Caveats to national security block on telecoms components, says CJEU Advocate General

Experts in telecoms and cybersecurity law Dr. Marc Salevic and David McIlwaine of Pinsent Masons said the recent opinion issued by Advocate General Tamara Ćapeta in the Elisa Eesti case marks an important point of reference for the treatment under EU law of national 5G security measures. The opinion is non-binding. A formal judgment of the Court of Justice of the EU (CJEU) in the case is expected later this year.

At the core of the case is the question of how far member states can go, on grounds of national security, in restricting so‑called “high‑risk” telecommunications equipment – and where the limits of EU law lie.

The case originates from an Estonian authorisation regime requiring telecommunications companies to obtain prior administrative approval for the use of certain hardware and software in their mobile networks. In the specific case, Elisa Eesti AS – a subsidiary of the Finnish telecommunications group Elisa Oyj – was granted only a time‑limited authorisation to use components from Chinese supplier Huawei in its mobile access network (2G–5G). The Estonian authorities classified Huawei as a “high‑risk supplier” and relied, among other things, on “joint risk assessments both at EU level and at the level of the Member States”.

The Estonian administrative court hearing the case referred several questions to the CJEU for a preliminary ruling, in particular concerning the relationship between national security and the European Electronic Communications Code (EECC).

The advocate general first said that measures to ensure the security of telecommunications networks generally fall within the scope of the EECC. Articles 40 and 41 EECC expressly require EU member states to ensure the security of electronic communications networks and services. This also includes hardware and software components of mobile networks.

She further said that the risk assessment is primarily a matter of national security, under Article 4(2) of the Treaty on the EU, and therefore must be carried out by the competent national authorities and, in the event of a dispute, reviewed by the national courts. However, she said restrictions such as the time‑limited authorisation at issue must also comply with EU law requirements, including the freedom to provide services, the right to property and the principle of proportionality.

The advocate general said the Estonian authorisation regime constituted a restriction on the freedom to provide electronic communications networks and services within the meaning of Article 12(1) EECC. She said the need to obtain advice authorisation makes market access more difficult and renders the provision of services less attractive.Dr. Salevic and McIlwaine said the advocate general’s classification of the Estonian restriction is legally significant, as it means that such measures are subject to a mandatory justification and proportionality review under Article 52(1) TFEU.

The Advocate General formulated standards relevant for the justification of such restrictions.

She said national authorities may not rely on abstract or blanket security concerns. Instead, she said a specific, case‑by‑case risk assessment needs to be undertaken. This risk assessment needs to examine: whether risks associated with the supplier actually affect the specific hardware or software concerned; the function, network position and importance of the components in question; and whether and to what extent risks attributable to a third country can be imputed to the supplier.

McIlwaine said: “In other words: high‑risk classifications must not be applied schematically. The mere fact that a supplier originates from a third country is not sufficient.”

Should the CJEU follow the advocate general’s opinion, it would be for the national authorities to carry out the decisive risk assessment in a legally sound manner in the specific case, and for the national courts to ensure effective judicial protection in this respect.

Dr. Salevic added: “Since these fundamental requirements derive from EU primary law, they will also have to be observed in the context of the European Commission’s current proposals to amend the EU Cybersecurity Act with regard to the ICT supply chain.”

He said the Elisa Eesti case is therefore likely to have significance far beyond Estonia for the further development of European 5G security architecture.