It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal. Several attempts were made to streamline the merger, but she wouldn't budge.
As a result, CRCC continues to win contracts abroad, largely (it is believed) by undercutting competition. IP theft is known to be one objective of their at-loss or low-profit contracts (I've been involved in fighting that, specifically).
It's hardly a stretch to imagine that having control of the rail in countries that might oppose you militarily is strategically huge.
This article is about busways, but the parallels are obvious.
Surveillance tech in products doesn't necessarily imply grey zone warfare. But that doesn't make it a good thing either.
Poland put out a separate bid for manufacturing and servicing of their locomotives and one company won the manufacturing bid while another won the servicing bid.
The servicing company was unable to get the trains into working order and after hiring hackers accused the manufactoring company of bricking the software on purpose by including geo-fences where the trains would no longer work after arriving at the servicing company's property.
Perhaps the interesting part to me was Dragon Sector's (the hackers) claims that the software needs to be blessed so although they discovered problems they never changed anything because they don't have the authority to bless it and heavily imply that the fact that the manufactoring company is changing the software at will is illegal.
The changes by the manufactoring company had an (undisclosed) activation sequence added to it so you didn't need to modify the software in order to get the train working so the servicing company never actually modified the software.
https://www.youtube.com/watch?v=XrlrbfGZo2k
https://www.ifixit.com/News/112008/polish-train-maker-is-sui...
It's really confusing that the EU don't consider this "dumping". I thought that was this big thing that they cared about.
And that competitive advantage could presumably give them more scale?
Your second sentence is quite a jump, however: "It won't be as big, so there's no point in trying to compete at all."
The things you see in EU public tenders is just amazing, especially when they's little to no competition.
Can you give examples of what you (obviously, since you're commenting) have seen, and how typical it is?
People employed there optimize for winning them (at any cost - quid-pro-quo agreements aren't rare in my experience). It's common for several such companies to collude in a way that they get awarded the tenders in a circle ("I get this one, next one is for you.")
Afterwards, they outsource the work to the cheapest lowest bidder (usually IT studends in the cases I've seen for software development, but essentially they'll be bottom of the barrel juniors). The quality of such products is about the same as the quality of any outsourced product which is built only to satisfy a checklist at the end. The US equivalent of that would be a corporation getting a defense contract and then basically have everything built by the cheapest outsourcer in India or similar location. Funny enough, university labs (or spinoffs) tend to be major part of this ecosystem, using grad students as workforce - their credentials tend to give them legitimacy over smaller companies.
The results are as disastrous as you can expect - companies a HNer could expect to win usually don't (due to lack of specialized knowledge on how to game the tender process, lack of connections and cost) and those that do are really there to do the bare minimum, shed the work as much as possible and deliver something they can't get sued over.
It's also not uncommon to see whole chains of such companies - the winner sometimes shares some outsourcing work with "losers" they outsource work further, skimming the funds on top and essentially outsourcing everything to the cheapest engineer they can find.
Dealing with any public EU project has been nothing but misery for me personally (as you can imagine from this post :) and this environment bred some of the most toxic workplaces I've worked with. The products were universally terrible and rarely actually useful for the purpose.
As much as I want independent EU software ecosystem, I don't think using public funding can breed anything but more corruption.
Well, you described what happens when you outsource everything.
Governments used to ... gasp ... employ people to do tasks so that you didn't have to outsource every single piddly task. And since those employees could do the tasks, there was a floor such that selecting nobody and doing it in house was always an option.
Yes, that has different failure modes. However, you have more levers over those failure modes as opposed to a single lever of "Head to court and try to win a legal case."
I mean, if you’re at a place that uses staff aug and managing a project it’s just something you have to watch out from your vendors as table stakes. Whenever a new vendor was hired my fellow low level managers would be making bets on how long before they switched out their best guys with some fresh out of college junior that they’d give a fancy title to.
You create a political class full of lawyers, and you get a country where lawyers thrive, who would have thought?
https://academic.oup.com/yel/article/doi/10.1093/yel/yeac009...
Hitchen's Razor.
"Everyone knows" is always a dangerous place to stand in any argument.
If you have two large, slow, bureaucratic and uncompetitive companies, then merging them together won't make the resulting giant less so, but the contrary, it'll be even more inefficient and uncompetitive, and then expect government bailouts because now they're too big to fail.
