Presentation is loading. Please wait.

Presentation is loading. Please wait.

Telco related activities in ENISA

Published bySuhendra Tanudjaja Modified over 6 years ago

Similar presentations

Presentation on theme: "Telco related activities in ENISA"— Presentation transcript:

1 Telco related activities in ENISA
Dr. Dan Tofan| Art. 13a meeting Vienna

2 Art.13a - Incident Reporting for the Telecom Sector
Article 13a of the Framework Directive (2009/140/EC), addresses security and integrity of public electronic communications networks and services (availability of the service). Art. 13a related activities: Active Expert Group with all NRAs (EU and EFTA) & EC Non-binding technical guidelines (strong adoption among MS) 7 years of annual reporting from Telecoms to NRAs and then to ENISA and EC Incident reporting schemes have improved resilience and security in the EU telecoms sector. An example is Article 13a, which addresses security and integrity of public electronic communication networks and services. ENISA is supporting this regulatory framework since 2011 by publishing reports about significant incidents and outages across the EU.

3 Art. 13a incidents in Telecom
Article 13a of Directive (2009/140/EC) addresses the security and integrity of public electronic communications networks and services (availability of the service). Every country submits yearly to EC and ENISA a report with significant incidents that had an impact on their networks and services. ENISA analyses the incidents, published statistics and investigates the root causes. Incident reporting in EU | Dan Tofan

4 Incidents per root cause category (percentage)

5 Some of our work Technical Guideline on Incident Reporting
Technical Guideline on Security Measures Technical Guideline on Threats and Assets Impact evaluation on the implementation of Article 13a incident reporting scheme within EU Analysis of security measures deployed by e-communication providers Interconnect security study (2018) Incident reporting in EU | Dan Tofan

6 New Telecom Code (I) – Security Art. 40-14
Objectives Ensure high-level of security of networks and services Ensure external coherence with NISD, GDPR and ePD Main changes Security requirements apply to number-independent interpersonal communication services (ICS) A comprehensive definition of security (confidentiality, integrity, availability and authenticity) Reinforced cooperation obligations Full consistency with NISD. Security requirements apply to number-independent ICS: Citizens should be able to rely on secure communications, irrespective of the technological means used. Today, security rules apply only to traditional telecom companies. Given the growing importance of number-independent interpersonal communications services (such as VoIP (e.g., Skype) webmail (e.g., Gmail), Internet messaging (Whatsapp), it is necessary to ensure that they are also subject to appropriate security requirements in accordance with their specific nature and economic importance. Providers of such services should thus ensure a level of security commensurate with the degree of risk posed to the security of the electronic communications services they provide. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk for such services can be considered in some respects lower than for traditional electronic communications services. Therefore, whenever it is justified by the actual assessment of the security risks involved, the security requirements for number-independent interpersonal communications services should be lighter. This approach is in line with the principle of proportionality and in line with the approach used in the NISD with regard to security obligations applying to the so-called Digital Service Providers (e.g. cloud service providers) as opposed to providers of essential services. A comprehensive definition of security encompassing confidentiality, integrity and availability: the current text does not contain a definition of security. The Directive has therefore been implemented differently, with many MS applying a restrictive notion of security, limited to the guarantee of availability of the service in case of technical disruption. The new text introduced a new definition encompassing all relevant dimensions of electronic communications security, i.e. confidentiality (info is not accessed by unauthorised persons), integrity (info is not altered, damaged, manipulated); and availability (the service remains available). This definition is compatiblle with the one used in the NISD. Reinforced cooperation obligations: the proposal introduces an obligation for competent authorities to consult/cooperate with law enforcement, NIS and DP authorities. Moreover, in order to face the growing risks related to cybersecurity, it empowers competent authorities to rely on technical assistance from CSIRTs (computer security incident response teams), ie NIS bodies with cybersecurity expertise. Full consistency with NISD No overlap: ECN and ECS are not subject to NISD rules Substantive rules are fully aligned: security obligations are very similar, if not identical; same definition of security; light-touch approach for providers of digital services (OTTs) Same definition of security Identical approach with regard to relationship with data protection laws: security rules are without prejudice to data protection rules.

7 New Telecom Code (II) – Security Art. 40-14
Updates to the security part: Art. 2(22) - ‘security’ of networks and services means the ability of electronic communications networks and services to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those networks or services. Updates from ENISA | Dan Tofan

8 New Telecom Code (III) – Security Art. 40-14
Updated to the security part: Incident notification: breach of security that has had a significant impact on the operation of networks or services. Delegated acts can follow on formats and procedures applicable to notification requirements. Member States shall ensure that the competent authorities have the power to obtain the assistance of CSIRTS (national or the one responsible for TELECOM). Parliament proposal: ENISA shall assist Member States in coordinating the measures taken to avoid duplication or diverging requirements that may create security risks and barriers to the internal market. Updates from ENISA | Dan Tofan

9 New Telecom Code (IV) – Security Art. 40-14
Parameters to be used in determining significant incidents: (a) the number of users affected by the breach; (b) the duration of the breach; (c) the geographical spread of the area affected by the breach; (d) the extent to which the functioning of the service is disrupted; (e) the impact on economic and societal activities. Bold ones already in use; Updates from ENISA | Dan Tofan

10 What are we working on Defining the scope, merely the approach for OTTs Comprehensive definitions: security, incident, CIAA. Definition of the parameters Threshold proposals. Bold ones already in use; Updates from ENISA | Dan Tofan

11 Thank you

Download ppt "Telco related activities in ENISA"

Similar presentations

Transparency and Domestic Regulation Mina Mashayekhi Division on International Trade UNCTAD.

