In 2010, ENISA, the European Commission (EC), Ministries and Telecommunication National Regulatory Authorities (NRAs) initiated a series of meetings (workshops, conference calls) to support a harmonized implementation of Article 13a. A harmonized implementation of the Article 13a provisions on security measures and incident reporting is important to allow a level playing field across the EU-wide telecom market, and to simplify compliance for telecom providers operating across national borders.
The primary objectives of the Article 13a expert group are:
- Involve all EU member states in an open discussion about Article 13a, to discuss implementation, share knowledge and exchange views.
- Agree and implement a reporting scheme between ENISA, the EC, and the telecom regulators in the member states, for ad-hoc reporting of cross-border incidents and annual summary reporting, as described in paragraph 3 of Article 13a.
- Support NRAs across the EU member states with the supervision and implementation of Article 13a, i.e. the national incident reporting scheme, the assessment of risks by providers, and the appropriate security measures which have to be taken by providers, as described in paragraphs 1, 2 and 3 of Article 13a.
The expert group developed technical guidelines for NRAs on incident reporting, security measures and threats and assets. The technical guidelines are public and can be accessed using the links below.
ENISA, in collaboration with the experts in the Article 13a Expert Group, has drafted technical guidelines for NRAs about the technical implementation of Article 13a. These technical guidelines have been drafted in consensus with all the experts in the group. ENISA has consulted experts from the telecom sector on drafts of the relevant guidelines, sometimes directly, sometimes via the NRAs.
Article 13a basically asks providers to perform three security activities: 1. assess risks, 2. take appropriate security measures, and 3. report about significant security incidents. The three processes are depicted in the triangle below.
The three technical guidelines address these three processes. These guidelines are updated frequently, in collaboration with the NRAs. The latest versions can be found at the following links:
- Article 13a Technical Guideline on Incident Reporting: Defines a cross-EU reporting framework and explains different approaches to setting up a national incident reporting process.
an intermediate shortlist of information security standards which are used in the telecom sector.
Article 13a can be found on page 55.
For any questions or remarks please contact us via email to resilience [at] enisa [dot] europa [dot] eu