The New Era of Digital Sovereignty: Moving Beyond Blanket Bans
The landscape of European telecommunications is shifting. For years, the debate around “high-risk vendors” was a binary struggle: either a company was allowed in the network, or it was banned entirely. Though, recent legal developments at the Court of Justice of the European Union (CJEU) suggest a more nuanced future.
The advisory opinion in Elisa Eesti AS v. Estonian Government Security Committee signals a move toward “granular security.” While the CJEU acknowledges that Member States can exclude hardware and software based on national security risks, the era of the opaque “blacklist” may be ending.
From Blacklists to Risk Maps
Future trends indicate that governments will be required to move away from blanket bans. Instead, they must provide specific, equipment-and-use-based risk assessments. This means regulators cannot simply say a manufacturer is “high-risk”; they must articulate why a specific component in a specific part of the network poses an unacceptable threat.
This shift forces a translation of classified intelligence into contestable legal reasoning. For operators, this means a move toward more detailed documentation and a higher burden of proof for regulators who wish to compel the removal of existing infrastructure.
The High Cost of Security: The “Rip and Replace” Challenge
As the EU pushes for a more secure ICT supply chain, the industry is facing a massive financial hurdle: the “rip and replace” phenomenon. Removing deeply integrated hardware from a live network is not just a technical challenge—it is a multi-billion-euro operational nightmare.
We are seeing a fragmented implementation across the bloc. While countries like Sweden and Latvia moved early to exclude vendors like Huawei and ZTE from core 5G networks, others have lagged. Germany, for instance, has announced plans to remove these components from its core 5G networks by the end of 2026.
A critical trend to watch is the fight over compensation. As operators are forced to swap out equipment, the question of the “right to property” under the EU Charter of Fundamental Rights becomes central. Without U.S.-style assistance funds, the financial burden on mid-sized operators could lead to increased litigation over fair compensation.
When Courts Meet Classified Intelligence
One of the most significant future trends is the “judicialization” of national security. Historically, “national security” was often treated as a carte blanche—a magic phrase that stopped further legal inquiry. That is changing.
The CJEU is establishing that while the EU cannot decide what is necessary for a Member State’s security, the invocation of national security does not exempt a state from complying with EU law. This creates a tension: how do courts review a decision based on classified intelligence without compromising that very intelligence?
One can expect a growing body of case law focusing on proportionality. Courts will increasingly probe how hybrid administrative bodies translate secret threats into public, reviewable decisions. This will likely lead to new judicial techniques for handling secret evidence while still protecting the rights of private companies.
Expanding the Perimeter: Beyond 5G
The logic applied to 5G towers is rapidly expanding to other critical digital arteries. The EU’s broader ICT Supply Chain Security Toolbox encourages governments to appear beyond technical vulnerabilities to “non-technical risks,” such as ownership structures and political pressure.
This “security-first” methodology is now bleeding into other sectors:
- Satellite Connectivity: Ensuring that the space-based internet of the future isn’t dependent on adversarial infrastructure.
- Submarine Cables: Applying the same risk-assessment logic to the physical cables that carry the bulk of global internet traffic.
- Global Gateway: Integrating ICT risk management into the EU’s international infrastructure investments.
The Regulatory Shift: Consumer Protection as National Defense
Perhaps the most surprising trend is the institutional migration of security. In the Elisa Eesti case, the decision didn’t come from a Ministry of Defense, but from the TTJA—an office for consumer protection and technical supervision.
Cybersecurity is no longer just a military concern; it has migrated into the realm of consumer and competition law. This means that the regulators of tomorrow will be “hybrid” agents, balancing technical standards, consumer rights, and geopolitical intelligence. This shift may lead to more frequent intersections between competition law (antitrust) and national security mandates.
FAQ: High-Risk Vendors and EU Law
Can EU countries legally ban specific telecom vendors?
Yes, in principle. According to recent advisory opinions, Member States may exclude hardware and software if the manufacturer poses a risk to national security, provided the decision is based on a specific risk assessment.
What is “rip and replace”?
It is the process of removing existing high-risk vendor equipment from a network and replacing it with gear from trusted suppliers.
Is the Advocate General’s opinion legally binding?
No, the opinions of Advocates General are non-binding, but they are highly influential in shaping the final judgments of the CJEU and the development of EU legal doctrine.
Who determines if a vendor is “high-risk”?
What we have is typically determined by national authorities (such as security committees or technical supervision offices) using criteria that may include the vendor’s country of origin and its relationship with foreign governments.
Join the Conversation
How should the EU balance national security with the financial burden on telecom operators? Do you believe “granular” risk assessments are enough to protect digital infrastructure?
Share your thoughts in the comments below or subscribe to our newsletter for the latest insights on digital sovereignty.
