On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation.
AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property.
Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here.
Estonia’s implementation of the EECC included an ex ante authorisation system requiring ECN providers to obtain government approval for hardware and software prior to deploying it in their networks. Under this framework, the Estonian government concluded that Huawei, among others, was a “high‑risk” vendor on the basis that use of its equipment could harm national security. The Estonian government therefore granted permits for Elisa Eesti AS to use Huawei equipment in its networks for a limited time only—effectively requiring it to strip Huawei equipment from its networks by set dates.
Elisa Eesti AS challenged these decisions and the underlying regime, which led the Estonian courts to refer several questions to the CJEU. AG Capeta’s main conclusions were:
- EU law applies to national 5G security authorization schemes. The AG first determined that the CJEU does have jurisdiction to hear this case because the Estonian legal framework derives from EU law. Specifically, she noted that Article 40(1) of the EECC requires Member States to adopt rules to ensure the “security of networks and services,” which the Estonian regime clearly aimed to do. She also concluded that even though the Estonian authorization regime is designed to protect national security, that does not take it outside the scope of European law. This is consistent with prior CJEU jurisprudence holding that Member States have sole competence to determine how to protect national security, but “the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable.”
- Estonia’s prior authorization regime is a restriction on the freedom to provide an ECN. Article 12(1) EECC establishes an organization’s freedom to provide an ECN subject to the conditions set out in the EECC, and prohibits Member States from preventing organizations from providing an ECN unless necessary for one of the reasons set out in Article 52(1) of the Treaty on the Functioning of the European Union (“TFEU”). The key question here was whether Estonia’s prior authorization regime was a “condition” of providing an ECN or a “restriction” on Elisa Eesti AS’s freedom to provide one. AG Capeta concluded that it was a restriction, on the basis that characterizing a regime intended to ensure the security of ECNs as a condition (which would not be subject to the same level of judicial review) would make it much easier for Member States to restrict the freedom to provide an ECN. This would undermine one of the key purposes of the EECC—to promote a single market for ECNs. She also noted that requirements for prior authorization before offering goods and services, or transferring capital, are typically treated as restrictions on rights to free movement of goods, services, and capital.
- Non-notification of the prior authorization regime did not mean it was inapplicable. Elisa Eesti AS argued before the Court that the Estonian government should have notified the European Commission of its prior authorization regime and failed to do so. AG Capeta noted that whether the Estonian Government did make such a notification is not clear from the facts, but concluded that even if it did not, this should not render the regime inapplicable. She noted in particular that the EECC does not require the Commission to, for example, approve any Member State limitations on the freedom to provide an ECN, so non-notification would not mean that the regime cannot take effect.
- Estonia’s prior authorization regime will be a lawful restriction if it is proportionate. AG Capeta reiterated that restrictions on the freedom to provide an ECN will only be lawful if they are proportionate to meet one or more of the aims set out in Article 52(1) TFEU. The TFEU refers to national security as a valid aim, and AG Capeta noted that protecting the security of ECNs is an element of a Member State’s public security. She went on to state that the referring court must establish whether the regime provides for a sufficiently robust risk assessment to be carried out, and that this must assess (among other things) whether the specific equipment at issue genuinely presents a risk to national security. This assessment should take into account “the use for which such equipment is intended, whether the risks associated with the State in which the manufacturer is established are projected onto the manufacturer, and whether the risks associated with the manufacturer are projected onto the specific hardware and software.” However, it cannot be based solely on geopolitical concerns. While AG Capeta stated that it should be left to the Estonian courts to conclude whether this standard is met, she expressed broad approval of the level of detail required for risk assessments carried out under the Estonian regime.
- The Estonian government’s order did not constitute a “deprivation” of property requiring compensation. Finally, AG Capeta considered whether the Estonian government’s order against Elisa Eesti AS “deprived” the ECN provider of property such that it infringed Elisa Eesti AS’s rights under Article 17 of the Charter. She concluded that it did not, because the orders in question allowed Elisa Eesti AS to use Huawei equipment until specified dates (31 December 2029 for equipment used in 2G-4G networks, and 31 December 2025 for equipment used in 5G networks).
The CJEU’s final judgment in this case will be one for ECN providers to watch closely, particularly in light of the ongoing negotiations on revisions to the Cybersecurity Act, which would provide for an EU-wide mechanism to remove high-risk providers’ components from ECNs.
* * *
Covington’s Privacy and Cybersecurity team continues to monitor developments in this case and on the proposed changes to the Cybersecurity Act. If you would like support assessing how this case or changes to the law may affect your organization, please let us know.