Transparency and Domestic Regulation Mina Mashayekhi Division on International Trade UNCTAD.
Critical Infrastructure Protection Policy Priorities Sara Pinheiro European Commission DG Home Affairs.

Critical Infrastructure Protection Policy Priorities Sara Pinheiro European Commission DG Home Affairs.
Net Neutrality, What Else? Wim Nauwelaerts Partner Hunton & Williams.

Net Neutrality, What Else? Wim Nauwelaerts Partner Hunton & Williams.
National implementation of REMIT Henrik Nygaard, Wholesale and transmission (DERA)

National implementation of REMIT Henrik Nygaard, Wholesale and transmission (DERA)
1 Reform of the EU regulatory framework for electronic communications What it means for Access to Emergency Services Reform of the EU regulatory framework.

1 Reform of the EU regulatory framework for electronic communications What it means for Access to Emergency Services Reform of the EU regulatory framework.
EU: Bilateral Agreements of Member States

EU: Bilateral Agreements of Member States
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
Regulatory Body MODIFIED Day 8 – Lecture 3.

Regulatory Body MODIFIED Day 8 – Lecture 3.
European Commission Enterprise and Industry Market surveillance and automotive type-approval legislation - 28/06/2012 | ‹#› WP.29 Enforcement Working Group.

European Commission Enterprise and Industry Market surveillance and automotive type-approval legislation - 28/06/2012 | ‹#› WP.29 Enforcement Working Group.
ENVIRONMENTAL LIABILITY IN GREECE THE LEGAL FRAMEWORK & THE ROLE OF FINANCIAL GUARANTEES/ INSURANCE PRODUCTS TO COVER OPERATORS’ RESPONSIBILITIES UNDER.

ENVIRONMENTAL LIABILITY IN GREECE THE LEGAL FRAMEWORK & THE ROLE OF FINANCIAL GUARANTEES/ INSURANCE PRODUCTS TO COVER OPERATORS’ RESPONSIBILITIES UNDER.
Data protection at Eurojust: a robust, effective and tailor-made regime Diana ALONSO BLAS, LL.M. Head of the DP Service/Data Protection Officer.

Data protection at Eurojust: a robust, effective and tailor-made regime Diana ALONSO BLAS, LL.M. Head of the DP Service/Data Protection Officer.
Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October 2012 1.

Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October
Dr Sharon Azzopardi. k What is Convergence? A Union of Media Print Television Camera Telephone Radio Internet A Union of Services Data Voice Video.

Dr Sharon Azzopardi. k What is Convergence? A Union of Media Print Television Camera Telephone Radio Internet A Union of Services Data Voice Video.
Health and Safety Executive Health and Safety Executive Competent Authority & Data Reporting HSE/DECC Consultation Events - Spring 2014 EU Offshore Directive.

Health and Safety Executive Health and Safety Executive Competent Authority & Data Reporting HSE/DECC Consultation Events - Spring 2014 EU Offshore Directive.
Compliance with IOSCO requirements AMEDA Leadership Forum Alexandria Egypt Monday 27 th April 2009 by Dr. Ashraf EL Sharkawy Senior Advisor to the CMA.

Compliance with IOSCO requirements AMEDA Leadership Forum Alexandria Egypt Monday 27 th April 2009 by Dr. Ashraf EL Sharkawy Senior Advisor to the CMA.
The New EU Directives Oftel Forum 25/04/02 Heather Clayton.

The New EU Directives Oftel Forum 25/04/02 Heather Clayton.
FAQs about the new regulatory framework Lucy Rhodes

FAQs about the new regulatory framework Lucy Rhodes
European Commission Rita L’ABBATE Legal aspects linked to internal market DG Enterprise and Industry MARKET SURVEILLANCE COMMUNITY FRAMEWORK UNECE “MARS”

European Commission Rita L’ABBATE Legal aspects linked to internal market DG Enterprise and Industry MARKET SURVEILLANCE COMMUNITY FRAMEWORK UNECE “MARS”
The Notification Procedure of national telecoms markets Pál Belényesi 27 October 2006.

The Notification Procedure of national telecoms markets Pál Belényesi 27 October 2006.
THE NEW DIMENSIONS OF THE EUROPEAN PUBLIC PROCUREMENT POLICY Christian SERVENAY DG MARKT/Unit C1.

THE NEW DIMENSIONS OF THE EUROPEAN PUBLIC PROCUREMENT POLICY Christian SERVENAY DG MARKT/Unit C1.

Similar presentations

Ads by Google