The Regulatory Context
The proposed Digital Networks Act (“DNA“), adopted by the European Commission (“EC“) as a legislative proposal on 21 January 2026[1], would, if enacted in its current form, mark a significant evolution of the European Union’s (“EU“) regulatory framework for electronic communications. Together with the Digital Omnibus Package[2] (“DOP“) simplification agenda and the January 2026 Cybersecurity Package, including the proposed revision of the Cybersecurity Act (“CSA2“), the DNA forms part of a broader legislative strategy aimed at enhancing the resilience, security and competitiveness of Europe’s digital infrastructure.
It represents the most comprehensive reform of the EU’s regulatory framework for electronic communications since the adoption of the European Electronic Communications Code (“EECC“).
One of its stated objectives is to strengthen the security of the European supply chain for electronic communications networks (“ECNs”). In Europe, a common layer is combined with diverse national networks to enable cross-border interoperability and secure, auditable data exchange. This is done within a significantly revised regulatory architecture.
The DNA establishes the regulatory conditions governing the provision of electronic communications networks and services, including the regime applicable to general authorisations and rights of use of radio spectrum. CSA2, by contrast, introduces a horizontal framework for managing Information and Communication Technology (“ICT”) supply-chain risks, including mechanisms for identifying key ICT assets, assessing supply-chain risks and adopting mitigation measures in relation to high-risk suppliers.
Of particular concern in this respect is the prospect that the DNA, together with CSA2, may link supply-chain security requirements to telecom operators’ general authorisations. Currently, under the EECC, authorisation conditions are limited to those exhaustively listed in Annex I and must be non-discriminatory, proportionate and transparent.
The proposed DNA, if approved as mentioned, would change that approach. It would make compliance with applicable cybersecurity rules, including ICT supply-chain security requirements imposed under the CSA2, a condition of both the general authorisation to provide electronic communications networks and services[3] and rights of use of radio spectrum[4].
The practical implications of this legislative design may nevertheless be significant. Under the proposed legislation, the Commission would be empowered to identify key ICT assets, conduct Union-level ICT supply-chain risk assessments and adopt implementing measures addressing both technical and non-technical risks, including risks associated with ownership structures, foreign interference, strategic dependencies and high-risk suppliers. Where appropriate, those measures could include restrictions on the use of ICT components supplied by designated high-risk suppliers in key ICT assets, together with complementary obligations relating to audits, diversification of supply, transparency and transition measures.
The combined effect of the two proposals is therefore to establish a closer relationship between cybersecurity regulation and the regulatory framework governing electronic communications. If the DNA is adopted in its present form, compliance with certain ICT supply-chain security obligations may become relevant not only for operational cybersecurity purposes but also for obtaining or maintaining the regulatory authorisations required to provide electronic communications networks and services or to exercise rights of use of radio spectrum.
It is this interaction between the proposed authorisation regime and the emerging Union framework for establishing ICT supply-chain security that gives rise to concern, considering the legal questions examined in the following sections.
Security-Based Restriction under EU Law: Competence, Proportionality and Procedural Safeguards
Invoking national or European security cannot suffice to justify the adoption of restrictive administrative or legislative measures. Furthermore, it does not provide a lawful basis for acting in a discriminatory and arbitrary manner that would harm fundamental citizens’ rights, the integrity of the internal market, or legal and economic certainty.
As one of us wrote in an article published in EU Law Live a year ago, although national security remains the sole responsibility of each Member State, as recognised in Article 4(2) of the Treaty on European Union (“TEU”), this responsibility must be exercised in accordance with the general principles of EU law, particularly with regard to the integrity of the internal market. Any restriction of the fundamental freedoms must be duly justified and, as an exception to a general principle, interpreted strictly[5].
That reservation of competence, therefore, does not place national security measures beyond the reach of EU law where those measures affect fields governed by Union law. National security may justify restrictions in appropriate cases, but it does not create a general exemption from the requirements of legality, proportionality, non-discrimination, effective judicial protection or respect for fundamental rights.
These principles have been consistently reaffirmed by the Court of Justice of the European Union (“CJEU”). In Privacy International[6] and Ministrstvo za obrambo[7], the Court made clear that the mere fact that a measure is taken for the purpose of protecting national security cannot render the EU law inapplicable. This is particularly the case with Article 36 of the Treaty on the Functioning of the European Union (“TFEU”)[8], Article 5(4) TEU[9] and the Charter of Fundamental Rights of the European Union (“CFREU”).
