Cybersecurity Meets Geopolitics at Top EU Court


On March 19, Advocate General Tamara Ćapeta of the Court of Justice of the European Union (CJEU) issued an advisory opinion in Case C‑354/24, Elisa Eesti AS v. Estonian Government Security Committee. The case concerns whether the Estonian government could lawfully compel Elisa Eesti AS, a mid-sized Baltic operator, to remove Huawei products from its network due to national security concerns. Ćapeta found that, under EU law, it could. The Advocate General’s opinion is non-binding and intended to help the Court reach a judgment grounded in its existing jurisprudence, so while the final judgment is still pending, the advisory opinion may play an important role in shaping the European Union’s cyber and information and communications technology (ICT) supply chain security regulation—especially the future of high-risk vendors across Europe.

When Telecom Services Become a National Security Flashpoint

Elisa Eesti AS is a subsidiary of the Finnish telecommunications company Elisa Oyj and one of three nationwide mobile network operators in Estonia. Its core network is composed of hardware and software from Ericsson and Nokia, both companies based in Europe, but its mobile radio network is manufactured by Huawei, a major Chinese ICT infrastructure provider. In 2022, Elisa Eesti AS applied to Estonia’s Office of Consumer Protection and Technical Supervision (TTJA) for ex ante authorization to use Huawei hardware and software in its 2G-4G and 5G mobile networks deployed in Estonia.

The Estonian Electronic Communications Act, which establishes requirements for the provision of electronic communications services in the country, mandates that hardware and software used in communications networks must not pose a risk to national security. After consulting with the Estonian Security Committee’s Cybersecurity Council (as required by the act), the TTJA issued a time‑limited usage permit, effectively preventing Elisa Eesti AS from continuing to deploy the Huawei products in question beyond a limited transitional period. The central justification was not the specific technical features of each component, but the fact that all of them were manufactured by Huawei, which Estonian authorities classified as a high‑risk supplier.

Elisa Eesti AS challenged the decision before the Tallinn Administrative Court, one of the two first instance courts in Estonia hearing administrative matters, arguing that Estonian authorities did not demonstrate the existence of a risk to national security, the likelihood of the alleged risk materializing, or the potential damage arising from the deployment of the equipment at issue. The Estonian court then referred several questions to the CJEU. Elisa Eesti AS has become a test case on how far EU member States may go under EU law in excluding certain foreign vendors from critical digital infrastructure on national security grounds, including relying on non-binding guidance as justification, such as the EU coordinated risk assessment of 5G network cybersecurity.

Ćapeta’s March 19 advisory opinion in Elisa Eesti proposes that EU member States may, in principle, exclude hardware and software from their 2G-4G and 5G telecom networks when the manufacturer is considered to pose a risk to national security. In other words, Ćapeta found that EU law does not preclude vendor‑based restrictions directed at companies such as Huawei, even when those restrictions affect currently deployed equipment. Although the opinions issued by Advocates General are formally non-binding, they influence both the outcome of cases and the development of the European Union’s legal doctrine.

Divergent Member‑State Approaches to High‑Risk Providers

Across the European Union, member States have taken markedly different approaches to high‑risk telecom suppliers, which has made Elisa Eesti AS a significant focal point. In addition to Estonia and the European Commission, Czechia, Denmark, France, Italy, Finland, Spain and Sweden submitted written observations to the CJEU.

While some governments, such as Sweden and Latvia, have moved early to effectively ban Huawei and ZTE (a company partially owned by the Chinese government) from core 5G networks, others have opted for partial restrictions or have been slow to act upon the European Commission’s recommendation. In the case of the Estonian Electronic Communications Act (ESS), the high-risk nature of a company is assessed on the basis of 12 criteria, including whether the producer’s country of domicile 1) does not observe or respect democratic and human rights principles, 2) exhibits aggressive behavior in cyberspace, 3) has conducted cyberattacks against EU member States, and 4) subjects the producer to government or State authority with no independent judicial control. All four of these conditions are met in the case of Huawei, which a variety of intelligence and cybersecurity agencies have labeled as a national security risk due to the company’s links to Chinese authorities.

