rich. The EU has spent years positioning itself as the adult in the room of globalization — rules-based, predictable, allergic to the unilateralism of others. Yet here it is, flirting with a framework that could exclude entire countries and companies from supply chains spanning energy, transport and ICT. If this is multilateralism, it comes with a very selective guest list.

China’s response, delivered through its Ministry of Commerce, has been to urge Brussels to reconsider and return to something closer to the rulebook. If the bloc persists down its problematic path with a draft that harms the legal rights and interests of Chinese entities, China’s countermeasures might arrive at its doorstep without delay.

It is also consistent with the tone struck by Chinese Foreign Minister Wang Yi in his recent call with the EU’s top diplomat Kaja Kallas. China’s development, Wang said, is an opportunity for Europe, not its problem. Protectionism will not make Europe more competitive; decoupling from China is simply disconnecting from opportunity.

Kallas stated that the EU sees China as an important partner, does not seek decoupling, and values dialogue.

Lovely words.

But words, like “nontechnical risks”, can be wonderfully elastic. The question is whether Brussels’ deeds will match its declarations.

Many of the EU’s major economies are not clamoring for a techno-economic cold war. They want pragmatic cooperation, stable supply chains and access to growth. When EU-level legislation appears to veer into exclusionary territory, it risks drifting away from the preferences of its own members — an elite policy conversation untethered from commercial reality.

After the bruising debates over electric vehicles, where protectionist instincts began to peek through, the logic now seems to be migrating into cyberspace. First cars, now cybersecurity code. The rationale is similar: defend domestic competitiveness. The risk that it will undermine it is also similar. A cyber sector fenced off by subjective criteria may feel safer, but it is unlikely to become more innovative or globally competitive.

This is less about China than it is the EU’s own identity. Is it the principled champion of an open global economy it claims to be? Or gradually adopt measures that lean toward protectionism under the guise of "cybersecurity"?