This principle is particularly relevant in the field of electronic communications, where telecommunications equipment constitutes goods under the TFEU, meaning that any national measures restricting its authorisation, deployment or use, may fall within the scope of Article 34 TFEU. Although such restrictions may be justified under Article 36 TFEU on public security ground[10], the Member State bears the burden of demonstrating that they respond to a concrete security concern and do not constitute arbitrary discrimination or a disguised restriction on trade within the internal market[11].This position was reinforced in Commission v. Poland [12], where the CJEU held that measures adopted in pursuit of a legitimate national interest cannot, simply because they are security-related, be entirely exempt from EU law.
The constitutional framework established by the Treaties and interpreted by the Court of Justice therefore provides the point of departure for assessing the legality of supply-chain security measures that may be adopted under the proposed DNA and CSA2. While security considerations are a legitimate objective of public policy, they do not override the principles of legality, proportionality, non-discrimination and effective judicial protection on which the European legal order is based.
These principles set out the standard for security-based restrictions affecting suppliers, telecommunications equipment, and access to the sectoral market under the proposed DNA and CSA2. While the Union and the Member States may pursue a high level of cybersecurity, the operative legal question is what justification is required before restrictive measures can be lawfully imposed.
The recent Opinion of Advocate General Ćapeta in Elisa Eesti[13] provides valuable guidance on this issue. While recognising that the security of Member States’ electronic communications networks and services is a fundamental societal interest at both the national and Union levels, the Advocate General makes clear that this goal does not justify unlimited regulatory discretion. In fact, restrictions on the freedom to provide electronic communications networks and services are only lawful where they satisfy the general requirements of EU law.
In paragraph 107 of the Opinion[14], the Advocate General recalls that restrictions may be justified only where the risk to the protected interest is “genuine, present and sufficiently serious in the particular case.” This standard reflects the settled case law of the Court concerning derogations from the internal market freedoms and requires that restrictions be based on actual rather than hypothetical or presumed risks.
The Opinion further emphasises[15] that the legality of such measures ultimately hinges on compliance with the principle of proportionality. Accordingly, the competent authority must demonstrate not only that the objective pursued is legitimate, but also that the adopted measure is appropriate and necessary to attain it.
Most significantly, the Opinion rejects the possibility of basing decisions on general assumptions about specific suppliers or countries of origin. Advocate General Ćapeta submits that a Member State cannot rely on general suspicions based solely on the origin of the equipment manufacturer[16]. Instead, it must undertake a specific assessment of the intended equipment and the risks associated with its deployment.
Such an assessment must consider the following: (i) the functionality, location and importance of the equipment within the communications network; (ii) whether concerns relating to the country in which the manufacturer is established can objectively be projected onto the manufacturer itself; and (iii) whether the risks associated with the manufacturer are projected onto the specific hardware and software in question.
Accordingly, the assessment should consider the particular equipment or software in question, its role within the network, the characteristics and control structure of the supplier, and the objective evidence linking these elements to the alleged security risk. While the manufacturer’s country of establishment may be a relevant factor, it cannot substitute reasoned analysis.
Rather than being presumed, the projection of risks between the geopolitical context, the supplier and the specific equipment must be objectively demonstrated. Doubts particularly arise in this regard concerning the possible link between the authorisation regime and the system for ensuring supply-chain security, as set out in the CSA2 and DNA proposals.
Also, the principle of proportionality requires the competent authorities to consider whether less restrictive measures would adequately address the identified risks. This approach is consistent with the Court’s judgment in Gebhard[17], which requires restrictions on fundamental freedoms not to exceed what is necessary. It is also consistent with the EECC, which presupposes “appropriate and proportionate” measures rather than a binary choice between unrestricted use and total exclusion. Therefore, the competent authority must consider less restrictive alternatives, such as enhanced monitoring, technical audits, incident reporting obligations or security-by-design requirements. Only where these measures are demonstrably insufficient may an outright exclusion be justified.
