4 May 2026
- China objects to the European Commission’s Proposal for the revision of the EU’s Cybersecurity Act, citing discrimination against Chinese suppliers
- Uncorking the bottle: Thailand’s Ministry of Finance eases regulatory barriers on imports of alcoholic beverages
- The questionable exclusion of novel foods from regulatory sandboxes under the proposed European Biotech Act
- Recently adopted EU legislation
China objects to the European Commission’s Proposal for the revision of the EU’s Cybersecurity Act, citing discrimination against Chinese suppliers
By Amanda Carlota, Stella Nalwoga, and Tobias Dolle
On 17 April 2026, the Government of China expressed “serious concerns” regarding the European Commission’s (hereinafter, the Commission) Proposal for the revision of the EU’s Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (hereinafter, the Proposal). A spokesperson for China’s Ministry of Commerce stated that the proposed amendments were “suspected of violating” basic principles of the World Trade Organization (hereinafter, WTO).
This article provides an overview of the EU’s Cybersecurity Act and the key changes foreseen in the Proposal, examines China’s objections, and analyses whether the proposed amendments are compatible with the EU’s WTO obligations.
Growth of cyber threats
The Council of the EU defines ‘cybersecurity’ as “the practice of protecting computers, servers, networks, data and systems from malicious attacks, unauthorised access and damage”, collectively known as “cyber threats”. The Council notes that, due to digitalisation, cyber threats to the EU have been “not only increasing in volume but also evolving in complexity”, leading to the adoption of the EU’s Cybersecurity Act, which entered into force on 27 June 2019. The EU’sCybersecurity Act strengthened the EU Agency for Cybersecurity (ENISA) and established a cybersecurity certification framework for information and communication technologies (hereinafter, ICT) products and services.
In January 2020, the European Commission published the EU 5G Security Toolbox, which laid out voluntary measures intended to lessen the EU’s dependence on third-country suppliers in ‘fifth-generation’ (hereinafter, 5G) mobile electronic communications networks. However, over the past five years, EU Member States have been relatively slow to implement the EU 5G Security Toolbox. Therefore, on 20 January 2026, the Commission presented its Cybersecurity Package, which foresees measures to strengthen the EU’s cybersecurity resilience and capabilities, including the Proposal to revise the EU’s Cybersecurity Act and to transform the voluntary measures in the EU 5G Security Toolbox into legally binding obligations.
Securing the EU’s ICT supply chains by excluding “high-risk suppliers”
With the Proposal for the revision of the Cybersecurity Act, the European Commission seeks to secure the EU’s ICT supply chains by excluding “third countries posing cybersecurity concerns”. This refers to third countries that are deemed to pose “serious and structural non-technical” risks, based on certain criteria, such as whether they require entities within their jurisdiction to report software or hardware vulnerabilities before those vulnerabilities are known to have been exploited.
The Proposal also foresees to exclude “high-risk suppliers” that are “established in, or controlled by, a third country posing cybersecurity concerns” from applying for or holding European cybersecurity certificates and from providing ICT components to public or private entities in the “sectors of high criticality” or in “other critical sectors” as listed in Annexes I and II to Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (known as the Directive on Network and Information Systems (NIS) 2). These critical sectors include energy, transport, banking, public administration, and digital infrastructure.
High-risk suppliers would also be prohibited from participating in public procurement procedures for the provision of ICT components to the State, regional or local authorities of EU Member States for use in key ICT assets. The Proposal for the revision of the Cybersecurity Act also foresees a mandatory phase-out period of 36 months for ICT components from high-risk suppliers that are currently being used in 5G networks.
Identifying and mitigating “non-technical risks”
Under the Proposal for the revision of the Cybersecurity Act, the exclusion of third countries posing cybersecurity concerns is not automatic. Rather, it follows a multi-step process, which begins with either an EU-level coordinated security risk assessment or a public statement on behalf of the EU or an EU Member State. The Commission will then verify whether the third country indeed poses a “serious and structural non-technical” risk, and if so, will adopt an implementing act to formally designate that third country as a country posing cybersecurity concerns.
Similarly, the identification of high-risk suppliers starts with an assessment by the Commission of suppliers established in, or controlled by, a third country posing cybersecurity concerns, or an entity or national of such third country. The Commission would assess the supplier’s establishment, control, and ownership structure, give the supplier an opportunity to be heard, and thereby determine whether the supplier poses a high risk. Identified high-risk suppliers may request a re-assessment “upon provision of evidence that there have been relevant changes”. They may also make a “reasoned request” to the Commission to be exempt from the prohibition on supplying ICT components and/or participating in public procurement procedures.