If you believe it, the "I know they are bad" -> "but we need to complete with the boogie man" -> "we need to build our own monopoly" argument is just confusing. So we should make worse products to be competitive?
If you don't believe it, you should be explaining why monopolies make better products, not arguing that desperate times call for desperate abandonment of logic.
Who the fuck invented that logic of "those companies prices are too high, we have to let them consolidate into a monopoly so they lower their prices"?
Civilian transportation has numerous vital roles in supporting a nation during a war.
The two train companies that couldn't merge can still make trains, and still sell them to whomever they want. European purchasers can still buy them. And after reading articles like this one, these two companies have a big competitive advantage: they don't include Chinese backdoors. Maybe they're small now, but if the Chinese train/bus/etc. manufacturing companies end up being blacklisted in the EU, these two companies will grow. And, better yet, there will still be some healthy competition in the space.
I'd like to post some questions for thought:
1. What is exactly the bidding process of that particular transaction the OP described?
2. What is exactly in the contract? Does it force the Chinese company to use a lot of local companies for sub-contracting, at the same time keeping a very low profit? In essence, this basically means the EU companies grabbed the biggest share while the Chinese company just got the job. I'm not saying this is the case, but I highly doubt it IS the case as I heard similar stories from other companies.
Just like someone has the capability to do with virtually everything we have running software.
Siemens (Germany) and Alstom (France)
> It fell down to an anti-monopoly decision by a single person in the EU ministry, who killed the proposal
Margrethe Vestager, the European Commissioner for Competition at the time (2019). At the time of the decision, she said "No Chinese supplier has ever participated in a signaling tender in Europe or delivered a single very high speed train outside China. There is no prospect of Chinese entry in the European market in the foreseeable future." This has since been proven to be a bad prognostication, as China Railway Signal & Communication (CRSC) is actively deploying its ETCS Level 2 signaling system on the Budapest–Beograd railway line in Hungary[1]; and China has delivered trains to Serbia, leased trains to Austria's Westbahn, acquired German locomotive manufacturer Vossloh Locomotives, and participated in a public tender in Bulgaria for electric trains.
She is no longer in that position. She has as of 2024 become "tough on China,"[2] acknowledging mistakes made in the past and touting how "China came to dominate the solar panel industry... and is running the same game now, across strategic industries including electric vehicles, wind turbines and microchips."
She now says Biden's IRA was a mistake, that Europe has been de-industrializing and that is not a good thing, and that Europe has been too afraid to impose tariffs on China out of fear of retaliation from China.
It sounds remarkably similar to the MAGA playbook on trade and re-industrialization.
[1]https://www.railwaygazette.com/infrastructure/china-railway-...
[2]https://www.politico.eu/newsletter/brussels-playbook/vestage...
> ...acknowledging mistakes made in the past "
That's falling somewhat short of admitting she alone fucked that situation up. The US and Canada had already given permission for the merge to bypass antitrust laws.
I do agree that the global market is causing quite some trouble, although that could be avoided by most (all?) countries being nice to each other. Or even excellent to each other!
That still would come at a hefty price for china as that means no or way lower income for quite a lot of chinese companies and people.
The remark stands as yet another regrettable instance of history echoing itself – a lamentable parallel to that uttered by Sir Claude Maxwell MacDonald, whose acquisition of a 99-year lease over the New Territories of Hong Kong on behalf of the British Crown from the Qing dynasty was justified with the breathtakingly short-sighted assertion that it was «as good as forever».
One observes, with increasing weariness, that politicians – regardless of generation or supposed pedigree – remain obstinately immune to the most elementary of truths: history is neither linear nor predictable. It twists, recoils, and devours the complacent. Political decision-making, therefore, ought never be entrusted to those governed by the ephemeral whims of populism – it demands the discipline, foresight, and cold precision of a strategist trained not merely to react, but to foresee. Alas – such minds are in tragically short supply.
If the problem is that Chinese companies are shipping train firmware with backdoors, then you need to ban those companies. Problem is, given the Newag situation[0], I don't think they can actually do this at the level of individual procurements. So they need specific EU directives banning this behavior and explicitly adding a process by which procurement can ban suppliers for prior noncompliance. What facilitating an illegal merger will do is reduce the EU's bargaining power with industry, ensuring that we get more backdoored trains and more risk.
