Considerations for the restriction of technology on national security

On 19 March 2026, an Opinion of the Advocate General of the European Court of Justice was published in the case Elisa Eesti v TTJA, C-354/24, addressing the question: within which legal framework can an EU Member State rely on the security exception when imposing trade restrictions?

Estonian telecommunications operator Elisa filed a complaint on 1 December 2022 against a decision of the Consumer Protection and Technical Regulatory Authority (“TTJA”), which refused to grant permission for the use of certain hardware and software in Estonian communications networks, as the technology was considered by TTJA to pose a security risk. In the course of the national proceedings, the Tallinn Administrative Court decided to request a preliminary ruling from the Court of Justice of the European Union, in which Advocate General Tamara Ćapeta also delivered an Opinion.

In summary, the Advocate General explained the following:

• Member State autonomy in security matters. Based on earlier case law of the Court of Justice, security issues do not fall outside the scope of EU law. The Advocate General referred to previous case law concerning the retention of communications data, explaining that the same principles apply to restrictions on technology.
• Proportionality of measures. While restrictions are possible on security grounds, such restrictions must be proportionate. According to the Advocate General, this requires that the Member State identify, in each specific case, a genuine, present, and sufficiently serious threat.
• Right to compensation. If the burden imposed on businesses by such restrictions is disproportionately high, this may entail the need to compensate the affected undertaking, even where the restriction itself may be permissible.

Although the Advocate General’s Opinion is not binding on the Court of Justice, it provides insight into the possible reasoning of the Court, which often follows such Opinions. The forthcoming judgment is expected to be significant for the functioning of the EU internal market, as it clarifies, among other things, the extent of Member States’ autonomy in security matters under the EU Treaties.

COBALT is advising clients regarding the implementation of government proposed security requirements regarding technology used in critical infrastructure.