Article 13a Expert Group portal

This is the workspace for the Article 13a Expert Group. The Article 13a guidelines for NRAs, developed by the expert group, can be downloaded here.

Background

In 2010, ENISA, the European Commission (EC), Ministries and Telecommunication National Regulatory Authorities (NRAs) initiated a series of meetings (workshops, conference calls) to support a harmonized implementation of Article 13a. A harmonized implementation of the Article 13a provisions on security measures and incident reporting is important to allow a level playing field across the EU-wide telecom market, and to simplify compliance for telecom providers operating across national borders.

The primary objectives of the Article 13a expert group are:

  • Involve all EU member states in an open discussion about Article 13a, to discuss implementation, share knowledge and exchange views.
  • Agree and implement a reporting scheme between ENISA, the EC, and the telecom regulators in the member states, for ad-hoc reporting of cross-border incidents and annual summary reporting, as described in paragraph 3 of Article 13a.
  • Support NRAs across the EU member states with the supervision and implementation of Article 13a, i.e. the national incident reporting scheme, the assessment of risks by providers, and the appropriate security measures which have to be taken by providers, as described in paragraphs 1, 2 and 3 of Article 13a.

The expert group developed technical guidelines for NRAs on incident reporting, security measures, and threats and assets. The technical guidelines are public and can be accessed using the links below.

Technical guidelines

ENISA, in collaboration with the experts in the Article 13a Expert Group, has drafted technical guidelines for NRAs about the technical implementation of Article 13a. These technical guidelines have been drafted in consensus with all the experts in the group. ENISA has consulted experts from the telecom sector on drafts of the relevant guidelines, sometimes directly, sometimes via the NRAs.

Article 13a basically asks providers to perform three security activities: 1. assess risks, 2. take appropriate security measures, and 3. report about significant security incidents. The three processes are depicted in the triangle below. 

 

The three technical guidelines address these three processes. These guidelines are updated frequently, in collaboration with the NRAs. The latest versions can be found at the following links: 

Note that the Article 13a guideline on security measures is now subsumed by the Technical Guideline on Security Measures in Article 4 and Article 13a.

Note that these Article 13a guidelines should not be confused with other ENISA papers on resilience and security of networks and services, which contain specific recommendations about specific topics (such as power supply dependencies, national roaming, ICT procurement, protection of underground cables, etc.). The technical guidelines produced by the Article 13a expert group carry a logo on the cover (see picture at the top of this page) which is a word cloud of the most frequently used words in the legal text of Article 13a.

Note that the guideline on security measures is based on an intermediate shortlist of information security standards which are used in the telecom sector.

Legal background

Complete EU legal framework for electronic communications (incorporating the 2009 reforms)

Article 13a can be found on page 55.

Contact us

For any questions or remarks, please contact us by email at resilience [at] enisa [dot] europa [dot] eu