Fostering robust cybersecurity practices in the telecommunications industry
The European Union (EU) places great emphasis on cybersecurity within the telecom sector, defining measures to ensure the security of telecommunications networks and services.
In 2009, Article 13a was introduced as part of the Telecoms Framework Directive. Article 13a required EU Member States to ensure that providers of electronic communications networks and services take appropriate security measures to protect the security and integrity of those networks and services.
In December 2018, a new set of telecom rules called the European Electronic Communications Code (abbreviated as the EECC) was adopted. EU countries had to transpose this EU directive into national law by 21 December 2020.
Article 40 of the EECC, which replaces the above-mentioned Article 13a, contains detailed security requirements for electronic communication providers. Article 41 of the EECC, which replaces Article 13b of the Framework Directive, outlines how competent authorities can enforce these security requirements. Although the security requirements under the EECC are similar to the security requirements under the Framework Directive, there are differences between the two legal acts.
An overview of the main differences can be found in the ENISA report “Security supervision under the EECC”.
In December 2022, Directive (EU) 2022/2555, the NIS 2 Directive, was adopted, repealing the NIS Directive (Directive (EU) 2016/1148) and amending the EECC. Specifically, while Articles 40 and 41 are removed from the EECC, providers of electronic communications and services are now within the scope of the NIS 2 Directive.
As with Article 13a and Articles 40 and 41 of the EECC, ENISA supports the EU Member States with the implementation of the NIS 2 Directive to ensure there is an effective, efficient, and harmonized approach to telecom security supervision across the EU.
ENISA's activities are mainly conducted through the European Competent Authorities for Secure Electronic Communications Expert Group - ECASEC EG (formerly known as the Article 13A Expert Group). The group was initially formed in 2010 by ENISA, the European Commission (EC), National Ministries and National Competent Authorities for the security of electronic communications to facilitate a process of voluntary and informal collaboration between experts. Following the introduction of the European Electronic Communications Code (EECC), the group was renamed ECASEC (European Competent Authorities for Secure Electronic Communications). Although ECASEC has no formal status and operates on a voluntary basis, ENISA has provided ongoing support to EU Member States in overseeing telecom sector security, reinforcing its commitment to strengthening cybersecurity in the industry.
5G Security
Securing 5G networks is crucial for protecting our economies and societies while unlocking their immense potential. It also plays a significant role in maintaining the European Union's technological sovereignty.
In January 2020, following the EU-wide coordinated risk assessment of 5G network security, the Member States’ Cooperation Group on Network and Information Security (NIS Cooperation Group), supported by the European Commission and ENISA, established a Toolbox of mitigating measures related to the cybersecurity of 5G networks. The 5G Toolbox provides guidance for the selection of strategic, technical and supporting measures which should be prioritised in mitigation plans at national and at Union level.
ENISA’s work related to 5G cybersecurity builds upon its expertise in telecom security and focuses on supporting the implementation of the 5G Toolbox. Through the development of guidelines and best practices on network security, including integration with existing 5G standards, ENISA aims to provide extensive support in implementing the technical measures outlined in the EU's 5G Cybersecurity Toolbox.
5G Security Certification
In response to a request from the European Commission, ENISA is currently preparing a candidate cybersecurity certification scheme on 5G. As part of this process, ENISA has created an Ad Hoc Working Group (EU5G AHWG) to contribute to the development of the candidate scheme.
5G Security Controls Matrix
In line with the EU Cybersecurity strategy, ENISA is actively developing a "comprehensive and dynamic matrix of security controls and best practices for 5G security", known as the 5G Security Controls Matrix. This effort involves close collaboration with national authorities in EU Member States and consultation with industry experts from the EU telecom sector.