The substantive requirements imposed by EU law are complemented by equally important procedural guarantees. Crucially, competent authorities cannot refuse to provide specific information to support their assessment, and national courts may be required to review the merits of a case. In Tele2 Sverige[18], the CJEU ruled that measures applicable to all parties without differentiation or exception are excessive and incompatible with EU law.
Similarly, in ZZ v Secretary of State for the Home Department[19], the CJEU held that, even when national security is invoked, the individual must be informed of the reasons for the decision, in order to enable effective judicial review. The same principle underlies the Court’s landmark judgment in Kadi [20], where it was held that restrictive measures adopted on security grounds must be supported by factual evidence and be opened to full judicial review. Thus, the principle that security-based restrictions require concrete justification and cannot be based on mere assertion is deeply embedded in the constitutional fabric of the Union.
Implications for the Future Digital Networks Act and CSA2
The aforementioned principles provide the legal framework within which the proposed DNA and the revised Cybersecurity Act must ultimately be assessed. Throughout the legislative process leading to a new, more resilient and robust EU cybersecurity framework, and particularly with regard to the DNA and CSA2, these constitutional requirements should serve as the benchmark against which any new regulatory measures are evaluated.
The requirement for individualised assessment has significant implications for the proposed interaction between the CSA2 and the DNA. If compliance with supply-chain security requirements becomes, where applicable, a condition for obtaining or maintaining the general authorisation to provide electronic communications networks or rights of use of radio spectrum, the resulting restrictions cannot be regarded as neutral regulatory conditions alone. Instead, they may affect market access for electronic communications providers in a given sector, impede the free movement of goods, and discourage the exercise of fundamental freedoms.
This raises important questions under EU law, particularly where decisions affecting third-country suppliers are based on country-related cybersecurity concerns, control links or alleged governmental influence. While these factors may be relevant to non-technical supply-chain risk, they must be assessed according to clear criteria and supported by evidence, rather than being treated as irrebuttable presumptions.
Accordingly, any restrictions placed on the deployment of equipment or software supplied by third-country vendors should be based on a concrete assessment of the risks associated with their intended use. This assessment should cover both technical vulnerabilities and non-technical risks, such as supplier control, dependency, and foreign interference.
General assumptions based on the origin of the supplier, the geopolitical context, or abstract references to national security cannot justify restrictive measures by themselves. Undertakings affected by that framework are entitled to fair, evidence-based, proportionate and reviewable treatment.
From this perspective, it is difficult to establish a sufficient legal nexus between threats to the security of electronic communications networks and a system of blanket authorisations or prohibitions based on general criteria such as the manufacturer’s country of origin, or unsubstantiated assumptions regarding the risks associated with particular suppliers.
Such an approach is difficult to reconcile with the requirements of EU law, which dictate that restrictions must be based on a specific, evidence-based assessment of the risks involved.
Conclusion
Protecting electronic communications networks and ensuring the resilience of Europe’s digital infrastructure have become central objectives of the EU’s digital policy.
In the face of a rapidly evolving geopolitical and technological landscape, and in light of considerations regarding competitiveness and the concept of “European strategic autonomy”, strengthening cybersecurity and reducing vulnerabilities within ICT supply chains are legitimate and necessary public policy objectives. Both the Union and its Member States must adopt appropriate measures to safeguard the integrity and security of critical communications infrastructure.
However, as the legislative process on the DNA, the CSA2 and the broader EU cybersecurity architecture progresses, pursuing these objectives must not diminish the constitutional requirements of EU law. If the DNA is to link supply-chain security to general authorisations and spectrum licences, this must comply with these fundamental requirements.
The Union’s task is to strengthen the resilience of Europe’s digital infrastructure while preserving the constitutional safeguards that give the internal market its legal coherence. The effectiveness of the future regulatory framework will depend on its ability to reconcile legitimate security objectives with proportionality, legal certainty, non-discrimination and effective judicial protection.
Any restrictions on equipment or software from third-country suppliers must be based on a concrete assessment of the specific risks posed by their deployment. All undertakings operating within the internal market are entitled to fair, individualised, evidence-based and proportionate treatment. Restrictions cannot be based on abstract suspicion, geopolitical assumptions or mere invocations of national security; they must be accompanied by concrete justifications of the risks involved.
The strength of the European legal order does not lie in its ability to exclude, but in its insistence that all power, regardless of how it is exercised or what its purpose is, must be accountable to the law.