A series of Commission and independent stock‑taking reports found that only around 10 to 11 member States had adopted concrete legal measures to restrict or exclude high‑risk vendors, with many others still relying on general framework powers or pending legislation, leading to a patchwork of national regimes across the European Union. For example, Germany—which has engaged in direct negotiations with telecom companies and has been criticized for lagging in implementation of the European Union’s 5G security recommendations—announced in 2024 that it would remove Huawei and ZTE components from core 5G networks by the end of 2026. Other EU member States face similarly lengthy processes to implement the multi-billion-euro “rip and replace” programs in markets heavily dependent on Chinese radio access equipment, especially in the absence of U.S.-style assistance funds. Ultimately, domestic courts in EU member States may be called upon to decide if 5G security measures conflict with the telecom companies’ right to property established by the EU Charter of Fundamental Rights—even if such measures might be justified and necessary—and whether they might have recourse to fair compensation. That point matters for the broader political economy of 5G policies.

“Yes” to Exclusions, But Not Without Conditions

Against this backdrop, Ćapeta’s advisory opinion offers a common EU‑law template that can discipline both aggressive and reluctant national approaches: it validates the possibility of vendor‑based exclusions, but demands that each member State articulate specific risk assessments rather than hiding behind blanket bans on grounds of national security—a conclusion confirmed by earlier cases (e.g. Kadi, C‑402/05 P and C‑415/05 P).

The opinion sets out several key constraints. First, exclusionary measures must remain proportionate under EU law, even when justified by national security. Authorities must show that exclusions are suitable, necessary, and not excessive in light of the assessed national risks. Second, member States may treat third‑country manufacturers differently from EU‑based suppliers, but cannot rely on general suspicion or broad geopolitical distrust alone. Third, authorities must carry out a specific assessment of the intended use of the equipment, its functionality, location, and importance in the network, and of the concrete risks associated with that use. Finally, impacted operators must have access to effective judicial review, including review of whether the risk assessment and proportionality analysis satisfy EU‑law requirements.

Beyond Elisa Eesti AS, Ćapeta’s opinion sits atop a solid body of EU law that treats national security as a real but reviewable constraint rather than a carte blanche. The CJEU has already made clear that although the European Union cannot decide what is necessary for, and how to protect the security of, its members, the invocation of national security when regulating does not exempt them from the need to comply with EU law (Protectus, C‑185/23). In the 1980s, the European Union’s highest court recognized that the concept of public security goes beyond just law and order. The CJEU held that the concept may also attach to other kinds of threats to a member State’s institutions, its essential public services, and the needs of society more generally (Campus Oil Limited and Others, Case 72/83). Later, the CJEU also recognized that the security of telecom infrastructure may constitute an element of a state’s public security (Radiosistemi, Case C‑388/00 and C‑429/00). Elisa Eesti AS extends that logic into the specific context of vendor‑based exclusions in telecom networks: it accepts that States may act on the basis of broader geopolitical and intelligence‑driven concerns, but insists they translate those concerns into specific, equipment‑ and use‑based risk assessments that courts and operators can actually test.

Notably, there is no prior CJEU judgment that squarely addresses 5G vendor bans, which explains why this opinion is an important one. Instead, prior to this case, CJEU guidance had to be reconstructed from adjacent fields such as data retention, investment screening, golden shares and restrictive measures, where the CJEU has consistently refused to treat national security as automatically trumping internal‑market obligations and fundamental rights. This case is therefore poised to become the reference point for future litigation on vendor bans and supply‑chain exclusions in critical infrastructure.

From the 5G Toolbox to the ICT Supply Chain Security Toolbox

The opinion arrives just as the European Union launches a broader Toolbox that provides a common approach on how to identify, assess, and mitigate cybersecurity risks in ICT supply chains, and a proposal for a revised Cybersecurity Act. That toolbox explicitly pushes governments to look beyond purely technical vulnerabilities to non‑technical risks such as foreign interference, ownership structures, and political pressure—precisely the factors that led Estonia to treat Huawei as a high‑risk vendor in Elisa Eesti AS.

