A new legal opinion by leading international investment law expert Professor Christoph Schreuer warns that the European Commission’s proposed Cybersecurity Act (CSA) could place EU member states in a difficult legal position, potentially exposing them to compensation claims from Chinese investors under existing bilateral investment treaties (BITs).
The opinion, commissioned by international law firm Gaillard Banifatemi Shelbaya Disputes and dated 4 May 2026, examines the legal consequences of a potential conflict between the proposed EU cybersecurity legislation and investment protection agreements that almost all EU member states maintain with China.
Under the draft legislation, the European Commission would gain extensive powers to identify and exclude so-called “high-risk suppliers” from European information and communications technology (ICT) markets. The proposed measures could affect suppliers involved in key digital infrastructure, including 5G networks, telecommunications systems and other strategic ICT assets.
Potential legal collision
According to Schreuer, the central issue is that while the Cybersecurity Act would be directly applicable across the European Union, EU member states remain bound by their separate bilateral investment treaties with China. These treaties generally guarantee protections against expropriation, discriminatory treatment and unfair treatment of Chinese investments.
The opinion concludes that compliance with EU legislation would not automatically shield member states from liability under international law.
“Member States would remain bound by their respective BITs with China in the event of a conflict between their obligations under the CSA and those arising under the BITs,” Schreuer writes.
The analysis argues that international law does not allow to invoke domestic legislation—including EU law—as a justification for breaching treaty obligations. As a result, if measures taken under the Cybersecurity Act adversely affect Chinese investors, member states could still face international arbitration claims.
Chinese investors could seek compensation
A key finding of the report is that Chinese investors may have access to binding arbitration mechanisms under existing investment treaties.
The opinion notes that all EU member states except Ireland currently have BITs in force with China, and most of these treaties provide avenues for investor-state arbitration. Successful claims could result in compensation for the Chinese investors who would be harmed by individual awards against the member states concerned.
Schreuer argues that the legal risk would not disappear even if EU member states attempted to terminate their investment treaties with China. Most of these agreements contain “sunset clauses” that continue protecting existing investments for periods ranging from 10 to 20 years after termination.
The report, therefore, concludes that terminating BITs would not provide a practical solution to any conflict between EU cybersecurity rules and international investment obligations.
EU law and international law operate at different levels and remain separate
The opinion also rejects arguments that European law automatically overrides the investment treaties or that the treaties can simply be interpreted in line with EU legislation.
According to Schreuer, China is a third state and not a party to EU treaties and therefore cannot be bound by EU legislation. He argues that from China’s perspective, EU law remains res inter alios acta—a legal arrangement between other parties that does not alter rights.
The report further notes that current EU law continues to allow member states to maintain investment treaties with third countries pending the negotiation of future EU-level agreements. However, this does not remove member states’ obligations either under EU law or under international treaty law.
Wider implications
The legal opinion arrives as Brussels seeks to strengthen Europe’s digital sovereignty and reduce perceived cybersecurity risks in critical infrastructure supply chains.
While the proposed Cybersecurity Act is intended to enhance the security of European networks and supply chains, the report suggests that policymakers may also need to consider the financial and legal consequences of measures affecting foreign investors.
Schreuer’s conclusion is stark: if the Cybersecurity Act is adopted in its current form and creates a conflict with existing investment treaties, EU member states could find themselves caught between two legal systems, facing potential liability if their international obligations are breached, whichever course of action they choose.
Photo by Lewis Kang’ethe Ngugi on Unsplash
