ENISA, the European Union Agency for Cybersecurity, has published a report Security Supervision Under The EECC that outlines the new set of rules for the telecoms industry called the European Electronic Communications Code 1 (abbreviated as EECC) that will be transposed into national law across the EU in 2020. At this time it remains uncertain as to whether this will affect the UK, which is in the middle of its Brexit transit, though given the timing it seems likely that it will at least have to align to these new rules.

ENISA’s paper outlines changes which adapt, extend or clarify the previous set of regulations:

  • The scope of regulations will extend to cover OTT services such as Gmail and WhatsApp.
  • A new definition of security, security incidents and security measures is now provided.
  • Service providers will have to implement state-of-the-art measures, as well as encryption and end-to-end encryption “when needed”.
  • Service providers will have to promote encryption and encryption software, and inform subscribers about threats.
  • The new rules clarify incident notification parameters, specifying factors of significance.
  • The new rules promote cross-authority support between authorities for electronic communications, national CSIRT and national authorities for the NIS Directive and data protection.
  • National telecoms authorities are to be given the power to mandate that providers should take measures to mitigate significant threats and impose a time-limit on the implementation of those measures (even before actual incidents occur).

ENISA says that this means three things need to happen. Firstly, the existing security measures framework needs to be reviewed and updated to reflect state-of-the-art, good practices and new provisions. Secondly, a common threshold and reporting model for incident notification should be developed, and should incorporate OTT services. Thirdly, a common approach to cross-border security supervision will be introduced.

ENISA will work with the industry body for European regulators, BEREC, to achieve these aims.

Posted by Teresa Cottam

Teresa is the Chief Analyst at Omnisperience and has over 25 years' experience in the telecoms and technology markets. She is an expert on SME and enterprise telecoms, and has considerable vertical market expertise. Her research focus lies in helping B2B telecoms firms become more commercially successful by better understanding and meeting their customers' needs. She is a judge of the GSMA Global Mobile Awards (GloMo's) for customer experience and enterprise innovation, and for the UK Cloud awards. You can follow her on Twitter @teresacottam

One Comment

  1. […] not just the EU that’s working on a new set of rules for cybersecurity (see ENISA outlines new cybersecurity rules for service providers and OTTs). The UK’s DCMS (Department of for Culture, Media and Sport) has now outlined a set of […]



Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s