The European Commission proposal for a second Cybersecurity Act ("CSA2" or "CSA2 Proposal") represents a decisive development in the European Union's approach to regulating digital infrastructure.
At the heart of CSA2 lies the idea of a Union‑level mechanism capable of classifying ICT vendors, manufacturers or entire supply chains as security risks, combined with binding exclusionary effects across the internal market.
Although formally presented as a measure aimed at strengthening the internal market for ICT products and services, the proposal goes far beyond technical harmonisation. This applies, in particular, to the rules on high-risk vendors in Title IV of the CSA2 Proposal. These rules do not merely coordinate national regulatory practices, but empower the European Commission to designate high-risk suppliers, in particular if they originate from a third country which is classified as high-risk. Designation as a high-risk supplier has far-reaching implications both for the designated entity and for customers (such as network operators) who have integrated the designated entity's components into their systems.
In centralising the designation of high-risk suppliers, the CSA2 Proposal also directly affects the allocation of regulatory authority between the Union and its Member States. The legal framework governing such allocation is shaped by the interaction of three core Treaty provisions. Article 114 TFEU confers on the Union a competence to harmonise national laws for the purposes of establishing and ensuring the functioning of the internal market. Article 4(2) TEU expressly reserves national security to the sole responsibility of the Member States. Article 5 TEU, in turn, limits the exercise of Union competences through the principles of subsidiarity and proportionality.
From an EU constitutional perspective, the decisive issue is therefore not whether cybersecurity is a legitimate and important policy objective. Rather, it is whether the Treaties permit the Union to assume responsibility for security risk determinations as such, or whether those determinations remain constitutionally reserved to the Member States.
Article 4(2) TEU: National Security as a Reserved Responsibility
The Court of Justice has characterised national security as an essential State function, closely linked to the constitutional identity and fundamental political responsibilities of the Member States. In view of this, national security interests have long enjoyed protection under EU law, and may in particular be invoked to justify interferences by EU Member States with rights and freedoms guaranteed by the EU.
Article 4(2) TEU, which was introduced by the Treaty of Lisbon in 2009, further enshrines this protection. This provision obliges the EU to "respect" a number of interests, such as the equality of Member States and their national identities. In addition, Article 4(2) explicitly provides that national security remains the "sole responsibility" of each Member State. This attribution of sole responsibility is interpreted by leading authorities as reserving the competence to legislate on national security matters to the Member States: legislation by the EU in such matters is excluded.
While the European Courts have yet to rule on the exact scope of the jurisdictional limits imposed by Article 4(2) TEU, case law from other areas allows for some insights as to the scope of the national security reservation. In data protection cases, the CJEU has held that activities having the aim of safeguarding national security, to which the GDPR does not apply, encompass in particular activities that are intended to protect essential State functions and fundamental interests of society. Where national security is concerned, the EU's legislative competences, in particular those of a horizontal nature, must be interpreted in a manner such as to ensure that they do not impinge on the sole responsibility of Member States under Article 4(2) TEU.
In recent years, the EU has discovered resilience as a significant policy imperative. A number of policies aimed at strengthening resilience, which have been enacted based on the internal market competence of Art 114 TFEU, are clearly relevant to national security. This applies e.g. to legislation in the area of cybersecurity (NIS2 Directive (EU) 2022/2555), on the resilience of critical infrastructures (Directive (EU) 2022/2557) and to the recent proposal for increased harmonisation in the area of foreign direct investment screening (Council of the EU 6254/26). In these areas, the EU's legislation seeks to establish minimum standards and provides for coordination between Member States in order to ensure a consistent application.
By allocating to the European Commission the competence to designate third countries and individual suppliers as high-risk, the CSA2 Proposal goes further than these examples. Given the explicit reservation of competence for national security to the Member States, it remains to be seen whether Art 114 TFEU can be interpreted as authorising such a delegation of powers to the Commission.
Article 114 TFEU: Internal Market Competence
CSA2 is formally based on Article 114 TFEU, which the EU Commission relies upon as the legal basis for harmonising national rules in order to ensure the establishment and functioning of the internal market for ICT products, services and supply chains.
Article 114 TFEU enables the Union to approximate national laws where such measures genuinely pursue the establishment and functioning of the internal market. The Court of Justice has consistently recognised the breadth of this competence, particularly in sectors characterised by technological complexity and regulatory fragmentation.
Within those parameters, the Union legislature enjoys a wide margin of discretion, including the ability to impose far‑reaching regulatory constraints or even marketing prohibitions, provided that such measures remove genuine obstacles to trade or prevent serious distortions of competition. At the same time, Article 114 TFEU is not a residual or general regulatory power. The Court has repeatedly emphasised that it cannot be relied upon where the essential object of a measure lies outside market integration.
While Article 114 TFEU therefore does not require that market integration be the exclusive objective of Union action, it cannot serve as a legal basis where the essential object of the measure lies in another policy field.
Security risks are not objective facts that exist independently of legal judgment. They are the result of normative, situational and forward‑looking assessments integrating technical characteristics, systemic relevance, governance structures, geopolitical dependencies and national threat perceptions.
The classification of an ICT vendor, product or supply chain as a security risk therefore constitutes a paradigmatic exercise of national security responsibility. It necessarily involves decisions about probability, severity and acceptable risk in light of the specific national security environment. Moreover, the criteria for third-country risk assessments in Article 100 of the CSA2 Proposal clearly indicate that the designation is not intended to merely reflect the risk of technical vulnerabilities. Rather, vendors will be designated as high-risk by virtue of their country of origin if that country "poses a serious and structural non-technical risk to ICT supply chains".
