ECASEC Expert Group portal

This is the workspace for ECASEC, the Article 40 (formerly Article 13a) Expert Group. Below you can find a history of the group and the latest versions of the Article 13a guidelines. Members of the group use this space to access dedicated tools, the reporting tool, the issue tracker, drafts under consultation, etc.

ECASEC Background

In December 2018, a new set of telecom rules called the European Electronic Communications Code (abbreviated as EECC) was adopted.

The EECC updates the EU telecom package of 2009 and paves the way for the roll-out of fibre, very high capacity networks and next-generation mobile networks (5G), which will create jobs and growth and enable new application scenarios, such as the internet of things (IoT), and new business models.

EU countries had to transpose this EU directive into national law by 21 December 2020.

Article 40 of the EECC, which replaces the above-mentioned Article 13a, contains detailed security requirements for electronic communication providers. Article 41 of the EECC, which replaces Article 13b of the Framework directive, outlines how competent authorities can enforce these security requirements. Although the security requirements under the EECC are similar to the security requirements under the Framework directive, there are important differences.

An overview of the main differences can be found in the ENISA paper "Security supervision under the EECC".

As with Article 13a, ENISA will support the EU Member States with the implementation of Article 40 of the EECC, to ensure there is an effective, efficient, and harmonized approach to security supervision across the EU.

To reflect this legislative change, the Article 13a group has changed its name to ECASEC, European Competent Authorities for Secure Electronic Communications.

The primary objectives of the ENISA ECASEC expert group are:

  • to agree on the technical and organisational measures for an efficient and effective implementation of the relevant provisions of Articles 40 and 41 of the EECC and, as of October 2024, of the provisions of the NIS 2 directive that pertain to telecom security, incident reporting and supervision of electronic communications providers,
  • to facilitate voluntary exchange of information between experts of National Competent Authorities, including on security threats, security incidents, lessons learned, standards, good practices and tools,
  • to facilitate review and provide input on ENISA papers.

Meetings are held 3 times per year and are hosted by a different national authority each time, to spread traveling costs and time equally.

The group is chaired by full members. The current chair is Ahmet Yesilyurt, representing the Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen of Germany. The group also has 2 vice-chairs, Mrs Željka Kardum Ban from HAKOM, Croatia and Mr. Vassilis Stathopoulos from ADAE, Greece.

ENISA supports the group with logistics, technical advice and drafting, and acts as secretariat. Contact the secretariat (ENISA) at: Secretariat_Article13EG@enisa.europa.eu

The Terms of Reference of the ECASEC EG can be found here 

 

Article 13a guidelines
 

ENISA together with the Article 13a Expert Group drafted technical guidelines for authorities, about the technical implementation of Article 13a. These technical guidelines carry the consensus of all the experts in the group. Consultation with the private sector, about drafts, takes place via the national telecom security authorities. 

Article 13a basically asks providers to perform three activities: 1. assess risks, 2. take appropriate security measures, and 3. report about significant security incidents. The three processes are depicted in the triangle below. Cybersecurity supervision under the NIS Directive (Article 14/16) and under eIDAS (Article 19) is based on the same triangle.

 

The group adopted several guidelines. The latest versions can be found at the following links: 

    • Technical Guideline on Incident Reporting under the EECC: The reporting guideline defines an EU-wide reporting framework for telecom security incidents. It is the basis for the (current) practical implementation of cross-border and annual summary reporting.

 

Other publications produced by ENISA in collaboration with the ECASEC EG

Every year ENISA publishes an annual report which aggregates the data about telecom security incidents reported across the EU. The latest is the annual report telecom security incidents 2021.

Based on trends, issues and discussions with authorities, ENISA selects and dives into specific topics, typically 1-2 times per year. This often results in the publication of short technical papers on specific topics relevant for resilience and security of networks and services, such as eSIM security, security exceptions in the net neutrality rules, BGP security, security in signalling (SS7, Diameter), power supply dependencies, national roaming, protection of underground cables, and so on. Sometimes a deep-dive results just in an internal working paper or a technical presentation to the group. Please use the ENISA website for a full overview of ENISA publications on telecom security.

 

Incident reporting tool CIRAS

To support the Member States with the implementation of Article 13a cross-border and annual summary reporting, ENISA developed an incident reporting tool which can be used by the national authorities.

The tool is accessible at Incident reporting — CIRAS (europa.eu). If you are an expert working at a national telecom security authority tasked with reporting incidents and you need access, please contact us at resilience@enisa.europa.eu.

For the public we provide detailed information about reported incidents in the ENISA visual tool for reported incidents on the ENISA website.

Data Privacy Statement for the reporting tool - CIRAS

 

Policy context

For easy reference, here is a link to the complete EU legal framework for electronic communications, which incorporates the 2009 reform. Article 13a can be found on page 55.

From the end of 2020 the EECC (Article 40) replaced Article 13a. The new EU telecom security rules in Article 40 of the EECC are largely a continuation of the approach under Article 13a. The EECC can be accessed here.

In 2019 ENISA published a paper that explains the main changes in security supervision under the EECC, with respect to Article 13a.

 

Contact us - For any questions or remarks please contact us via email to