EU Court to Clarify EU Boundaries on National Security Measures Following Elisa Eesti Opinion
On 19 March 2026, EU Advocate General Ćapeta issued her opinion in Elisa Eesti (C-354/24), confirming that Estonian measures requiring mobile operators to remove non-EU 5G equipment from their networks, while grounded in national security, remain subject to strict proportionality review under EU law.
This case concerns the applicability of EU law to a Member State (Estonia) law based on national security requiring telecom operators to obtain prior authorization for the use of 5G hardware and software in their networks allowing for the exclusion of equipment manufactured by companies deemed high-risk suppliers. The referring court asked the Court of Justice of the EU to clarify the extent to which such measures must comply with EU law, including fundamental right protections. In summary, the opinion emphasizes:
- No immunity from EU law for national security measures. National security remains the sole responsibility of each Member State. However, measures adopted on security grounds do not render EU law inapplicable or exempt Member States from their obligations under the Treaties.
- Full proportionality review required. Any measure restricting the freedom to provide network equipment and services is subject to judicial review and must satisfy a rigorous proportionality assessment. Such a measure may be imposed only where a Member State demonstrates a security risk that is "genuine, present, and sufficiently serious." A Member State cannot rely on a "general suspicion" based solely on the origin of the equipment manufacturer. Rather, national authorities must conduct a "specific assessment of the intended equipment and its associated risks," establishing a clear link between those risks and the State in which the manufacturer is established.
- Right to fair compensation. The opinion also recognizes that where the burden arising from such restrictions is disproportionately heavy, affected companies may be entitled to "fair compensation" under Article 17(1) of the Charter of Fundamental Rights of the EU.
While the Advocate General's opinion is not binding, it frequently signals the direction of the EU court's ultimate reasoning. A judgment by the court is anticipated before year-end.
The outcome will be closely watched by all industrial sectors as the relevance of this case spans beyond the field of electronic communications. It will notably serve as an early test of the EU's proposed overhaul of the Cybersecurity Act, potentially shaping how the envisaged framework to strengthen the security of information and communication technology, or ICT, supply chains across critical sectors may be interpreted going forward.
