Image
Error message
Fostering robust cybersecurity practices in the telecommunications industry
The European Union (EU) places great emphasis on cybersecurity within the telecom sector, defining measures to ensure the security of telecommunications networks and services.
In 2009, Article 13a was introduced as part of the Telecoms Framework Directive. Article 13a required EU Member States to ensure that providers of electronic communications networks and services take appropriate security measures to protect their security and integrity.
In December 2018, a new set of telecom rules called the European Electronic Communications Code (abbreviated as the EECC) was adopted. EU countries had to transpose this EU directive into national law by 21 December 2020.
Article 40 of the EECC, which replaces the above-mentioned Article 13a, contains detailed security requirements for electronic communication providers. Article 41 of the EECC, which replaces Article 13b of the Framework Directive, outlines how competent authority can enforce these security requirements. Although the security requirements under the EECC are similar to the security requirements under the Framework directive, there are differences between the two legal acts.
An overview of the main differences can be found in the ENISA report “Security supervision under the EECC”.
In December 2022, Directive (EU) 2022/2555 was adopted, the NIS 2 Directive, repealing the NIS Directive (Directive (EU) 2016/1148) and amending the EECC. Specifically, while Articles 40 and 41 are removed from the EECC, providers or electronic communications and services are now under the scope of NIS 2 Directive.
As with Article 13a and Articles 40 and 41 of the EECC, ENISA supports the EU Member States with the implementation of the NIS 2 directive to ensure there is an effective, efficient, and harmonized approach to telecom security supervision across the EU.
ENISA's activities are mainly conducted through the European Competent Authorities for Secure Electronic Communications Expert Group - ECASEC EG (formerly known as the Article 13A Expert Group). The group was initially formed in 2010 by ENISA, European Commission (EC), National Ministries and National Competent Authorities for the security of electronic communications to facilitate a process of voluntary and informal collaboration between experts. Following the introduction of the European Electronic Communications Code (EECC), the group was renamed ECASEC (European Competent Authorities for Secure Electronic Communications). Although ECASEC has no formal status and operates on a voluntary basis, ENISA has provided ongoing support to EU Member States in overseeing telecom sector security, reinforcing its commitment to strengthening cybersecurity in the industry.
5G Security
Securing 5G networks is crucial for protecting our economies and societies while unlocking their immense potential. It also plays a significant role in maintaining the European Union's technological sovereignty.
In January 2020, following the EU-wide coordinated risk assessment of 5G networks security, the Member States’ Cooperation Group on Network and Information Security (NIS Cooperation Group) supported by the European Commission and ENISA established a Toolbox of mitigating measures related to cybersecurity of 5G networks. The 5G Toolbox provides guidance for the selection of strategic, technical and supporting measures which should be prioritised in mitigation plans at national and at Union level.
ENISA’s work related to 5G cybersecurity builds upon its expertise in telecom security and focuses on supporting the implementation of the 5G Toolbox. Through the development of guidelines and best practices on network security, including integration with existing 5G standards, ENISA aims to provide extensive support in implementing the technical measures outlined in the EU's 5G Cybersecurity Toolbox
5G Security Certification
In response to a request from the European Commission, ENISA is currently preparing a candidate cybersecurity certification scheme on 5G. As part of this process, ENISA has created an Ad Hoc Working Group (EU5G AHWG) to contribute to the development of the candidate scheme.
5G Security Controls Matrix
In line with the EU Cybersecurity strategy, ENISA is actively developing a "comprehensive and dynamic matrix of security controls and best practices for 5G security", known as the 5G Security Controls Matrix. This effort involves close collaboration with national authorities in EU Member States and consultation with industry experts from the EU telecom sector.
Related content
Low Earth Orbit (LEO) SATCOM Cybersecurity Assessment
This report explores the cybersecurity of Low Earth Orbit (LEO) constellations providing telecommunications services (LEO satcom). Examining various threats and risks-technical, financial, or commercial the landscape of potential attacks is vast.
Undersea cables
This report aims to follow up with detailed technical guidelines for national authorities and to support them with the technical aspects of the supervision of undersea cables and their associated infrastructure, including landing stations and cable net
Health Threat Landscape
This is the first analysis conducted by the European Union Agency for Cybersecurity (ENISA) of the cyber threat landscape of the health sector in the EU.
Good Practices for Supply Chain Cybersecurity
The report provides an overview of the current supply chain cybersecurity practices followed by essential and important entities in the EU, based on the results of a 2022 ENISA study which focused on investments of cybersecurity budgets among organisat