Reducing dependence on third-country suppliers, especially China
The Proposal for the revision of the Cybersecurity Act is worded neutrally and does not single out specific countries or companies. However, China claims that the Proposal for the revision of the Cybersecurity Act introduces “highly subjective and arbitrary” non-technical risk criteria, which allegedly target China and Chinese companies. As such, China argues that the Proposal is “suspected of violating fundamental WTO principles”, such as ‘Most-Favoured-Nation’ (hereinafter, MFN) treatment and national treatment, which prohibit WTO Members from discriminating between their trading partners. China, therefore, urges the Commission to delete the provisions on “third countries posing cybersecurity concerns” and “non-technical risks” and to either delete or “substantially” modify the criteria for identifying “high-risk suppliers”.
Given the introduction of “non-technical risk” criteria in designating third countries posing cybersecurity concerns and the possible identification of high-risk suppliers connected to such countries, the revision of the Cybersecurity Act may have a significant impact on trade. It raises interesting questions as to which areas of WTO law could be invoked in an attempt to scrutinise or challenge the proposed legislation. A country could avail itself of some of the typical pathways used in challenging product-based measures under the General Agreement on Tariffs and Trade (GATT) and in relation to trade in services under the General Agreement on Trade in Services (GATS).
The EU measure could potentially be challenged for breaching obligations relating to the MFN treatment (under Article I:1 of the GATT and Article II of the GATS) and national treatment (under Article III:4 of the GATT and Article XVII of the GATS), which require WTO Members to treat foreign suppliers equally and no less favourably than domestic ones, and/or as part of a claim that a given measure represents a ‘quantitative restriction’ on imports (under Article XI:1 of the GATT). In such a scenario, the EU could seek to justify such measures under relevant WTO exceptions.
In the context of services, Article XIV(a) of the GATS allows Members to adopt measures necessary to “maintain public order”, which could arguably encompass cybersecurity concerns. With respect to trade in goods, the EU could rely on Article XX(d) of the GATT, to the extent that the proposed measures are framed as “necessary to secure compliance” with existing EU cybersecurity laws and regulations.
Next steps
The Proposal for the revision of the Cybersecurity Act has been submitted to the European Parliament and the Council of the EU for their agreement of a common text. Once the final text has been agreed upon and adopted, EU Member States will have one year to transpose the revised Cybersecurity Act into their national legislation. Businesses in critical sectors, which source ICT components from third countries, are advised to closely monitor developments.
For any additional information or legal advice on this matter, please contact Tobias Dolle
Uncorking the bottle: Thailand’s Ministry of Finance eases regulatory barriers on imports of alcoholic beverages
By Joanna Christy, Pattranit Chantaplaboon, and Paolo R. Vergano
On 27 March 2026, Thailand took a significant step towards modernising its import regime for alcoholic beverages. Ministerial Regulation on the Importation of Alcoholic Beverages (No. 3) B.E. 2569 (2026) (hereinafter, Ministerial Regulation No. 3) amends Ministerial Regulation on the Importation of Alcoholic Beverages B.E. 2560 (2017) (hereinafter, Ministerial Regulation of 2017), which governs the licensing and control of imports of alcoholic beverages into Thailand. The new Ministerial Regulation No. 3 seeks to streamline import procedures, remove unnecessary regulatory barriers, and support tourism-related economic activities through greater product diversity of wine products.
This article provides an overview of Thailand’s import regime for alcoholic beverages, examines the key amendments introduced by Ministerial Regulation No. 3, and discusses its commercial implications.
Thailand’s framework for the importation of alcoholic beverages
The importation of alcoholic beverages into Thailand is subject to a licensing regime under the Excise Tax Act B.E. 2560(2017). Section 152 thereof defines ‘alcoholic beverages’ as all beverages containing alcohol exceeding 0.5% alcohol by volume. Pursuant to Section 154, imports of alcoholic beverages into Thailand must obtain an import licence from Thailand’s Excise Department, with the detailed rules and procedures set out in the Ministerial Regulation of 2017. According to Clause 2(1) to (5) of the Ministerial Regulation of 2017, there are five types of import licences for the importation of alcoholic beverages, depending on where the alcoholic beverages are to be sold or used in the Thai market, namely: Type 1) For domestic sale (e.g., at restaurants and supermarkets); Type 2) For sale in duty‑free shops; Type 3) For use as samples or for non‑commercial purposes; Type 4) For use as raw materials in the manufacture of alcoholic beverages; and Type 5) For purposes “other than those falling under Types 1 to 4”.