Ćapeta’s emphasis on specificity and proportionality effectively becomes a legal design principle for the toolbox. It suggests that national or EU‑level lists of high‑risk suppliers will only withstand scrutiny if they are tied to clear, context‑specific explanations of why particular products, in particular parts of a network or supply chain, pose unacceptable risks. In that sense, the Elisa Eesti AS case functions as an early stress test for the toolbox: it shows what may happen when high‑level toolbox guidance and national intelligence lead to binding vendor exclusions and are then subjected to CJEU‑level review. For operators, that means more litigation and more documentation; for regulators, it means that intelligence‑driven concerns must be translated into reason‑giving, contestable decisions rather than implemented through opaque black‑lists. In addition, decisions about who is allowed or excluded from the European market will likely carry implications for the European Union’s international cyber partnerships and digital infrastructure investments under Global Gateway. Addressing ICT risks to such investments is increasingly part of the EU’s broader risk management methodology in international cooperation and will only gain importance, including in projects concerning satellite connectivity and submarine cables. It will also provide additional guidance for EU policymakers as they define the EU tech business offer, aimed at promoting European companies among international partners.

Balancing Legal and Technical Expertise 

One striking feature of Elisa Eesti AS is institutional: the core decision originated with TTJA, a consumer protection and technical supervision authority, not with a defense ministry or intelligence service. This institutional design reflects how cybersecurity regulation has migrated into sectors once dominated by consumer and competition logics, even as the underlying drivers are increasingly geopolitical and intelligence‑driven.

The opinion raises an important point about the capacity of courts to intervene in highly technical cases. Ćapeta makes it clear that given the requirement of “deep knowledge of the technical, political and security aspects” of the case, the assessment of a potential risk posed by a specific manufacturer, its equipment, or the use of that equipment “cannot be made by the EU Courts.” It does not mean, however, that courts cannot rely on existing judicial techniques and methods to assess the explanation and rationale provided by other competent authorities.

Ćapeta’s opinion effectively invites courts to probe how these hybrid administrative bodies translate national security assessments—often informed by classified intelligence—into concrete, reviewable decisions affecting private operators. The requirement of a specific equipment‑and‑use‑based risk assessment acts as a legal check on the temptation to simply transpose high‑level geopolitical distrust into blanket vendor exclusions. It also highlights practical questions raised for many years now about how much underlying intelligence must be disclosed or summarized to allow meaningful judicial review, how courts should evaluate proportionality when they cannot fully see the evidence base, and how much discretion national authorities should enjoy when threat landscapes and alliance politics evolve rapidly.

Indeed, the most important long‑term implication of Elisa Eesti AS may be the way it forces European courts and regulators to grapple with intelligence‑driven risk assessments. Telecom operators are being asked to absorb significant costs and operational risks based on national security determinations they cannot fully see, let alone effectively contest. Ćapeta’s insistence on specificity and proportionality creates a legal vocabulary for pushing back: not against the idea of security‑based exclusions as such, but against opacity and over‑breadth.

Looking Ahead

Although Advocates General exercise multifaceted influence over the CJEU case law and play an important role in the European Union’s legal system, politically salient cases like Elisa Eesti AS constitute a real test of their powers. In this sense, Ćapeta’s opinion does not predetermine how far the CJEU will go eventually in endorsing her intensity of review over national‑security and intelligence‑driven risk assessments.

If the CJEU follows the opinion, more litigation by operators challenging vendor bans and phase‑out orders is likely to follow, contributing to a growing body of case law on how to review security decisions that rely on classified intelligence, and an enhanced role for consumer protection and sectoral regulators as front‑line implementers of national security policy. Elisa Eesti AS is thus more than a technical dispute about Huawei base stations in a small Baltic market; it is an early template for how liberal legal orders will try to discipline their own security states as geopolitical rivalry hardens into long‑term technology decoupling.
