On March 19, 2026, Advocate General Tamara Ćapeta delivered her Opinion in Case C-354/24, Elisa Eesti AS, a preliminary ruling request concerning Estonia’s refusal to authorise the use of Huawei equipment in telecom networks.
Under the European Electronic Communications Code (EECC), Member States are expected to maintain open telecom markets. At the same time, they remain responsible for protecting national security, where they consider vendors to pose a risk. In Elisa Eesti, Advocate General Ćapeta’s Opinion offers an indication of how the Court of Justice of the European Union (CJEU) may weigh that balance.
Estonia’s Electronic Communications Act requires operators to get approval before using hardware or software that might jeopardise national security. In 2022, Elisa Eesti, an Estonian telecom operator, applied to use Huawei hardware and software in its 2G-4G and 5G networks. Estonian authorities refused the request, finding that Huawei was a “high-risk” vendor whose equipment could endanger national security.
Elisa Eesti challenged that decision before the Administrative Court in Tallinn, which referred several questions to the CJEU for a preliminary ruling. The central issue was whether Estonia’s ex-ante authorisation regime for certain telecom technologies falls within the scope of the EECC and, if so, whether it constitutes a restriction on the freedom to provide electronic communications networks and services under the EECC.
Although the EECC is designed to promote an internal market for electronic communications networks and services, it also expressly requires the protection of the “security of networks and services”. To that end, Member States must ensure that providers of public electronic communications networks and publicly available electronic communications services take appropriate and proportionate technical and organisational measures to manage security risks.
Against that background, Advocate General Ćapeta rejects the idea that a national measure automatically falls outside the scope of EU law simply because it is adopted on national security grounds. As she puts it, “the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the member states from the need to comply with EU law.”
Having established that the EECC applies, she concludes that a prior authorisation requirement of this kind does amount to a restriction on market access within the meaning of the Code. However, she also considers that such a restriction may be justified on grounds of public security, provided it is proportionate.
The Opinion confirms that Member States may exclude hardware and software from their telecom networks if the manufacturer is deemed a national security risk.
At the same time, such decisions cannot be based on general suspicion alone. They must rest on a specific assessment of the intended use of the equipment and the associated risks.
The Opinion also stresses that any such measure must be open to judicial review and comply with the principle of proportionality. It further clarifies that restrictions on the use of telecom equipment do not amount to a deprivation of property, but rather to a limitation on its use.
The Elisa Eesti case is part of a wider European push to deal with security risks in digital infrastructure, especially 5G networks. The issue of high-risk suppliers is now central to discussions about security, technological, and economic independence.
Although the Opinion of the Advocate General (AG) is not binding, it often signals the Court’s likely reasoning. A final judgment is expected from the CJEU before the end of 2026.
Authors: Anne MacGregor, Nina-Raluca Bucataru