By José Luís da Cruz Vilaça, Paulo de Almeida Sande, Mariana Tavares, Practice Area – European Union Law and Competition
[1] Proposal for a Regulation of the European Parliament and of the Council on digital networks, of 21.01.2026, amending Regulation (EU) 2015/2120, Directive 2002/58/EC and Decision No 676/2002/EC and repealing Regulation (EU) 2018/1971, Directive (EU) 2018/1972 and Decision No 243/2012/EU (Digital Networks Act), COM (2026) 16 final.
[2] Commission Staff Working Document Proposal for a Regulation of the European Parliament and of the Council Amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) Amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI), SWD(2025) 836 final, 19.11.2025.
[3] Article 9 of the DNA project.
[4] Article 20, ibidem.
[5] J. L. da Cruz Vilaça, “EU Law and the Limits of Invoking National Security”. EU Law Live Weekend edition, n. 238, July 12, 2025.. (https://eulawlive.com/weekend-edition/weekend-edition-no238/): “(it) cannot be inferred that the Treaty contains an inherent general exception excluding all measures taken for reasons of law and order or public security from the scope of (Union) law. Indeed, to recognise the existence of such a general exception would undermine the binding nature of EU law and its uniform application (…)” (page 4).
[6] Judgment of the Court (Grand Chamber), 6 October 2020, Privacy International, C-623/17, ECLI:EU:C:2020:790, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62017CA0623&qid=1782715620497
https://curia.europa.eu/juris/document/document.jsf?docid=232083&doclang=en.
[7] Judgment of the Court (Grand Chamber) of 15 July 2021, B. K. v Republika Slovenija (Ministrstvo za obrambo), C-742/19, ECLI:EU:C:2021:597, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62019CJ0742.
[8] Prohibition of quantitative restrictions between Member States.
[9] Principle of Proportionality.
[10] Articles 34 and 36 TFEU are the foundational pillars of the EU’s single market, in respect to the free movement of goods. They build a level playing field by broadly prohibiting trade barriers while allowing limited and justified exceptions for specific public interests, including public security, through measures that must be proportionate and non-discriminatory.
[11] As aforementioned J. L. da Cruz Vilaça opinion “EU Law and the Limits of Invoking National Security”, in EU Law Live Weekend edition, n. 238, July 12, 2025.. (https://eulawlive.com/weekend-edition/weekend-edition-no238/) page 4.
[12] Judgment of the Court (First Chamber) of 7 September 2023, European Commission v Republic of Poland, C-601/21, ECLI:EU:C:2023:629, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62021CJ0601. “(…) according to settled case-law, the objective of protecting national security corresponds to the primary interest in protecting the essential functions of the State and the fundamental interests of society (…)” (paragraph 79); “However, measures adopted by the Member States in connection with the legitimate requirements of national interest are not excluded in their entirety from the application of EU law solely because they are taken in the interests of national security” (paragraph 80).
[13] Opinion of Advocate General Ćapeta delivered on 19 March 2026, Elisa Eesti AS v Vabariigi Valitsuse julgeolekukomisjoni küberjulgeoleku nõukogu, Tarbijakaitse ja Tehnilise Järelevalve Amet, C-354/24, available at: eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62024CC0354.
[14] Ibidem.
[15] Ibidem. At paragraph 57.
[16] Ibidem. In paragraphs 110 and 111.
[17] Judgment of the Court of 30 November 1995, Reinhard Gebhard v Consiglio dell’Ordine degli Avvocati e Procuratori di Milano, C-55/94, ECLI:EU:C:1995:411, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:61994CJ0055.
[18] Judgement of the Court (Grand Chamber) of 21 December 2016, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, C-203/15, EU:C:2016:970, available at: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:62015CN0203
[19] Judgment of the Court (Grand Chamber) of 4 June 2013, ZZ v Secretary of State for the Home Department, C-300/11, ECLI:EU:C:2013:363, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62011CJ0300.
[20] Judgment of the Court (Grand Chamber) of 18 July 2013, European Commission and Others v Yassin Abdullah Kadi, Joined Cases C-584/10 P, C-593/10 P and C-595/10 P, ECLI:EU:C:2013:518, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62010CJ0584.