In addition, Thailand has imposed a “sole‑agent” requirement in Clause 3(1) of Ministerial Regulation of 2017, under which only a single authorised importer is allowed to import and distribute a specific brand of alcoholic beverages into Thailand. Prior to importation, Type 1 licence applicants must obtain an approval from the Excise Department for Thai-language labels that are to be affixed to imported alcoholic beverage containers.
Key changes under Ministerial Regulation No. 3
According to Thailand’s Ministry of Finance, the Ministerial Regulation No. 3 aims to, inter alia, “reduce administrative procedures and legal barriers for importers, enhance tourism and business competitiveness, and improve the efficiency of excise tax supervision through legal reform and the adoption of digital tools”. In pursuit of these objectives, the Ministerial Regulation No. 3 amends the import licensing framework for alcoholic beverages by: 1) Clarifying the scope of the Type 5 import licence for other purposes; 2) Eliminating the sole‑agent requirement for the import of wine and sparkling wine made from grapes; 3) Replacing paper‑based administrative procedures for submitting import licence applications and relevant documents with fully electronic processes; and 4) Removing the requirement for Type 1 import licence applicants to obtain approval for the Thai-language label prior to importation. These amendments are implemented through four distinct notifications issued by Thailand’s Excise Department.
From legal ambiguity to defined import scenarios for the Type 5 import licence
Under the previous regime, the scope of a Type 5 import licence and the related issuance criteria were unclear. The Ministerial Regulation of 2017 did not specify what import purposes fell within the scope of purposes “other than those falling under Types 1 to 4”. Therefore, Excise officials had unguided discretion to determine whether or not to approve relevant applications. To address this issue, Clause 2 of the Ministerial Regulation No. 3 empowers Thailand’s Director‑General of the Excise Department to specify importation cases not falling within Types 1 to 4, as further elaborated in the Notification of the Excise Department Prescribing Type 5 Licence for the Importation of Alcoholic Beverages into the Kingdom.
Under this Notification, the Type 5 licence covers importation for, inter alia: 1) Re-export; 2) Use as raw materials or components in non‑alcoholic industrial activities (e.g., fuel ethanol, chemical, medicines); 3) Non‑commercial purposes, including product samples and personal consumption, in a quantity not exceeding 200 litres per importation; and 4) Use in bio‑ethylene industrial operations, limited to imported “Tri‑fold distilled spirits” (i.e., a distilled alcoholic beverages containing alcohol not less than 80% alcohol by volume).
The removal of the sole-agent requirement for wine and sparkling wine
Under the previous framework, the import of alcoholic beverages under the Type 1 licence was only granted to a single authorised importer to import and distribute a specific brand of alcoholic beverages into Thailand. Clause 3 of the Ministerial Regulation No. 3 empowers the Director‑General of the Excise Department to grant Type 1 import licences without this requirement. This amendment has been implemented through the issuance of the Notification of the Excise Department Prescribing Sole Distributors of Alcoholic Beverages to Be Imported into the Kingdom for Applicants for Type 1 Import Licences, which exempts wine and sparkling wine made from grapes. This limited exemption may be extended to other alcoholic beverage categories through the issuance of additional notifications by the Excise Department. The Director-General of the Excise Department within Thailand’s Ministry of Finance, Pornchai Thirawet, stated that the “reason we started with wine is because it is easy to implement, and domestic wine is still expensive. However, as competition increases, there is a chance prices will decrease”.
The exemption from the sole‑agent requirement for wines means a shift from exclusive distribution to allowing multiple importers to import and distribute the same wine brands without the brand owner’s chosen “official” importer, aiming to reduce monopolisation and boost competition. This is likely to lower entry barriers, expand supply, and exert downward pressure on prices. The exemption has led to criticism from certain industry stakeholders. In particular, the Thai Chamber of Commerce has argued that the previous framework served as an important trade‑governance mechanism by ensuring clear accountability for controlled importers on product safety, warning that liberalising imports of alcoholic beverages could, inter alia, make it more difficult to control product standards, increase the risk of counterfeit goods, weaken consumer protection, and undermine importer accountability. Implementation of the new rules will show whether these concerns are indeed justified.
