{"id":205476,"date":"2026-04-24T09:05:00","date_gmt":"2026-04-24T13:05:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/24\/cybersecurity-meets-geopolitics-at-top-eu-court\/"},"modified":"2026-04-24T09:20:10","modified_gmt":"2026-04-24T13:20:10","slug":"cybersecurity-meets-geopolitics-at-top-eu-court","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/24\/cybersecurity-meets-geopolitics-at-top-eu-court\/","title":{"rendered":"Cybersecurity Meets Geopolitics at Top EU Court"},"content":{"rendered":"

Cybersecurity Meets Geopolitics at Top EU Court<\/a><\/p>\n

https:\/\/www.justsecurity.org\/135240\/cybersecurity-geopolitics-eu-court\/<\/a><\/p>\n

Publish Date: 2026-04-24 09:05:00<\/a><\/p>\n

Source Domain: www.justsecurity.org<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. On March 19, Advocate General Tamara \u0106apeta of the Court of Justice of the European Union (CJEU) issued an advisory opinion in Case C\u2011354\/24, Elisa Eesti AS v. Estonian Government Security Committee. The case concerns whether the Estonian government could lawfully compel Elisa Eesti AS, a mid-sized Baltic operator, to remove Huawei products from its network due to national security concerns. \u0106apeta found that, under EU law, it could. The Advocate General\u2019s opinion is non-binding and intended to help the Court reach a judgment grounded in its existing jurisprudence, so while the final judgement is still pending, the advisory opinion may play an important role in shaping the European Union\u2019s cyber and information and communications technology (ICT) supply chain security regulation\u2014especially the future of high-risk vendors across Europe.
\nWhen Telecom Services Become a National Security Flashpoint
\nElisa Eesti AS is a subsidiary of the Finnish telecommunications company Elisa Oyj and one of three nationwide mobile network operators in Estonia. Its core network is composed of hardware and software from Ericsson and Nokia, both companies based in Europe, but its mobile radio network is manufactured by Huawei, a major Chinese ICT infrastructure provider. In 2022, Elisa Eesti AS applied to Estonia\u2019s Office of Consumer Protection and Technical Supervision (TTJA) for ex ante authorization to use Huawei hardware and software in its 2G-4G and 5G mobile networks deployed in Estonia.
\nThe Estonian Electronic Communications Act, which establishes requirements for the provision of electronic communications services in the country, mandates that hardware and software used in communications networks must not pose a risk to national security. After consulting with the Estonian Security Committee\u2019s Cybersecurity Council (as required by the act), the TTJA issued a time\u2011limited usage permit, effectively preventing Elisa Eesti AS from continuing to deploy the Huawei products in question beyond a limited transitional period. The central justification was not the specific technical features of each component, but the fact that all of them were manufactured by Huawei, which Estonian authorities classified as a high\u2011risk supplier.
\nElisa Eesti AS challenged the decision before the Tallinn Administrative Court, one of the two first instance courts in Estonia hearing administrative matters, arguing that Estonian authorities did not demonstrate the existence of a risk to national security, the likelihood of the alleged risk materializing, or the potential damage arising from the deployment of the equipment at issue. The Estonian court then referred several questions to the CJEU. Elisa Eesti AS has become a test case on how far EU member States may go under EU law in excluding certain foreign vendors from critical digital infrastructure on national security grounds, including relying on non-binding guidance as justification, such as the EU coordinated risk assessment of 5G network cybersecurity.
\n\u0106apeta\u2019s March 19 advisory opinion in Elisa Eesti proposes that EU member States may, in principle, exclude hardware and software from their 2G-4G and 5G telecom networks when the manufacturer is considered to pose a risk to national security. In other words, \u0106apeta found that EU law does not preclude vendor\u2011based restrictions directed at companies such as Huawei, even when those restrictions affect currently deployed equipment. Although the opinions issued by Advocates General are formally non-binding, they influence both outcome of cases and development of the European Union\u2019s legal doctrine.
\nDivergent Member\u2011State Approaches to High\u2011Risk Providers
\nAcross the European Union, member States have taken markedly different approaches to high\u2011risk telecom suppliers, which has made Elisa Eesti AS a significant focal point. In addition to Estonia and the European Commission, Czechia, Denmark, France, Italy, Finland, Spain and Sweden submitted written observations to the CJEU.
\nWhile some governments, such as Sweden and Latvia, have moved early to effectively ban Huawei and ZTE (a company partially owned by the Chinese government) from core 5G networks, others have opted for partial restrictions or have been slow to act upon the European Commission\u2019s recommendation. In the case of the Estonian Electronic Communications Act (ESS), the high-risk nature of a company is assessed on the basis of 12 criteria, including whether the producer\u2019s country of domicile 1) does not observe or respect democratic and human rights principles, 2) exhibits aggressive behavior in cyberspace, 3) has conducted cyberattacks against EU member States, and 4) subjects the producer to government or State authority with no independent judicial control. All four of these conditions are met in the case of Huawei, which a variety of intelligence and cybersecurity agencies have labeled as a national security risk due to the company\u2019s links to Chinese authorities.
