European Agency Finds Mandatory Incident Reporting Has Improved Telecom Security


The first European Union-wide incident reporting requirement has been surprisingly successful in improving the security of European telecommunications, according to a report from the EU Agency for Network and Information Security (ENISA).

The requirement, implemented in Article 13a of the Framework Directive 2009/140/EU Telecom Package, directed operators to take measures to manage network security risks and report incidents to their national regulatory authorities. While originally aimed at preventing disruptions in service, some countries also applied Article 13a to privacy and data security.

Overall, the report evaluates five aspects of Article 13a implementation: (1) the new security measures implemented in the member states; (2) the transparency resulting from the incident reporting process; (3) the learning process resulting from incidents; (4) the level of collaboration between the stakeholders; and (5) the harmonization of the procedures within the EU.

It credited Article 13a with bringing uniformity to telecommunications security “but more importantly contributed to strengthening the European telecom infrastructure’s resilience and service availability across the EU.”

While EU fixed and mobile telephone and Internet services are covered by the incident reporting requirements, some member states also include SMS messaging (70 percent), television (45 percent) and radio broadcasting (31 percent). The report concluded that the harmonization of services covered is satisfactory, but warned that remaining differences could be an obstacle to achieving the Telecom Package’s objectives.

To remedy these shortfalls, ENISA suggested clarifying which types of networks and services should be covered, and reinforcing cross-border collaboration.

The report also found that 54 percent of respondents felt that Article 13a could only “sufficiently and clearly cover by itself security of electronic communications” in conjunction with Article 4 of the e-Privacy Directive, which requires publicly available electronic communications services, where necessary, to safeguard security in conjunction with communication network providers.
