National Security

On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation.

AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property.

Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here.

Continue Reading CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required

After passing the House the preceding week, the National Defense Authorization Act for Fiscal Year 2026 (FY 2026 NDAA) passed the Senate on December 17 by a vote of 77-20 and was signed into law by President Trump the following day. As is frequently the case, this annual “must pass”

Continue Reading New Sanctions Authorities in the FY 2026 NDAA

On September 24, 2025, Covington’s tech industry experts explored what legal teams, government affairs professionals, and business leaders at tech companies need to know during this pivotal period and offered insights into anticipated challenges and emerging opportunities in the year ahead. Eight Covington attorneys shared their insights during a 60-minute session moderated by Covington partner Holly Fechner. Key takeaways from the Forum are outlined below.

Continue Reading Covington Tech Briefing Spotlight: Impact of Latest Policy Developments on the Tech Industry

As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.

The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so. See our post on NIS2 here for an overview of the requirements of NIS2).

The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:

  • Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
  • Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
  • Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.

Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.

Continue Reading Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill

On October 29, 2025, the Federal Communications Commission (“FCC”) released its Second Report and Order (the “R&O”) and Second Further Notice of Proposed Rulemaking (“FNPRM”) concerning changes to its equipment authorization rules.  The R&O and FNPRM continue the FCC’s ongoing efforts to update the agency’s equipment authorization rules to “protect

Continue Reading FCC Modifies Equipment Authorization Rules to Address National Security Concerns

The government is officially closed, and the House of Representatives is in an extended recess, but the Senate keeps working. 

On Wednesday October 22, the Senate Foreign Relations Committee held a business meeting to consider 19 bills and approve two nominations (Joel Rayburn to be Assistant Secretary of State for Near Eastern Affairs and Andrew Veprek to be Assistant Secretary of State for Population, Refugees and Migration).  The bills focused mostly on Russia’s war in Ukraine, and on security concerns relating to China, and generally commanded bipartisan support.  All of the bills were approved, though some were amended.

One of the more consequential bills was the “REPO Implementation Act”, S. 2918, sponsored by Sen. Whitehouse, and co-sponsored by, among others, Foreign Relations Committee Chairman Risch.  This bill seeks to build on last year’s “Rebuilding Economic Prosperity and Opportunity for Ukrainians Act”, or “REPO Act”.  That legislation granted authority to the President to confiscate the approximately $5 billion in immobilized Russian sovereign assets in the United States and provide that money to Ukraine and Ukrainian claimants as compensation for the injuries inflicted on them by the war. 

Continue Reading Senate Foreign Relations Committee Action on Russia and China-related Legislation

The war in Ukraine, and other recent geopolitical conflicts, has underscored the need for EU-based defence capabilities to scale up to face these challenges. Several EU initiatives which have sought to stimulate investment are starting to bear fruit, as the European Defence Agency recently reported record high defence spendings in the EU (€350bn for 2024, a 19% increase to 2023). Political support for the sector has been demonstrated by Commission President Von Der Leyen proclaiming “a new era for European Defence and Security” in her latest State of the European Union address.

In this context, understanding the regulatory framework applicable to investments in the EU defence sector is proving increasingly important. Foreign direct investment (“FDI”) screening regimes represent one of the most important regulatory checks to clear for investors.

This blog post reviews five key points for investors to consider when making investments in the defence sector given the current geopolitical context.

Continue Reading Five Key Points on FDI Screening in the EU Defence Sector

Earlier this month on September 8, the Federal Communications Commission (FCC) announced that it was taking an initial set of actions to address threats posed by so-called “bad labs.”  “Bad labs” consist of test labs that review and approve radio frequency emitting devices for use in the U.S. but are

Continue Reading FCC Takes Action on Certain “Bad Labs”

The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally-binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive is available here). On 28 July 2025, the European Commission adopted an Implementing Regulation (“IR”) setting out the technical specifications for the decentralized communications system that LEAs and covered service providers must use when, among other things, issuing and responding to European Production Orders (“EPOs”) and European Preservation Orders (“EPrOs”) under the e-evidence Regulation.

Continue Reading European Commission adopts technical standards for the decentralized communication system to be used under the forthcoming e-evidence Regulation

On July 23, the White House released its AI Action Plan, outlining the key priorities of the Trump Administration’s AI policy agenda.  In parallel, President Trump signed three AI executive orders directing the Executive Branch to implement the AI Action Plan’s policies on “Preventing Woke AI in

Continue Reading Trump Administration Issues AI Action Plan and Series of AI Executive Orders