\nA series of Commission and independent stock\u2011taking reports found that only around 10 to 11 member States had adopted concrete legal measures to restrict or exclude high\u2011risk vendors, with many others still relying on general framework powers or pending legislation, leading to a patchwork of national regimes across the European Union. For example, Germany\u2014which has engaged in direct negotiations with telecom companies and has been criticized for lagging in implementation of the European Union\u2019s 5G security recommendations\u2014 announced in 2024 that it would remove Huawei and ZTE components from core 5G networks by the end of 2026. Other EU member States face similar lengthy processes to implement the multi-billion-euro \u201crip and replace\u201d programs in markets heavily dependent on Chinese radio access equipment, especially in the absence of U.S.-style assistance funds. Ultimately, domestic courts in EU member States may be called upon to decide if 5G security measures conflict with the telecom companies\u2019 right to property established by the EU Charter of Fundamental Rights\u2014even if such measures might be justified and necessary\u2014and whether they might have recourse to fair compensation. That point matters for the broader political economy of 5G policies.
\n\u201cYes\u201d to Exclusions, But Not Without Conditions
\nAgainst this backdrop, \u0106apeta\u2019s advisory opinion offers a common EU\u2011law template that can discipline both aggressive and reluctant national approaches: it validates the possibility of vendor\u2011based exclusions, but demands that each member State articulate specific risk assessments rather than hiding behind blanket bans on grounds of national security\u2014a conclusion confirmed by earlier cases (e.g. Kadi, C\u2011402\/05 P and C\u2011415\/05 P).
\nThe opinion sets out several key constraints. First, exclusionary measures must remain proportionate under EU law, even when justified by national security. Authorities must show that exclusions are suitable, necessary, and not excessive in light of the assessed national risks. Second, member States may treat third\u2011country manufacturers differently from EU\u2011based suppliers, but cannot rely on general suspicion or broad geopolitical distrust alone. Third, authorities must carry out a specific assessment of the intended use of the equipment, its functionality, location, and importance in the network, and of the concrete risks associated with that use. Finally, impacted operators must have access to effective judicial review, including review of whether the risk assessment and proportionality analysis satisfy EU\u2011law requirements.
\nBeyond Elisa Eesti AS, \u0106apeta\u2019s opinion sits atop a solid body of EU law that treats national security as a real but reviewable constraint rather than a carte blanche. The CJEU has already made clear that although the European Union cannot decide what is necessary for, and how to protect the security of, its members, the invocation of national security when regulating does not exempt them from the need to comply with EU law (Protectus, C\u2011185\/23). In the 1980s, the European Union\u2019s highest court recognized that the concept of public security goes beyond just law and order. The CJEU held that the concept may also attach to other kinds of threats to a member State\u2019s institutions, its essential public services, and the needs of society more generally (Campus Oil Limited and Others, Case 72\/83). Later, the CJEU also recognized that the security of telecom infrastructure may constitute an element of a state\u2019s public security (Radiosistemi, Case C\u2011388\/00 and C\u2011429\/00). Elisa Eesti AS extends that logic into the specific context of vendor\u2011based exclusions in telecom networks: it accepts that States may act on the basis of broader geopolitical and intelligence\u2011driven concerns, but insists they translate those concerns into specific, equipment\u2011 and use\u2011based risk assessments that courts and operators can actually test.
\nNotably, there is no prior CJEU judgment that squarely addresses 5G vendor bans, which explains why this opinion is an important one. Instead, prior to this case, CJEU guidance had to be reconstructed from adjacent fields such as data retention, investment screening, golden shares and restrictive measures, where the CJEU has consistently refused to treat national security as automatically trumping internal\u2011market obligations and fundamental rights. This case is therefore poised to become the reference point for future litigation on vendor bans and supply\u2011chain exclusions in critical infrastructure.
\nFrom the 5G Toolbox to the ICT Supply Chain Security Toolbox
\nThe opinion arrives just as the European Union launches a broader Toolbox that provides a common approach on how to identify, assess, and mitigate cybersecurity risks in ICT supply chains, and a proposal for a revised Cybersecurity Act. That toolbox explicitly pushes governments to look beyond purely technical vulnerabilities to non\u2011technical risks such as foreign interference, ownership structures, and political pressure\u2014precisely the factors that led Estonia to treat Huawei as a high\u2011risk vendor in Elisa Eesti AS.
