The Blind Spot in EU Technology Policy? Why SAFENet Wants to Put Routers on the Agenda

Routers are the most widely used component in the European internet – and the only one without a dedicated EU security framework. The SAFENet alliance, founded on 15 June 2026, aims to change that: with three concrete demands, it is pressing Brussels to adopt a network policy modelled on the established 5G Toolbox.

What is SAFENet – and who is behind it?

The Sovereignty Alliance for European Network Technology, or SAFENet, was founded in Berlin on 15 June 2026. Four companies with European roots stand behind the alliance: devolo from Aachen, FRITZ! from Berlin, LANCOM Systems also from Aachen, and TDT AG from Lower Bavaria.

TDT AG specialises in professional VPN routers and gateways and, according to its own statements, is the first router manufacturer in the world to have its entire organisation certified to ISO 27001 on the basis of BSI IT-Grundschutz – an accreditation renewed in 2025. All four are active in the European market for routers, Wi-Fi systems and network infrastructure.

The alliance explicitly sees itself as open to additional European members.

Early wire reports had spoken of five founding members, naming Teltonika Networks from Lithuania. On enquiry from WeSpeakIoT, SAFENet confirmed that Teltonika had not yet formally joined at the time of the founding – though the signature was said to be imminent.

FRITZ!, known as AVM until August 2025, generated revenue of 630 million euros in 2024 with around 900 employees. The company has developed all its products at its Berlin site since 1986; manufacturing takes place, according to its own statements, with a focus in Europe. LANCOM Systems has long served the professional network infrastructure market – including federal authorities and police forces at high-security level, among them the Federal Chancellery. This foothold in the public sector is no coincidence, as a look at the alliance’s demands makes clear.

Why does the router count as the blind spot of EU technology policy?

The situation SAFENet describes is structural: according to a study by the Innovate Europe Foundation cited by the alliance, 93 percent of European internet traffic runs through routers and home network gateways – the devices that, in homes, businesses and public authorities, form the bridge between the public network and internal infrastructure.

Only seven percent of data traffic flows via mobile networks. Mobile networks are regulated. Routers are not – at least not in the sense that matters from a security perspective. Chinese manufacturers control around 40 percent of the European market for these devices, according to SAFENet data. The problem the alliance identifies: routers can be supplied with firmware updates and maintained remotely over the network.

Whoever controls the software supply chain potentially has access to the devices themselves – and therefore to the data stream flowing through them. This is not a purely theoretical scenario.

European security authorities have repeatedly pointed to compromised routers as an entry point for state-sponsored threat actors in recent years. Germany’s BSI – the Federal Office for Information Security – regularly warns against attacks on SOHO routers, meaning consumer and small-office devices that are frequently operated with default passwords or left without security updates.

What does SAFENet specifically demand?

The alliance has formulated three demands, intentionally packaged as a political whole. First, a transparency obligation: manufacturers and internet service providers must disclose where their devices and the associated firmware are developed and produced. This sounds like a basic requirement, but is anything but straightforward in practice – supply chains in network technology are complex, and the development location of firmware is barely traceable for end customers or public procurement teams today.

Second, a procurement rule for the public sector: authorities, operators of critical infrastructure and publicly funded institutions should prefer European products when purchasing network technology. This mirrors the principle already applied in mobile communications: those who depend on public funds should not incur dependencies on potentially high-risk suppliers.

Third – and this is the structurally most ambitious element – a Router Security Toolbox at EU level, modelled on the existing 5G Toolbox.

What is the EU 5G Toolbox – and why does it work as a model?

The EU 5G Cybersecurity Toolbox is a coordinated framework that supports EU member states in assessing and mitigating risks in their 5G networks. The outcome in practice: Germany has mandated that 5G mobile operators stop deploying core network components from Chinese manufacturers Huawei and ZTE by 2026. Other EU countries have taken similar steps.

The Toolbox model works because it does not impose blanket import bans but follows a risk-based approach: suppliers classified as high-risk may not be deployed in security-critical contexts. This mechanism is politically viable because it builds on existing EU law and avoids WTO-relevant market restrictions. For routers, an analogous toolbox would mean: manufacturers that fail to meet certain transparency or security criteria could be excluded from public procurement processes.