A Union‑level mechanism that determines foreign policy and intelligence-related risks does not merely approximate national cybersecurity approaches. It substitutes them. There may be questions as to whether such a measure can indeed be based on the internal market competence of Article 114 TFEU, or whether it falls under the European Council's competences as set out in Chapter 2 TEU on the Common Foreign and Security Policy.
Article 5 TEU: Proportionality and Subsidiarity as Structural Constraints
In addition, the exercise of Union competences remains subject to the general constraints laid down in Article 5 TEU, in particular the principles of subsidiarity and proportionality.
According to settled case law, EU measures must be suitable, necessary and proportionate stricto sensu. In matters touching upon public or national security, the Court has held that derogations and exceptions must be justified by concrete and context‑specific considerations, rather than by abstract or merely presumptive reasoning. Union‑level vendor classifications eliminate individualised assessment at the legislative level. The proportionality deficit therefore arises already at the legislative design stage. While this conclusion is a doctrinal inference rather than an express holding of the Court, it follows from the Court's insistence that essential elements of risk assessment cannot be eliminated ex ante where highly sensitive interests are concerned.
Under Article 5(3) TEU, Union action is (further) permissible only where the objectives pursued cannot be sufficiently achieved by the Member States. National threat landscapes, network architectures and exposure profiles differ significantly. Suppressing this diversity through centralised classification risks undermining, rather than enhancing, effective security governance.
Decisive Clarification by Advocate General Ćapeta in Elisa Eesti (C‑354/24)
The Opinion of Advocate General Ćapeta in Elisa Eesti provides a doctrinally precise articulation of the interaction between internal market law and national security under EU constitutional law.
The AG confirms, first, that measures adopted for national security purposes are not excluded from the scope of EU law merely by virtue of that objective. Article 4(2) TEU preserves responsibility, not legal isolation. National security measures thus remain subject to EU law proportionality review where they affect harmonised fields (Opinion, paras 54-57).
Secondly, the Advocate General makes clear that the protection afforded by Article 4(2) TEU is conditional upon individualised, equipment‑specific and context‑sensitive risk assessments (paras 101-111). A genuine, present and sufficiently serious risk must be established, linked to the specific hardware or software, its function, deployment and role within the network. Abstract supplier‑based presumptions are constitutionally insufficient (paras 108-110).
Thirdly, proportionality requires that competent authorities be able to substantiate and explain their risk assessments, even where sensitive information is involved (paras 114-115). Judicial review cannot be reduced to deference.
The logic of Elisa Eesti therefore excludes Union‑level categorical vendor classifications. Such mechanisms eliminate individual assessment, replace national responsibility and fail to satisfy the proportionality requirements inherent in Articles 4(2) and 5 TEU.
Conclusion: Constitutional Questions raised by the CSA2 Proposal
When assessed against the constitutional framework described above, CSA2 gives rise to complex questions beyond questions of regulatory intensity or technical design.
First, what is the nature and scope of the reservation of responsibility for "national security" to the Member States in Article 4(2) TEU? While this reservation does not relieve the EU of its competence to harmonise national laws even if they are relevant to national security, can the EU centralise the risk assessment and designation of high-risk suppliers by allocating this power to the European Commission? By empowering the European Commission to make binding determinations concerning geopolitical and intelligence-related security risks, the CSA2 Proposal arguably moves beyond harmonisation of the internal market and into the constitutionally sensitive domain of national security governance reserved to the Member States under Article 4(2) TEU.
Secondly, although Article 114 TFEU has previously served as a legal basis for cybersecurity‑related legislation, its applicability is contingent upon the measure's centre of gravity genuinely lying in internal market harmonisation. Article 114 TFEU is therefore typically engaged by concerns regarding uniformity, efficiency or the avoidance of regulatory fragmentation. Such arguments may support harmonisation of technical requirements or procedural coordination.
CSA2, by contrast, is not triggered primarily by market fragmentation or divergent national technical standards. Its operative logic is grounded in the attribution of security risk. The primary function of such a measure is to preclude risks to critical infrastructure. The risks taken into account are of a non-technical nature and primarily relate to the foreign policy and intelligence risks posed by the provider's country of origin. It appears plausible that the centre of gravity therefore lies in national security, not in the internal market.
Thirdly, the CSA2 Proposal gives rise to questions regarding the principles by which the Union is bound when exercising its competences, namely the principles of proportionality and subsidiarity guaranteed by Article 5 TEU.
Subsidiarity concerns arise with particular force. Under the principle of subsidiarity, the EU shall act only if and in so far as the objectives of the proposed action cannot be sufficiently achieved by the Member States, but can rather be better achieved at Union level. In accordance with that principle, Community measures should leave as much scope for national decisions as possible, consistent with securing the aim of the measure and observing the requirements of EU primary law. Whether action at EU level would indeed be better suited to achieve the goal of avoiding the risk of dependencies on high-risk suppliers may indeed be questionable, given inter alia the well-known reluctance of Member States' intelligence services to share their intelligence with the EU institutions.
With regard to proportionality, AG Ćapeta's recent opinion on high-risk vendor designations by the Member States makes it clear that such decisions have to be made on an individualised assessment, taking account of the equipment at issue, the manufacturer, and its country of origin. By contrast, the assessment under the CSA2 Proposal is primarily country-based. While the EU legislature enjoys a broader discretion under the proportionality test of Article 5 TEU, it is nonetheless questionable whether a national security designation mechanism which would fail the proportionality test if enacted by a Member State can be validly enacted by the EU.