National Security

On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation. AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property. Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here. Continue Reading CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required

In late December 2025, the FCC updated its “Covered List” to add foreign-produced unmanned aircraft systems (UAS), commonly known as drones, and their critical components after an Executive Branch interagency body determined that they pose “unacceptable risks to the national security of the United States and to the safety and security of U.S. persons.” Subsequently

Continue Reading FCC “Covered List” Updated to Include Certain Drones and Related Components, Subject to an Exception

On September 24, 2025, Covington’s tech industry experts explored what legal teams, government affairs professionals, and business leaders at tech companies need to know during this pivotal period and offered insights into anticipated challenges and emerging opportunities in the year ahead. Eight Covington attorneys shared their insights during a 60-minute session moderated by Covington partner

Continue Reading Covington Tech Briefing Spotlight: Impact of Latest Policy Developments on the Tech Industry

As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.

The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so. See our post on NIS2 here for an overview of the requirements of NIS2).

The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:

  • Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
  • Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
  • Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.

Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.

Continue Reading Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill

Updated December 4, 2025.  Originally posted November 26, 2025

On October 29, 2025, the Federal Communications Commission (“FCC”) released its Second Report and Order (the “R&O”) and Second Further Notice of Proposed Rulemaking (“FNPRM”) concerning changes to its equipment authorization rules.  The R&O and FNPRM continue the FCC’s ongoing efforts to update the agency’s equipment

Continue Reading FCC Modifies Equipment Authorization Rules to Address National Security Concerns

Earlier this month on September 8, the Federal Communications Commission (FCC) announced that it was taking an initial set of actions to address threats posed by so-called “bad labs.”  “Bad labs” consist of test labs that review and approve radio frequency emitting devices for use in the U.S. but are “ultimately owned or controlled by

Continue Reading FCC Takes Action on Certain “Bad Labs”

The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally-binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive is available here). On 28 July 2025, the European Commission adopted an Implementing Regulation (“IR”) setting out the technical specifications for the decentralized communications system that LEAs and covered service providers must use when, among other things, issuing and responding to European Production Orders (“EPOs”) and European Preservation Orders (“EPrOs”) under the e-evidence Regulation.

Continue Reading European Commission adopts technical standards for the decentralized communication system to be used under the forthcoming e-evidence Regulation

On July 23, the White House released its AI Action Plan, outlining the key priorities of the Trump Administration’s AI policy agenda.  In parallel, President Trump signed three AI executive orders directing the Executive Branch to implement the AI Action Plan’s policies on “Preventing Woke AI in the Federal Government,” “Accelerating Federal Permitting of

Continue Reading Trump Administration Issues AI Action Plan and Series of AI Executive Orders

This is part of an ongoing series of Covington blogs on the AI policies, executive orders, and other actions of the Trump Administration.  This blog describes AI actions taken by the Trump Administration in April 2025, and prior articles in this series are available here.

White House OMB Issues AI Use & Procurement Requirements for Federal Agencies

On April 3, the White House Office of Management & Budget (“OMB”) issued two memoranda on the use and procurement of AI by federal agencies: Memorandum M-25-21 on Accelerating Federal Use of AI through Innovation, Governance, and Public Trust (“OMB AI Use Memo“) and Memorandum M-25-22 on Driving Efficient Acquisition of Artificial Intelligence in Government (“OMB AI Procurement Memo”).  The two memos partially implement President Trump’s January 23 Executive Order 14179 on “Removing Barriers to American Leadership in Artificial Intelligence,” which, among other things, directs OMB to revise the Biden OMB AI Memos to align with the AI EO’s policy of “sustain[ing] and enhance[ing] America’s global AI dominance.”  The OMB AI Use Memo outlines agency governance and risk management requirements for the use of AI, including AI use case inventories and generative AI policies, and establishes “minimum risk management practices” for “high-impact AI use cases.”  The OMB AI Procurement Memo establishes requirements for agency AI procurement, including preferences for AI “developed and produced in the United States” and contract terms to protect government data and prevent vendor lock-in.  According to the White House’s fact sheet, the OMB Memos, which rescind and replace AI use and procurement memos issued under President Biden’s Executive Order 14110, shift U.S. AI policy to a “forward-leaning, pro-innovation, and pro-competition mindset” that will make agencies “more agile, cost-effective, and efficient.”

Continue Reading April 2025 AI Developments Under the Trump Administration

Since taking office, President Trump has issued dozens of executive orders, many addressing key technology policy areas that include international trade and investment, artificial intelligence (AI),  connected vehicles and drones, and trade controls.  Some of these executive actions reverse the previous administration’s efforts on these issues—such as the order revoking President Biden’s October 2023 executive order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence—and others initiate a formal review process, suggesting the Trump Administration will preserve, and perhaps strengthen or enhance, key tech policies implemented by the Biden Administration and the first Trump term.  

Several of the executive actions President Trump has taken so far offer important opportunities for stakeholders to weigh in with Executive Branch agencies as they consider next steps, including whether to revoke, expand, or retain tech policies initiated under President Biden. Key initiatives include: 

Continue Reading Flurry of Trump Administration Executive Orders Shakes Up Tech Policy, Creates Industry Opportunities