That would be a significant lever – particularly since public institutions are among the largest buyers of network infrastructure. Where the comparison falls short: 5G core networks are highly centralised infrastructures with a manageable and well-documented set of suppliers. The router market is more fragmented, supply chains are more complex, and millions of devices are already deployed. A Router Security Toolbox would likely prove considerably more demanding to implement than its 5G equivalent.

Does the approach hold up – and what remains unsolved?

SAFENet addresses a real problem: the absence of an EU-wide security framework for routers is not an invented gap but a documented policy vacuum. The demands are well-conceived and build on a proven model. The transparency approach is the strongest element, because it is market-friendly while still creating a basis for informed decision-making.

That the initiative comes from manufacturers with a direct economic interest is not a flaw – it is the expected pattern when a policy gap exists that neither the EU nor national regulators have yet filled. The more relevant caveat is technical: SAFENet regulates origin, not operations. The primary attack vector in documented router incidents is not hardware origin but unpatched firmware, default passwords and missing network segmentation.

A European-built router that has not received a security update in three years is just as vulnerable as its Chinese counterpart. Solving this problem requires mandatory update mechanisms and minimum operational standards – topics addressed by the EU Cyber Resilience Act, but not placed at the centre of SAFENet’s agenda.

Context: A global trend with a European accent

SAFENet is not the first initiative to examine network hardware through the lens of digital sovereignty. Other economic blocs have also begun tightening access for foreign manufacturers to their network infrastructure. What distinguishes SAFENet from comparable initiatives: the alliance is calling for a regulatory framework, not a ban such as the one imposed by the FCC in the United States. That is the decisive difference between industrial policy and security policy – even if the two are intertwined here.

Whether the initiative gains sufficient political weight to be heard at EU level will depend on how quickly additional European manufacturers join and whether SAFENet manages to build support beyond its own sector – from civil society and academia. A manufacturers’ alliance alone rarely travels far in Brussels.

Conclusion

SAFENet fills a real gap. The political diagnosis – routers as critical infrastructure without a dedicated EU security instrument – is correct, and the 5G Toolbox model is a pragmatic starting point. That the alliance is carried by manufacturers who stand to benefit from stronger regulation does not diminish the substance of the demands. The broader question – how Europe improves the operational security of routers, through patching obligations, update deadlines and minimum operational standards – remains unanswered by SAFENet.

That is not a criticism of the alliance, but a task the EU Cyber Resilience Act must still deliver on. Both together – supply chain transparency and operational security – would constitute the complete approach. SAFENet delivers the first half.

Frequently Asked Questions about SAFENet and Router Security

What is SAFENet and who is behind it?

SAFENet stands for Sovereignty Alliance for European Network Technology and was founded on 15 June 2026. The alliance brings together four European network manufacturers: devolo and LANCOM Systems from Aachen, FRITZ! from Berlin, and TDT AG from Lower Bavaria. Its goal is to establish an EU security framework for routers and home network gateways modelled on the existing 5G Toolbox.

Why is the router considered critical infrastructure?

According to a study cited by SAFENet, 93 percent of European internet traffic runs through routers and home network gateways. These devices form the bridge between the public network and private or business infrastructure. Because routers can be supplied with firmware updates remotely, the software supplier potentially has access to the entire data stream – a risk that security authorities across Europe increasingly regard as significant.

What is the EU 5G Toolbox and why does SAFENet use it as a model?

The EU 5G Cybersecurity Toolbox is a coordinated framework that supports EU member states in assessing 5G network risks using a risk-based approach. In practice, it led Germany to mandate the removal of Huawei and ZTE core network components from 5G infrastructure by 2026. SAFENet is calling for an equivalent instrument for routers: not a blanket import ban, but transparency obligations and risk-based procurement rules.

What specific measures does SAFENet demand from the EU?

SAFENet has three demands: first, a transparency obligation requiring manufacturers and internet service providers to disclose where devices and firmware are developed and produced. Second, a procurement rule obliging public authorities and critical infrastructure operators to prefer European network technology. Third, a Router Security Toolbox at EU level as a counterpart to the existing 5G Toolbox.

Is a European router automatically more secure?

Not necessarily. SAFENet addresses supply chain risks – the question of who develops and potentially controls the firmware. The actual primary attack vector in documented router incidents is unpatched firmware and poor operational security, regardless of where the device was manufactured. A European router without regular security updates is just as vulnerable as a device from outside Europe. Mandatory update mechanisms are addressed by the EU Cyber Resilience Act, not by SAFENet.