For Telcos
In today’s interconnected world, telecommunications are transforming the way people engage in their everyday lives. Economic development is strongly related to the existence and well-functioning of the telecommunication networks. Electronic communications services guarantee the smooth transmission of data in this strongly interconnected world by providing the infrastructure for business services to run. Electronic communication services also play a significant role in national security, emergency response and in the economic development of a country. As a result, an outage in any one of these areas can result in severe consequences.
The Telecom Package represents the EU's regulatory framework for electronic communications and is, according to the EU Commission’s website, “[…] a series of rules which apply throughout the EU member states. It encourages competition, improves the functioning of the market and guarantees basic user rights. The overall goal is for European consumers to be able to benefit from increased choice thanks to low prices, high quality and innovative services”[1]. The Telecom Package was adopted in November 2009, as a review of the European Union Telecommunications Framework 2007 – 2009.
Art. 13a of the Directive 2009/140 EC is part of the Telecom Package and aims at ensuring the security and integrity of electronic communication networks and services, dealing mostly with the prevention of outages or service disruption (availability of the service). This is partially achieved by requiring telecommunication service providers to take the appropriate technical and organizational measures to manage the risks posed to the security of networks and services, to guarantee the integrity of their networks (ensuring the continuity of supply of services provided over those networks) and to notify the competent national regulatory authority (NRA) of a breach of security or loss of integrity that has had a significant impact on the operation of networks or services.
Published in 2009, Art. 13a required transposition by 2011. However, the transposition timeframe and process varied significantly from one country to another. Countries' maturity levels and the complexity of national legislation and processes affected the ability of some countries to comply with the deadlines, resulting in certain gaps between countries over time. Today, the majority of countries have implemented the provisions of Art. 13a in one way or another, with the exception of one country. Art. 13a also designates ENISA, along with the European Commission (EC), as the bodies responsible for collecting the notifications received and the actions taken within member states under the provisions of national implementations of Art. 13a. Besides this specific mandate, according to the directive, ENISA should also contribute to the “harmonization of appropriate technical and organizational security measures by providing expert advice” and by “promoting the exchange of best practices”.
In response to the directive’s requirements, in 2010 ENISA, Ministries and NRAs from member states initiated a series of meetings (workshops, conference calls) in order to achieve a harmonized implementation of Art. 13a of the Framework directive. As a result of these meetings, a group of experts from NRAs, now called the Art. 13a Expert Group, reached agreement on three non-binding technical documents providing guidance to the NRAs in the EU member states:
- Technical Guideline on Incident Reporting
- Technical Guideline on Security Measures
- Technical Guideline on Threats and Assets
The Art. 13a Expert Group continues to meet several times a year to develop and improve the technical guidelines, to discuss the implementation of Art. 13a, and to share knowledge and exchange views about past incidents and how to address them. At one of the meetings we shot a video explaining what Article 13a is and how the Article 13a WG works.
For more information please contact: incidents [at] enisa [dot] europa [dot] eu