ENISA, the European Union Agency for Cybersecurity, analyses the main changes for telecom security supervision under the new European Electronic Communication Code (EECC).
Telecom security supervision
In the EU, providers of electronic communications fall under security rules and security supervision by national authorities in the EU Member States. The report published today, called “Security supervision under the EECC”, is a first step to support EU Member States in their implementation of the new rules called the European Electronic Communication Code. The report highlights the main changes and identifies the key areas where future work is needed by the national authorities and ENISA, the EU Agency for Cybersecurity.
Key changes in the legislation
We see 7 important changes for telecom security supervision:
- Over-The-Top (OTT) services, such as WhatsApp and Gmail, will be in scope of the EU telecom rules and will be supervised by national authorities.
- The new rules provide an EU-wide definition of security requirements and security incidents for the telecom sector. They clarify, for example, that breaches of confidentiality of communications, or issues with the authentication of users, are in scope. Previously this was left up to interpretation. This meant there was no clear mandate for authorities to address them.
- The new rules require telecom providers to implement state-of-the-art measures, such as (end-to-end) encryption. This is important to protect the security and privacy of consumers in the EU.
- Telecom providers are also required to promote, with their customers, the use of encryption tools, and to inform their customers about possible threats, so they can protect themselves.
- Additionally, the national telecom authorities can ask telecom providers to mitigate specific cyber threats, even before there are actual incidents.
- The new rules clarify what parameters need to be considered in telecom security breach reporting to assess the significance of breaches, such as, among others, the impact on economic and societal activities.
- Under the new rules the national telecom regulators will be able to collaborate with the other national authorities for cybersecurity, such as CSIRTs. This will improve situational awareness across the board and make supervision more effective and more consistent across different sectors.
Juhan Lepassaar, the Executive Director of the EU Agency for Cybersecurity, said:
“In 2020 the new European Electronic Communications Code will come into force. It aims to improve the security of electronic communications services. Anticipating this transition, to make the most out of the new rules, ENISA started collaborating with the national telecom regulators from across Europe. Our goal is to ensure that these new provisions will be rolled out effectively and efficiently, with maximum benefit for the security and privacy of EU consumers, whether they call, chat, text, or email.”
Target Audience
This report provides recommendations for ministries and telecom regulators across Europe. It could also be useful for experts in the electronic communications sector (providers, industry associations).
Timeline
ENISA foresees the following areas of potential cooperation with the Member States over the next 2-3 years:
- Review and update of the existing security measures framework
- Development of national reporting thresholds and new incident reporting guidelines
- Development of cross-border approaches to security supervision
ENISA will work closely on these areas with the Article 13a Expert Group, a group of experts from the European Security Authorities.
Background
The new European Electronic Communication Code (EECC), adopted in December 2018, replaces the existing EU telecom regulatory framework and brings significant changes, among others, in the security supervision of electronic communication services. The EECC requires Member States to implement the new rules by the end of 2020.
The ENISA Article 13a expert group was set up in 2010, with the goal of bringing together experts from NRAs from across the EU to agree on a harmonised implementation of the security supervision requirements and incident reporting process according to the provisions of Article 13a (of the Framework Directive 2009/140/EC). The results of this collaboration have been the guidelines on incident reporting, security measures, and threats and assets. Moreover, ENISA annually publishes a report on Telecom Security Incidents.
Further information:
Full report: Security supervision under the EECC.
The European Electronic Communications Code Directive.
The Article 13a Expert Group portal.
Press and Media:
For further queries or interviews, please contact press@enisa.europe.eu.