\n\u0106apeta\u2019s emphasis on specificity and proportionality effectively becomes a legal design principle for the toolbox. It suggests that national or EU\u2011level lists of high\u2011risk suppliers will only withstand scrutiny if they are tied to clear, context\u2011specific explanations of why particular products, in particular parts of a network or supply chain, pose unacceptable risks. In that sense, the Elisa Eesti AS case functions as an early stress test for the toolbox: it shows what may happen when high\u2011level toolbox guidance and national intelligence lead to\u00a0 binding vendor exclusions and are then subjected to CJEU\u2011level review. For operators, that means more litigation and more documentation; for regulators, it means that intelligence\u2011driven concerns must be translated into reason\u2011giving, contestable decisions rather than implemented through opaque black\u2011lists. In addition, decisions about who is allowed or excluded from the European market will likely carry implications for the European Union\u2019s international cyber partnerships and digital infrastructure investments under Global Gateway. Addressing ICT risks to such investments is increasingly part of the EU\u2019s broader risk management methodology in international cooperation and will only gain importance, including in projects concerning satellite connectivity and submarine cables. It will also provide additional guidance for EU policymakers as they define the EU tech business offer, aimed to promote European companies among international partners.
\nBalancing Legal and Technical Expertise\u00a0
\nOne striking feature of Elisa Eesti AS is institutional: the core decision originated with TTJA, a consumer protection and technical supervision authority, not with a defense ministry or intelligence service. This institutional design reflects how cybersecurity regulation has migrated into sectors once dominated by consumer and competition logics, even as the underlying drivers are increasingly geopolitical and intelligence\u2011driven.
\nThe opinion raises an important point about the capacity of courts to intervene in highly technical cases. \u0106apeta makes it clear that given the requirement of \u201cdeep knowledge of the technical, political and security aspects\u201d of the case, the assessment of a potential risk posed by a specific manufacturer, its equipment, or the use of that equipment \u201ccannot be made by the EU Courts.\u201d It does not mean, however, that courts cannot rely on existing judicial techniques and methods to assess the explanation and rationale provided by other competent authorities.
\n\u0106apeta\u2019s opinion effectively invites courts to probe how these hybrid administrative bodies translate national security assessments\u2014often informed by classified intelligence\u2014into concrete, reviewable decisions affecting private operators. The requirement of a specific equipment\u2011and\u2011use\u2011based risk assessment acts as a legal check on the temptation to simply transpose high\u2011level geopolitical distrust into blanket vendor exclusions. It also highlights practical questions raised for many years now about how much underlying intelligence must be disclosed or summarized to allow meaningful judicial review, how courts should evaluate proportionality when they cannot fully see the evidence base, and how much discretion national authorities should enjoy when threat landscapes and alliance politics evolve rapidly.
\nIndeed, the most important long\u2011term implication of Elisa Eesti AS may be the way it forces European courts and regulators to grapple with intelligence\u2011driven risk assessments. Telecom operators are being asked to absorb significant costs and operational risks based on national security determinations they cannot fully see, let alone effectively contest. \u0106apeta\u2019s insistence on specificity and proportionality creates a legal vocabulary for pushing back: not against the idea of security\u2011based exclusions as such, but against opacity and over\u2011breadth.
\nLooking Ahead
\nAlthough Advocates General exercise multifaceted influence over the CJEU case law and play an important role in the European Union\u2019s legal system, politically salient cases like Elisa Eesti AS constitute a real test of their powers. In this sense, \u0106apeta\u2019s opinion does not predetermine how far the CJEU will go eventually in endorsing her intensity of review over national\u2011security and intelligence\u2011driven risk assessments.
\nIf the CJEU follows the opinion, more litigation by operators challenging vendor bans and phase\u2011out orders is likely to follow, contributing to a growing body of case law on how to review security decisions that rely on classified intelligence, and an enhanced role for consumer protection and sectoral regulators as front\u2011line implementers of national security policy. Elisa Eesti AS is thus more than a technical dispute about Huawei base stations in a small Baltic market; it is an early template for how liberal legal orders will try to discipline their own security states as geopolitical rivalry hardens into long\u2011term technology decoupling.
\nFEATURED IMAGE: Wooden gavel on European Union flag.
<\/p>\n","protected":false},"excerpt":{"rendered":"

Cybersecurity Meets Geopolitics at Top EU Court https:\/\/www.justsecurity.org\/135240\/cybersecurity-geopolitics-eu-court\/ Publish Date: 2026-04-24 09:05:00 Source Domain: www.justsecurity.org…<\/p>\n","protected":false},"author":1,"featured_media":205477,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.justsecurity.org\/wp-content\/uploads\/2026\/03\/GettyImages-1575772176.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-205476","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205476"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=205476"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205476\/revisions"}],"predecessor-version":[{"id":205478,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205476\/revisions\/205478"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/205477"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=205476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=205476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=205476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}