ECASEC Expert Group portal
This is the workspace for ECASEC, the Article 40 (formerly Article 13a) Expert Group. Below you can find a history of the group and the latest versions of the Article 13a guidelines. Members of the group use this space to access dedicated tools, the reporting tool, the issue tracker, drafts under consultation, etc.
Background
In 2009 Article 13a was introduced as part of the Telecoms Framework directive. Article 13a requires EU Member States to ensure that providers take appropriate security measures to protect the security and integrity of telecom networks and services.
In 2010, ENISA, the European Commission (EC), Ministries and Telecommunication National Regulatory Authorities (NRAs) initiated a series of meetings (workshops, conference calls) to support a harmonized implementation of Article 13a. This group has grown and matured over the years and is known as the ENISA Article 13a expert group.
A harmonized implementation of the Article 13a provisions on security measures and incident reporting is important to allow a level playing field across the EU-wide telecom market, and to simplify compliance for telecom providers operating across national borders.
The primary objectives of the ENISA Article 13a expert group are:
- Involve all EU member states in an open discussion about Article 13a, to discuss implementation details, share knowledge and exchange views.
- Agree and implement a reporting scheme between ENISA, the European Commission, and the authorities for telecom security, for ad-hoc reporting about cross-border incidents and the annual summary reporting (paragraph 3 of Article 13a).
- Support the EU member states with the national supervision of Article 13a, i.e. the national incident reporting scheme, ensuring that providers assess security risks and take the appropriate security measures (paragraphs 1 and 2 of Article 13a).
The detailed terms of reference of the group can be found here: Terms of reference of the Article 13a Expert Group
ENISA together with the Article 13a Expert Group drafted technical guidelines for authorities, about the technical implementation of Article 13a. These technical guidelines carry the consensus of all the experts in the group. Consultation with the private sector, about drafts, takes place via the national telecom security authorities.
Article 13a basically asks providers to perform three activities: 1. assess risks, 2. take appropriate security measures, and 3. report about significant security incidents. The three processes are depicted in the triangle below. Cybersecurity supervision under the NIS Directive (Article 14/16) and under eIDAS (Article 19) is based on the same triangle.
The group adopted 3 Article 13a guidelines. The latest versions can be found at the following links:
- Article 13a Technical Guideline on Incident Reporting: The reporting guideline defines an EU-wide reporting framework for telecom security incidents. It is the basis for the (current) practical implementation of cross-border and annual summary reporting.
- Article 13a Technical Guideline on Security Measures: The security measures guideline contains a baseline of telecom security measures. These measures should be considered by authorities when assessing compliance of providers with Article 13a. It is used by most EU Member States as a basis for national secondary legislation or national guidance. These security measures were derived from existing international standards, an agreed shortlist, commonly used in the telecom sector.
- Article 13a Technical Guideline on Threats and Assets: The threats and assets guideline provides a common dictionary of relevant threats and assets. It supports the incident reporting framework and can be used to evaluate the completeness of risk assessments performed by telecom providers.
Other publications produced by ENISA in collaboration with the Article 13a group
Every year ENISA publishes an annual report which aggregates the data about telecom security incidents reported across the EU. The latest is the annual report telecom security incidents 2019.
Based on trends, issues, discussion with authorities, ENISA selects and dives into specific topics, typically 1-2 times per year. This often results in the publication of short technical papers on specific topics relevant for resilience and security of networks and services, such as security exceptions in the net neutrality rules, BGP security, security in signalling (SS7, Diameter), power supply dependencies, national roaming, protection of underground cables, and so on. Sometimes a deep-dive results just in an internal working paper or a technical presentation for the Article 13a group. Please use the ENISA website for a full overview of ENISA publications on telecom security.
Incident reporting tool CIRAS
To support the Member States with the implementation of Article 13a cross-border and annual summary reporting, ENISA developed an incident reporting tool which can be used by the national authorities.
The tool is accessible at https://resilience.enisa.europa.eu/ciras. If you are an expert working at a national telecom security authority tasked with reporting incidents and you need access, please contact us at resilience@enisa.europa.eu.
For the public we provide detailed information about reported incidents in the ENISA visual tool for reported incidents at the ENISA website. Data Privacy Statement for the reporting tool - CIRAS
Policy context
For easy reference, here is a link to the complete EU legal framework for electronic communications, which incorporates the 2009 reform. Article 13a can be found on page 55.
From the end of 2020 the EECC (Article 40) will replace Article 13a. The new EU telecom security rules in Article 40 of the EECC are largely a continuation of the approach under Article 13a. The EECC can be accessed here.
In 2019 ENISA published a paper that explains the main changes in security supervision under the EECC, with respect to Article 13a.
Contact us - For any questions or remarks please contact us via email to resilience@enisa.europa.eu