ENISA outlines new cybersecurity rules for service providers and OTTs

ENISA, the European Union Agency for Cybersecurity, has published a report Security Supervision Under The EECC that outlines the new set of rules for the telecoms industry called the European Electronic Communications Code 1 (abbreviated as EECC) that will be transposed into national law across the EU in 2020. At this time it remains uncertain as to whether this will affect the UK, which is in the middle of its Brexit transit, though given the timing it seems likely that it will at least have to align to these new rules.
ENISA’s paper outlines changes which adapt, extend or clarify the previous set of regulations:

  • The scope of regulations will extend to cover OTT services such as Gmail and WhatsApp.
  • A new definition of security, security incidents and security measures is now provided.
  • Service providers will have to implement state-of-the-art measures, as well as encryption and end-to-end encryption “when needed”.
  • Service providers will have to promote encryption and encryption software, and inform subscribers about threats.
  • The new rules clarify incident notification parameters, specifying factors of significance.
  • The new rules promote cross-authority support between authorities for electronic communications, national CSIRT and national authorities for the NIS Directive and data protection.
  • National telecoms authorities are to be given the power to mandate that providers should take measures to mitigate significant threats and impose a time-limit on the implementation of those measures (even before actual incidents occur).

ENISA says that this means three things need to happen. Firstly, the existing security measures framework needs to be reviewed and updated to reflect state-of-the-art, good practices and new provisions. Secondly, a common threshold and reporting model for incident notification should be developed, and should incorporate OTT services. Thirdly, a common approach to cross-border security supervision will be introduced.
ENISA will work with the industry body for European regulators, BEREC, to achieve these aims.

  1. […] not just the EU that’s working on a new set of rules for cybersecurity (see ENISA outlines new cybersecurity rules for service providers and OTTs). The UK’s DCMS (Department of for Culture, Media and Sport) has now outlined a set of […]