[0] Short version: they got caught shipping firmware that bricks the train if you take it to a third-party repair shop, even though the contract specifically mandated Newag provide repair manuals. EU agencies and member states do not have the power to disqualify Newag from future tenders for failing to adhere to prior ones, so they keep winning contracts
> EU agencies and member states do not have the power to disqualify Newag from future tenders for failing to adhere to prior ones
That seems like a problem that can be fixed, given the political will to do so.
You can write whatever you want into a contract, but if you have no way to validate it, it's meaningless.
Also, the state-owned (and subsidized) Chinese company that doesn't have to play by the West's antitrust rules doesn't need to worry about your "contagion" concerns.
3rd party audit like everything else?
I'm not talking about checking a compliance box, I'm talking about actually confirming no backdoor exists.
So what's the point of a regulation that can't be enforced?
I think this is especially not that big a deal considering the national security implications. I expect Norway would contract with a non-Chinese company for bus, rail, everything from now on due to that, regardless of whether or not they are smaller than the CRCC.
First, merging firms reduce the number of products they sell, with the effects materializing one year after the M&A and accelerating over the next several years.
Second, merging firms tend to drop and add products at the periphery of their joint product portfolio.
Third, the net effect is an increase in the similarity among the products that firms offer following a merger or acquisition.
This finding has been consistently true since people have started measuring merger outcomes, "we find that each merger is associated with a quality decrease (increase) in markets where the merging firms had (had no) pre-merger competition with each other, and the quality change can have a U-shaped relationship with pre-merger competition intensity. Consumer gains/losses associated with quality changes, which we monetize, are substantial " – https://www.sciencedirect.com/science/article/abs/pii/S01677...
It is doubtful that merging two companies would have improved the EU's capability to compete with Chinese state operators. On the other hand, lowering the capital threshold to create a new entrant would definitely improve the EU's competitive position and capabilities, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=cele...
But if you're more consequentialist, you might take it on a case-by-case basis.
This will probably get fixed with software audits necessary for compliance under the NIS2 directive. The EU fixed the problem with more regulation and bureaucracy, ensuring that only the big boys can comply. Protect us from China by becoming China?
Our companies meanwhile are all turning in John Deere, and I'm glad the merger was blocked.
The security part, obviously I do care but this article says very little about it.
https://ec.europa.eu/commission/presscorner/detail/es/ip_19_...
"A slap in the face is more effective than ten lectures. It makes you understand very quickly." —Leopold van Sacher-Masoch
Siemens received the slap in the form of Stuxnet. Industrial controls and transport are not the same business unit, but enough of the message got around internally.
I firmly believe Alstom would not be making such garbage today, at least not from a cybersecurity perspective, had this merger gone ahead. And, let's say, I know quite well exactly what type of hot garbage they unfortunately continue to make.
It's a shame.
Also, why would they purchase busses that they thought couldn't be remotely monitored or controlled?! That seems like a very valuable feature for public transport.
The ones at the top, assuming they're not asleep/drunk at the wheel/there at all, don't have to do much. The machine operates itself.
Here in the US, all of our vehicles have SIM cards and they have for decades. They sent off God knows what data, to God knows who, and they remotely receive commands, too. Could you car be hacked? If it was, would you ever be able to find out? Both of those questions are not easy to answer.
Really, ALL of our tech works this way. That Android phone? It has countless binary blobs doing who-knows-what. It runs proprietary code at ring 0, and has access to the cellular bands. If it was compromised, you wouldn't know, especially if the attack was targeted. The people making the software and hardware are already "exploiting" it right now - mostly to gather data for advertising, ostensibly. But how do you know these systems are secure? We're talking millions of lines of C code, interfacing directly with the hardware, running at maximum privileges, written by people you don't know, which cannot be audited.
Trucks and busses remain with the parent Volvo AB.
The only difference is who could potentially use the backdoor, and yes Sweden seems slightly less poised to attack Norway than China. At least these days. Because, let's face it, the Swedes owned Norway back in the day and them wanting their oil-rich lucky cousin back at home is deranged but not as much as the Chinese wanting the fjords....
See: https://cyberdefence24.pl/cyberbezpieczenstwo/blokady-w-poci...