Implications for businesses
The revision of Thailand’s import regime for alcoholic beverages signals a step towards a modernised and more streamlined regulatory framework. Removing the sole-agent requirement allows multiple importers to import the same wine brands without exclusive rights, increases competition among distributors, might expands product variety, and may lead to reduced prices, thereby making wine more accessible to Thai consumers.
At the same time, in order to address businesses’ concerns regarding reduced oversight, particularly risks to product standards, consumer protection, and importer accountability, effective enforcement and market surveillance will be critical to deter any fraudulent or illegal imports and ensure food safety and traceability. Businesses are encouraged to seek legal assistance to fully take advantage of the opportunities presented by Thailand’s updated framework for imports of alcoholic beverages.
For any additional information or legal advice on this matter, please contact Paolo R. Vergano
The questionable exclusion of novel foods from regulatory sandboxes under the proposed European Biotech Act
By Ignacio Carreño García, Paolo R. Vergano, and Tobias Dolle
On 16 December 2025, the European Commission (hereinafter, the Commission) published its proposal for the European Biotech Act. The proposal foresees to amend, inter alia, Regulation (EC) No 178/2002 laying down the general principles and requirements of food law, the EU’s General Food Law, by introducing the possibility of regulatory sandboxes for the food sector, with potential involvement of the European Food Safety Authority (hereinafter, EFSA).[FV1] A regulatory sandbox refers to “a controlled environment where participants can test innovative products or substances and related processes as well as data and other regulatory requirements at a pre-market stage under a set of defined rules and monitoring and for a limited period of time”.
This article analyses the proposed European Biotech Act, the exemption of novel foods from regulatory sandboxes, a joint industry statement on regulatory sandboxes, and how this topic is addressed in the UK.
The proposed European Biotech Act
On 16 December 2025, the Commission adopted a Proposal for a Regulation of the European Parliament and of the Council on establishing a framework of measures for strengthening Union’s biotechnology and biomanufacturing sectors particularly in the area of health (European Biotech Act). The European Biotech Act was announced in the 2024 – 2029 Political Guidelines of the Commission, with the aim of creating an enabling environment to make it easier to bring biotechnology products from the laboratory to the factory and onto the market, while maintaining the highest safety standards for the protection of the population and the environment.
The European Biotech Act foresees to create an enabling environment for innovation and development in order to accelerate time to market. With its primary focus on health, the proposal would amend various existing EU legal instruments, namely Regulation (EU) No 536/2014 on clinical trials; Regulation (EC) No 1394/2007 on advanced therapy medicinal products; Regulation (EU) 2024/1938 on standards of quality and safety for substances of human origin; Regulation (EU) 2019/6 on veterinary medicinal products; Directive 2001/18/EC on genetically modified organisms; Regulation (EU) 2024/795 establishing the Strategic Technologies for Europe Platform; and Regulation (EC) No 469/2009 on supplementary protection certificates.
In the field of food safety, amendments are proposed to the EU’s General Food Law, in order to streamline risk assessment processes. A key change concerns the introduction of “provisions for regulatory sandboxes, allowing EU Member States to test innovative technologies under harmonised conditions that foster innovation while safeguarding consumer health and safety. Such amendments should contribute, amongst others, to accelerating the risk assessment process carried out by EFSA for products that are subject to pre-market authorisation in accordance with Union food and feed law and foster innovation in the sector”.
Regulatory sandboxes and a peculiar exception for novel foods
Notably, the European Biotech Act proposes to insert an Article 49a to the EU’s General Food Law, which would provide, in relevant part, that “1. A Member State or several Member States jointly may establish regulatory sandboxes (…). 2. Regulatory sandboxes may be established in relation to the following: (a) all stages of the production, processing and distribution of food with the exception of novel foods, and also of the feed produced for, or fed to food-producing animals; (b) food contact materials, with the exception of plastic recycled materials; (…)”.
The proposed act allows regulatory sandboxes to apply to food enzymes, food additives, flavourings, and processing aids, as well as to feed, food contact materials, and food production processes. Regulatory sandboxes would be established and operated at national EU Member State level, at the initiative of one or more EU Member States. These regulatory sandboxes would be subject to a comprehensive system of notification and reporting to the Commission.
Interestingly, though, novel foods would be excluded from the regulatory sandboxes. Recital 115 of the proposed Regulation states that “Experience has shown that certain types of novel foods trigger ethical or cultural concerns among various consumer segments regarding their acceptability. Since those aspects are best addressed within the applicable rigorous regulatory framework established by Regulation (EU) 2015/2283 of the European Parliament and of the Council, it is appropriate to exclude novel foods from the scope of regulatory sandboxes”.
