Brussels’ proposed cybersecurity overhaul risks constitutional red flags
“Europe cannot be naive anymore” – with that blunt warning, the European Commission framed the EU’s proposed overhaul of the Cybersecurity Act (CSA2) as a decisive step towards greater strategic autonomy.
The proposal would allow Brussels to list “high-risk third countries”, identify high-risk companies linked to them, and ultimately exclude those companies from Europe’s information and communications technology (ICT) supply chains.
The Commission presents CSA2 as a necessary response to a deteriorating threat landscape and fragmented national approaches following the voluntary 5G Toolbox. Yet behind that narrative lies a deeper legal and geopolitical fault line.
Politically charged assessments
At the centre of the debate is the new ICT supply chain security mechanism. For the first time, the EU would formally assess “non-technical risks” tied to a country’s legal system, governance and political environment, potentially leading to binding prohibitions on suppliers operating in sectors covered under NIS2.
For Michel Petite, avocat of counsel at Clifford Chance, this would mark a structural shift from technical certification to geopolitical risk designation, raising constitutional red flags.
“Determining that a third country poses a ‘serious and structural non-technical risk’ (i.e. a security risk) requires an assessment of its legal system, governance and political environment. Such assessment will necessarily be highly subjective and political,” he tells Euractiv.
“A decision in that field should much more naturally fall in the realm of foreign policy and security interests than be treated as a mere matter of harmonisation of internal market rules,” Petite argues.
Deep legal tensions
The legal tension is not academic. Article 4(2) of the Treaty on European Union states that national security remains the sole responsibility of Member States. CSA2 relies on Article 114 TFEU – the internal market legal basis.
A detailed legal analysis warns that grounding a measure whose “main predominant purpose” is security on Article 114 may be constitutionally fragile. The paper argues that if the principal objective of CSA2 is national security, the chosen legal basis could be challenged before the Court of Justice of the European Union.
The authors also caution that vague concepts such as “high-risk supplier” or “country of risk” require objective criteria and clear reasoning, given the duty to state reasons under Article 296 TFEU. Generic references to geopolitical concerns would not suffice.
Binding exclusions
CSA2 would make mandatory what the 5G Toolbox only recommended: excluding suppliers deemed high risk from critical network components. The proposal explicitly requires the phase-out of certain ICT components in 5G networks listed in Annex II.
Industry reaction has been swift. Telecom groups have warned that forced removal of Chinese equipment could cost billions and disrupt networks. Replacement costs, they argue, would divert capital away from expanding 5G and future 6G coverage.
Petite makes the same point bluntly: “If components from certain suppliers had to be phased out, this would create additional costs which could not be invested into expanding the 5G and future 6G networks […] The EU might fall further behind the US and China.”
In other words, the pursuit of strategic autonomy could paradoxically weaken Europe’s competitiveness.
CSA2’s defenders counter that fragmentation leaves the Union vulnerable. The Commission’s impact assessment claims EU-level action will produce better results than Member States alone.
Geopolitical positioning and retaliation
The Commission’s position leaves little doubt about the political direction, with explicit references to past recommendations to exclude Huawei and ZTE, presenting CSA2 as a framework to make such decisions mandatory.
That clarity may come at a diplomatic cost.
“A country-designation regime will be perceived internationally as geopolitical positioning and retaliation is rather likely, as the Chinese reaction to the Dutch government’s seizure of control over Nexperia has shown,” Petite warns.
Recent tensions involving Chinese investments in European technology firms demonstrate how quickly regulatory measures can provoke countermeasures. A binding EU-level exclusion mechanism could attract scrutiny under WTO rules or trigger retaliatory trade measures.
The broader geostrategic dimension merits highlighting: CSA2 unfolds amid global competition over critical technologies, US tariffs and strained alliances. The EU seeks to reduce external dependencies – but in doing so may deepen geopolitical fault lines.
A constitutional stress test
CSA2 is more than a cybersecurity update. It is a test of how far Brussels can stretch internal market law to achieve strategic aims.
Supporters argue that hybrid threats and cascading supply-chain vulnerabilities justify centralised action. Critics see an overreach that risks blurring the line between market regulation and foreign policy, while exposing Europe to economic and legal blowback.
Europe may choose not to be naive. The question is whether, in fortifying its digital infrastructure, it is redefining the constitutional balance between Brussels and the capitals – and stepping into geopolitical terrain from which there may be no easy retreat.
[BM]