Here, an article (from June 2025) about Chinese buses full of cameras and other sensors driven regularly inside secret Norwegian army bases. Those buses are to be used during a war or a crisis.
I’m arguing that crippled antitrust and anti-consumer practices are part of the problem that led to Chinese buses full of cameras being deployed in western countries.
I’ll go a step further and claim DMCA, anti-reverse engineering and other copyright-protection policies have further crippled the ability of the west to detect and prevent such foreign tech influence.
And those buses stink like inside of a plastic factory. Never been to a plastic factory, but rode these buses. And the smell is strong even a year into use. Makes you wonder if China has same rules for carcinogenic plastic in consumer goods.
If a state wants to hide strategic "war/espionage" control, they don't use eSims and open mobile communications, trivially discoverable and traceable. Sounds like some bs "IoT" / telemetry shit manufactures are shoving down our throats for over a decade.
The other side is feigning shock at common industry practices (don't all Tesla's require a net connection for example), to paint it as some unique issue, and kill their sales. In other words , just another episode in the trade war.
Not unlike the DJI drones, which added all kinds of shit because the regulators demanded it, and then they act surprised that it has that shit...
For context, for a short while I wrote SW for auto BCM's albeit the security stuff not the drive your batteries stuff.
BYD electric busses have recently rolled out where I live in Sweden.
It's not clear in the article how exactly they discovered it, but by the text that mentions it, I do get the impression they just came across the SIM ports/cards themselves:
> internal tests at a secure facility found Romanian SIM cards inside the buses
But it could also have been that they put the entire bus in a giant Faraday cage (or similar) and tried to see if it emits anything. If they did that, then eSIM or SIM wouldn't have matter, nor where on the bus it was, they'd eventually see it. But if they just physically came across it, then maybe eSIMs would allow them to place them in less accessible areas. But then maybe that wouldn't matter anyways, if the SIM cards are permanently attached anyways.
Bottom line, hopefully wouldn't have made a difference.
Press release (Norwegian): https://www.mynewsdesk.com/no/ruter/pressreleases/ruter-tar-...
And that's what they did. If that was necessary for the conclusions is not said in the article. Only that the remote access could
- Update software (well, that's pretty common)
- Diagnosis (ditto), and
- Manage the control system for battery and power supply.
China disabling our buses? Really? That would be insanely petty and useless. I think maybe we're straining at gnats and swallowing camels, considering virtually all our phones, computers, TVs etc. come with auto update features, usually giving someone in the US the theoretical capability to brick it. And considering what was done to Karim Khan, I'd say they're far more likely to actually use it.
- https://www.theregister.com/2021/02/12/supermicro_bloomberg_... - https://www.wired.com/story/gigabyte-motherboard-firmware-ba...
Soooo, yeah.
By tecchies.
That’s like adding “In Mice,” to headlines of biological breakthroughs.
It’s quite clear that a fairly significant majority of customers don’t hate Apple. They aren’t “brand slaves,” like Harley riders (anymore), but people clearly vote with their wallets.
Microsoft always had the “My work requires it” thing going, but only a couple of industries are majority Apple.
Like it or not, people pay personal money for Apple kit, and they are a demographic that marketers drool over.
It's all the other stuff made in China that is the worry, not the stuff designed by Apple, or Google.
Danish authorities in rush to close security loophole in Chinese electric buses
https://www.theguardian.com/world/2025/nov/05/danish-authori...
They don’t review Windows machines either after the Snowden revelations.
How many wars did the Chinese start in the past century?
