Tinker, Tailor, Soldier, Semiconductor: Accusations of Cyber Espionage Threaten to Further Disrupt Global Semiconductor Supply Chains

Following fresh reports from China implying that researchers have managed to replicate ASML’s 13.5 Nanometer (nm) production of light within its semiconductor chips, the Dutch defense minister, Ruben Brekelmans, has accused the Chinese government of using cyber espionage techniques to steal ASML Intellectual Property (IP), via zero-day exploits and endpoint device compromises. This latest allegation comes on the back of repeated claims from Dutch intelligence agencies regarding China’s cyber espionage activities within the Dutch semiconductor industry, attesting that state-backed spies infiltrated Dutch military servers and NXP’s network via cyber means in 2023, including using a Remote Access Trojan (RAT) to maintain persistent system access. Later, in February 2024, Dutch intelligence services publicly attributed these cyber espionage activities to the Chinese government; however, the first restrictions on Chinese buyers of Dutch semiconductors were introduced as early as September 2023, demanding that Dutch companies hold a license to export technology used in advanced semiconductor production to China, i.e., Extreme Ultraviolet (EUV) and Deep Ultraviolet (DUV) lithography tools, including ASML’s NXT:2000 series. These controls were expanded in September 2024 to include ASML’s TWINSCAN NXT:1970i and 1980i DUV immersion lithography systems and again in April 2025 to include defect detection technology in wafers, and post-deposition and etching measurement technologies in the wake of the ongoing U.S.-China tariff war.

The Dutch government’s Chinese trade policies are reflective of the surge of nationalist-protectionist economic policies, increasing fragmentation of global supply chains, and the shift toward deglobalization. While both the Chinese foreign ministry and Chinese conglomerate Huawei have rebuffed the Dutch government’s attempt to attribute recent technological advancements to state-backed cyber espionage, the allegations alone have far-reaching effects across the semiconductor supply chain. Export controls have already contributed to the regionalization of semiconductor manufacture and additional restrictions will further reshape trade dynamics, forcing vendors to adapt their market strategies to match shifting supply chains and an increasingly fractious market. Although ASML does not directly rely on China for raw materials, supply chain disruptions may impact raw material availability globally, particularly of gallium and germanium, which are produced by China and used in chip manufacturing. Additionally, as retaliatory economic action becomes an increasingly hallmark feature of deepening international trade tensions, cost increases, delays, and restrictions on raw materials exports will detrimentally affect ASML’s semiconductor production, and as the Netherlands holds a major share of the global semiconductor market, this will affect semiconductor availability both regionally in Europe and on an international scale. The indispensable nature of semiconductors across electronic devices means that potential scarcities or delays have widespread effects throughout the technological ecosystem, leaking out beyond the semiconductor market to other subsegments, with dire consequences for states’ economies and technological innovation.

Notwithstanding the newest export controls themselves, the public attribution of cyber espionage activities to the Chinese state has legal and political consequences in the international arena. International law is generally prohibitive, following the principle of presumptive legality. Thus, actions not expressly prohibited via custom or treaties are generally presumed legal. As no state consensus has been achieved on the legality of cyber espionage, no customary law prohibiting it has yet been crystallized, rendering the legality of China’s alleged activities dependent on the espionage amounting to a use of force or an armed attack. Reaching either of these thresholds would trigger the international law of state responsibility or the right to self-defense, enabling the Netherlands to resort to either proportionate countermeasures or use force to counter the “armed attack.” Yet, questions continue to swirl regarding whether cyber operations can meet the severity, immediacy, directness, and invasiveness requirements to constitute a use of force or whether the damage and destruction caused by cyber espionage are grave enough to warrant an armed attack. Moreover, to legally attribute the alleged espionage to the Chinese government, the Dutch would have to meet the overall control test, proving that those conducting the espionage were acting on the instructions or under the direction and control of China in carrying out that conduct. Thus, for now, the Dutch allegations remain a political, rather than legal attribution, especially given the technical complexities involved with the latter. Despite lacking legal consequences, this political attribution is likely to exacerbate state tensions and prompt additional country-specific tariffs, undermining the principles of equal and non-differential treatment that underline the multilateral trading regime, and further weakening the security and predictability that comes with that regime.

Given the continuing uncertainty within international law regarding cyber espionage, national legal regimes are expected to fill the existing gaps; for example, the Dutch government has already approved new legislation criminalizing cyber espionage and expanded existing laws governing sensitive information sharing and leaks. While this new legislation applies beyond the nationality principle, affecting all citizens acting within the Netherlands’ physical and digital territory, its penalties are limited criminal proceedings against individuals in breach of these provisions. Only international law provides recourse against the state itself, limiting the effectiveness of national law against state-backed espionage or cyberattacks. Close continued collaboration between nation states, Non-Governmental Organizations (NGOs), critical infrastructure operators, and vendors is required to push closer toward increased clarity on the international legal stance on cyber operations and espionage. Reaching consensus between states, however, is a long, uphill battle, particularly in the cyber domain where no state wants to preemptively concede prospective cyber weaponry.

Thus, in the meantime, vendors must prioritize flexibility across supply chains; reconfiguring these to reduce dependencies on any one state or vendor and to maximize reactivity to dynamic market fluctuations. Vendors should integrate proactive analysis of potential vulnerabilities and contextualization of all prospective risks within their specific business context into their market strategies, leaning on both external analytical support and Artificial Intelligence (AI)-enhanced data analytics to assist with shifting market dynamics and to retain market competitiveness. European chip vendors that want to retain their lead on semiconductor production must continue to prioritize the IP of chip juggernauts like ASML, NXP, Infineon, and STMicroelectronics. However, despite remaining legal uncertainties, the legality of any protectionary measures remains paramount. While attribution is inherently politicized, working alongside states to improve the technical attribution of cyber interference or attacks and to limit disproportionate or punitive retaliatory measures is key to curbing over-politicization and worsening state relations. Deglobalization is not a foregone conclusion. Rather, vendors and state actors alike must work to secure continued adherence to the principles of equality and mutual respect that underpin successful world trading.