
Telco related activities in ENISA

Presentation transcript:

1 Telco related activities in ENISA
Dr. Dan Tofan | Art. 13a meeting, Vienna

2 Art. 13a - Incident Reporting for the Telecom Sector
Article 13a of the Framework Directive (2009/140/EC) addresses the security and integrity of public electronic communications networks and services (availability of the service).

Art. 13a related activities:
- Active Expert Group with all NRAs (EU and EFTA) and the EC
- Non-binding technical guidelines (strong adoption among MS)
- 7 years of annual reporting from telecoms to NRAs and then to ENISA and the EC

Incident reporting schemes have improved resilience and security in the EU telecoms sector. An example is Article 13a, which addresses the security and integrity of public electronic communications networks and services. ENISA has supported this regulatory framework since 2011 by publishing reports about significant incidents and outages across the EU.

3 Art. 13a incidents in Telecom
Article 13a of Directive (2009/140/EC) addresses the security and integrity of public electronic communications networks and services (availability of the service). Every country submits yearly to the EC and ENISA a report of significant incidents that had an impact on its networks and services. ENISA analyses the incidents, publishes statistics and investigates the root causes.
Incident reporting in EU | Dan Tofan

4 Incidents per root cause category (percentage)

5 Some of our work
- Technical Guideline on Incident Reporting
- Technical Guideline on Security Measures
- Technical Guideline on Threats and Assets
- Impact evaluation on the implementation of the Article 13a incident reporting scheme within the EU
- Analysis of security measures deployed by e-communication providers
- Interconnect security study (2018)

6 New Telecom Code (I) – Security Art. 40-14
Objectives:
- Ensure a high level of security of networks and services
- Ensure external coherence with the NISD, GDPR and ePD

Main changes:
- Security requirements apply to number-independent interpersonal communication services (ICS)
- A comprehensive definition of security (confidentiality, integrity, availability and authenticity)
- Reinforced cooperation obligations
- Full consistency with the NISD

Security requirements apply to number-independent ICS: Citizens should be able to rely on secure communications, irrespective of the technological means used. Today, security rules apply only to traditional telecom companies. Given the growing importance of number-independent interpersonal communications services (such as VoIP (e.g., Skype), webmail (e.g., Gmail) and Internet messaging (WhatsApp)), it is necessary to ensure that they are also subject to appropriate security requirements in accordance with their specific nature and economic importance. Providers of such services should thus ensure a level of security commensurate with the degree of risk posed to the security of the electronic communications services they provide. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk for such services can be considered in some respects lower than for traditional electronic communications services. Therefore, whenever it is justified by the actual assessment of the security risks involved, the security requirements for number-independent interpersonal communications services should be lighter. This approach is in line with the principle of proportionality and with the approach used in the NISD with regard to security obligations applying to the so-called Digital Service Providers (e.g. cloud service providers) as opposed to providers of essential services.

A comprehensive definition of security encompassing confidentiality, integrity and availability: the current text does not contain a definition of security. The Directive has therefore been implemented differently, with many MS applying a restrictive notion of security, limited to guaranteeing the availability of the service in case of technical disruption. The new text introduces a definition encompassing all relevant dimensions of electronic communications security, i.e. confidentiality (information is not accessed by unauthorised persons), integrity (information is not altered, damaged or manipulated) and availability (the service remains available). This definition is compatible with the one used in the NISD.

Reinforced cooperation obligations: the proposal introduces an obligation for competent authorities to consult and cooperate with law enforcement, NIS and data protection authorities. Moreover, in order to face the growing risks related to cybersecurity, it empowers competent authorities to rely on technical assistance from CSIRTs (computer security incident response teams), i.e. NIS bodies with cybersecurity expertise.

Full consistency with the NISD:
- No overlap: ECN and ECS are not subject to NISD rules
- Substantive rules are fully aligned: security obligations are very similar, if not identical; same definition of security; light-touch approach for providers of digital services (OTTs)
- Identical approach with regard to the relationship with data protection laws: security rules are without prejudice to data protection rules

7 New Telecom Code (II) – Security Art. 40-14
Updates to the security part: Art. 2(22) - 'security' of networks and services means the ability of electronic communications networks and services to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or the related services offered by, or accessible via, those networks or services.
Updates from ENISA | Dan Tofan

8 New Telecom Code (III) – Security Art. 40-14
Updates to the security part:
- Incident notification: a breach of security that has had a significant impact on the operation of networks or services.
- Delegated acts can follow on the formats and procedures applicable to notification requirements.
- Member States shall ensure that the competent authorities have the power to obtain the assistance of CSIRTs (national, or the one responsible for telecom).
- Parliament proposal: ENISA shall assist Member States in coordinating the measures taken, to avoid duplication or diverging requirements that may create security risks and barriers to the internal market.

9 New Telecom Code (IV) – Security Art. 40-14
Parameters to be used in determining significant incidents:
(a) the number of users affected by the breach;
(b) the duration of the breach;
(c) the geographical spread of the area affected by the breach;
(d) the extent to which the functioning of the service is disrupted;
(e) the impact on economic and societal activities.
Those in bold are already in use.

10 What are we working on
- Defining the scope, merely the approach for OTTs
- Comprehensive definitions: security, incident, CIAA
- Definition of the parameters
- Threshold proposals
Those in bold are already in use.

11 Thank you