1929 – Sino-Soviet Conflict (Chinese Eastern Railway) — ROC authorities moved to seize the CER in Manchuria; the USSR responded militarily. (Initiation: ROC seizure.) 1954–1955 – First Taiwan Strait Crisis — PRC began large-scale shelling of Kinmen/Matsu and amphibious operations (e.g., Yijiangshan). (Initiation: PRC artillery/offensives.) 1958 – Second Taiwan Strait Crisis — PRC opened intense bombardment of Kinmen/Matsu. (Initiation: PRC artillery.) 1962 – Sino-Indian War — PRC launched major offensives in October after a series of frontier incidents. (Initiation: PRC large-scale attack; India calls it unprovoked, PRC says “counter-attack.”) 1967 – Nathu La & Cho La clashes (India border) — Firefights erupted while India was fencing the pass; Chinese forces are generally assessed to have fired first at Nathu La. (Initiation: PRC fire in initial clash.) 1969 – Sino-Soviet Border Conflict — PLA ambushed Soviet troops on Zhenbao/Damansky Island in March; further clashes followed. (Initiation: PRC ambush.) 1974 – Battle of the Paracel Islands (vs South Vietnam) — PLAN/PLA forces expelled RVN units and took full control of the Paracels. (Initiation: PRC naval attack in contested area.) 1979 – Sino-Vietnamese War — PRC invaded northern Vietnam in February. (Initiation: PRC cross-border invasion.) 1984–1989 – Sino-Vietnamese Border War (post-1979 phase) — PRC mounted periodic offensives and artillery duels (e.g., Laoshan/Johnson Mountain). (Initiation: multiple PRC attacks in a protracted conflict.) 1988 – Johnson South Reef Skirmish (Spratlys, vs Vietnam) — PLAN engaged Vietnamese forces and seized the reef. (Initiation: PRC assault during standoff.)
Internal (civil/unification campaigns) 1926–1928 – Northern Expedition — ROC (KMT) launched a national unification war against warlords. (Initiation: ROC campaign.) 1930–1934 – Encirclement Campaigns against the Chinese Soviet — ROC initiated successive large operations against CCP base areas. (Initiation: ROC offensives.) 1949–1950 – Hainan & Zhoushan/Coastal-Islands Campaigns — PRC amphibious operations against ROC-held islands during the civil war endgame. (Initiation: PRC landings.) 1950–1951 – Tibet (Chamdo campaign → occupation) — PLA entered eastern Tibet and compelled the Seventeen-Point Agreement. (Initiation: PRC invasion; PRC frames as “peaceful liberation.”)
Regardless, not sure why any of this matters. I'm not one of those "China bad!" hand-wringers, but if you don't believe the Chinese government is a threat to western countries' sovereignty and economies, I've got a bridge I'd like to sell you.
And what's the going rate for posting this nonsense online?
Personally, I'd like to skip over all of the buildup and go straight to hoverboard mafia pizza delivery.
I need to re-read that book, one of my all time favourites.
Why Israel Just Banned 700 Chinese Cars from Its Military—And What It Means for Security - https://securityboulevard.com/2025/11/why-israel-just-banned...
IDF recalls 700 Chinese EVs used by senior officers over security concerns - https://www.thejc.com/news/israel/idf-recalls-chinese-evs-se...
next it will be cranes all sensored up to detect cable stretch or who know what
and didn't china just go ahead and hack the pentagon, but wooooo, Norwiegen bus hacking wooooo
For obvious reasons, non-CBTC trains are not remotely controllable (CBTC essentially means "remotely driven"). It's all or nothing; either a safety system that inherently accepts the risk, or no way to remotely control the speed, short of fully stopping the train.
If modern cars have been fully remotely controllable for years, why can't police stop often-deadly car chases?
Ditto on air traffic control and small planes; many don't even have in-plane automatic pilots. AFAIK no ultralights ever do.
Most boats are not remotely controllable; even the large container ship that recently damaged a major US bridge didn't.
They want to retain the power of discretionary action. If the powers that be employed their 1984 stuff all the time over trivial things people wouldn't support them. Part of this means they don't give the beat cops those toys.
Also, there's a difference between "can be" and "are". Like there's god knows how many numbers of compatibility layers and intermediary systems I bet even if the capability exists it's broken more often than it's not. Diverse software systems take a ton of constant work to maintain.
During the "last years of XP" era you probably could have theoretically taken down half the world's industry on paper but if you tried to do so at scale without literal years of prep and testing you'd have been foiled by the 50% of machines where you payload just didn't work for some obscure reason.
Every road vehicle sold today has a sim card, most for diagnostics, some for remote control.
Even you admit that most of them aren't for remote control, so what are you agreeing with?
Not putting this information in the fine print is fraudulent behaviour
Hm? Not a single bus on the road in my city can be turned off remotely. There's never been one ever, since bus transport started. So why should, no, must, that be a feature of new buses?
Do you imagine some benevolent authority sits in your town with a finger on the kill switch for every vehicle in motion?
If it were in the specs from the beginning, there would be no issue. This isn't a "click here to accept" thing; multiple people scan the technical data in these projects.