With respect to the Commission’s argument that certain types of novel foods trigger ethical or cultural concerns and that, therefore, novel foods be excluded from the scope of regulatory sandboxes, it should be noted that food safety in the EU is assessed on the basis of scientific evidence. The EFSA’s mandate is strictly limited to independent, objective, and transparent scientific risk assessments. Ethical or cultural considerations do not figure among the criteria for authorisation under the EU’s Regulation (EU) 2015/2283 of the European Parliament and of the Council of 25 November 2015 on novel foods.
Regulatory sandboxes in the UK
Differently from the EU, the UK is establishing regulatory sandboxes also for novel foods, such as cell-cultivated products in which cells isolated from animals or plants, including cells from meat, seafood, fat, offal, or fertilised eggs are grown in a controlled environment, and then harvested to make a final food product. Through the Cell-Cultivated Products Sandbox Programme (February 2025 to February 2027), the UK’s Food Standards Authority is fast-tracking knowledge about cell-cultivated products and using this to produce guidance on a range of topics relevant to these products. The guidance is then used in the process of the authorisation of novel foods under Assimilated Regulation (EU) 2015/2283, the legal basis for the placing on the market of novel foods in the UK.
Raising public awareness on biotechnology and novel foods
On 31 March 2026, the European Economic and Social Committee (EESC) adopted its Opinion on the proposed European Biotech Act. The EESC does not specifically address the matter of the scope of the regulatory sandboxes, but recommends that “Actions and campaigns that highlight the social and environmental contribution of biotech solutions while also addressing society’s concerns are important for the social acceptance of biotech. Raising public awareness and acceptance about opportunities and risks of healthcare biotechnology is key for avoiding public misinformation and polarisation on topics like GMOs, gene or immunotherapies, vaccines and novel foods”. The EESC’s call to raise awareness on novel foods appears to contradict the proposed exclusion of regulatory sandboxes in this field.
On 30 March 2026, in a Joint Statement, seven associations and industry groups, namely FoodDrinkEuroperepresenting Europe’s food and drink industry; EuropaBio, representing the European biotech industry; Food Fermentation Europe, representing precision and biomass fermentation companies; EIT (European Institute of Innovation and Technology) Food, connecting startups, researchers, corporations, and consumers; the EU Agri-food Biotech Alliance, an initiative launched by EIT Food to unify research, industry, and policy for food technology; and the European Federation of Associations of Health Product Manufacturers; and Food Supplements Europe, note that, with respect to the exception for novel foods for regulatory sandboxes, “the innovation ambition of the Biotech Act I is weakened by this exclusion”.
The Joint Statement argues that many novel foods are developed through advanced biotechnological approaches, including precision- and biomass-fermentation, microbial production systems, cell-based techniques and other innovative manufacturing methods, which require new types of data, new testing strategies and new assessment approaches. Accordingly, structured “safe spaces” to clarify expectations would enhance the robustness of the safety assessment, while reducing unnecessary duplication of studies, avoidable costs and development failures, thereby streamlining the process and reducing time to market.
The Joint Statement reads that “excluding novel foods from this framework does not provide additional consumer protection”, but that, “Instead, it removes the possibility for regulators and applicants to learn, in a controlled setting, how to assess the most innovative and scientifically complex food products emerging from biotechnology and biomanufacturing, and moves this learning to the time when the novel food is submitted for safety assessment, with consequences on process, predictability and timelines”.
Outlook
The European Biotech Act is to be adopted under the EU’s ordinary legislative procedure by both the European Parliament and the Council of the EU . Once the co-legislators have agreed their respective positions, inter-institutional trilogue negotiations can commence to agree on a common text. The final adoption is not expected before late 2026 at the earliest. A second Biotech Act, covering non‑health biotechnology sectors, is expected in the second half of the year to ensure a competitive internal market for all areas of biotechnology.
For any additional information or legal advice on this matter, please contact Ignacio Carreño Garcia
Recently adopted EU legislation
Trade Law
Trade Remedies
Food Law
Imelda Jo Anastasya, Amanda Carlota, Ignacio Carreño García, Pattranit Chantaplaboon, Joanna Christy, Tobias Dolle, Alya Mahira, Stella Nalwoga, and Paolo R. Vergano contributed to this issue.
Follow us on Bluesky @fratinivergano.bsky.social
To subscribe to Trade Perspectives©, please click here. To unsubscribe, please click here.