Cybersecurity in the electronic communications sector in Europe: navigating the digital frontier
Inês Antas de Barros
Vieira de Almeida, Lisbon; Newsletter Officer, Communications Law Committee
Madalena Gomes Cruz
Vieira de Almeida, Lisbon
The advent of the digital age has transformed all spheres of life, and the electronic communications sector in particular. When the European Electronic Communications Code (EECC) enlarged the EU concept of electronic communications by treating number-independent interpersonal communications services (or ‘over-the-top services’) as electronic communications services, the border between these and information society services blurred from a usage perspective, since the conveyance of signals is no longer the distinctive mark of electronic communications. In regulatory terms, however, the line does not blur: the obligations attached to each remain considerably different. All of these services have swiftly become the backbone of modern societies, playing a pivotal role in driving economic growth, fostering social interaction and shaping the evolution of governmental operations.
With this newfound capability, unprecedented security challenges arise, which require the continuous rethinking of the current cybersecurity framework.
Recognising the importance of ensuring security and the specific challenges of the digital age, the EU has been establishing a robust legal framework for cybersecurity, which underwent profound and important changes with the new ‘Cybersecurity Strategy for the Digital Decade’ (the ‘Strategy’), approved on 16 December 2020. The Strategy is divided into three main pillars, which guide the future of cybersecurity in the EU:
- resilience, technological sovereignty and leadership: covering cybersecurity by design and increased guarantees for all relevant stakeholders within the supply chain, this pillar includes, among other actions, the review of the current legal framework for cybersecurity;
- building operational capacity to prevent, deter and respond: addressing cyber incidents and attacks, this pillar aims to empower states and citizens to prevent and tackle cyberattacks and cybercrime, through a European crisis management framework and a reinforcement of synergies between the civil, defence and space industries; and
- advancing a global and open cyberspace: implementing a vision of cyberspace based on the rule of law and on the core human values and rights enshrined in the EU framework, by promoting the adoption of international standardisation processes and expanding the EU’s dialogue with other countries.
With particular impact on the electronic communication sector, due to the unprecedented potential of 5G technology to revolutionise the digital world (paired with the escalating challenges it poses to the existing cybersecurity landscape), the EU took a significant step by establishing the ‘EU toolbox for 5G security’ (the ‘EU Toolbox’) (part of the first pillar of the Strategy). The EU Toolbox forms a critical part of the EU’s legal approach to managing cyber threats in the 5G era.
This article aims to highlight the impact of the cybersecurity framework on the electronic communications sector and to support the discussion on identifying the measures that the sector is required to implement to ensure compliance with the regulatory cybersecurity requirements, in particular considering the legal impacts of the ‘EU Toolbox for 5G Security’.
Digital threats and their impact
A variety of cyberthreats are prevalent today, including data breaches, malware, ransomware, phishing and distributed denial of service (DDoS) attacks. These are not just a threat to the integrity and availability of services, but they also pose a significant risk to the confidentiality of data. Indeed, a successful breach could result in theft of sensitive user information, disruption of communication services, financial losses for providers and users, damage to brand reputation, liability and, in worst-case scenarios, threats to national security.
In an era of Internet of Things (IoT) and 5G networks, the surface for possible attacks has increased exponentially, as the interconnectivity of devices and systems increases the potential points of attack. As such, enhancing cybersecurity has become a paramount concern for the European legislator.
The European legal framework for cybersecurity
The EU has gradually developed a comprehensive cybersecurity legal framework which emphasises trust and security in digital services and in the handling of personal data.
The legal framework focuses on specific areas of cybersecurity, such as network security, information security, incident reporting, and cooperation among Member States.
As the legal puzzle around these topics develops, several trends are identified:
- obligations are stricter and the ability to evidence compliance is key: compliance on its own is not enough, it has to be demonstrated;
- boards will be accountable for cybersecurity choices, weaknesses and training, something that is particularly highlighted under the revised version of the ‘Network and Information Security Directive’ (the ‘NIS2 Directive’);
- authorities will have stronger powers to supervise and inspect compliance with these obligations; and
- sanctions and fines increase, acting as a serious deterrent to any breach.
The existing and future cybersecurity legal framework derives from a complex and intertwined (and not always coordinated) set of legal instruments.
The European Electronic Communications Code (EECC)
Adopted in 2018, the EECC introduced several cybersecurity-related requirements applicable to electronic communications service providers. The EECC imposes stricter obligations on electronic communications service providers to protect their services against security risks and to promptly notify any security breach to the national competent authority. Because all the relevant provisions of the EECC were transposed into national legislation, the applicable regime can vary considerably among Member States, forcing service providers to multiply their efforts across all EU countries. As the NIS2 Directive will also be transposed, this challenge will remain at the core of service providers’ concerns.
However, this regime will be revoked once the NIS2 Directive enters into force, as detailed below. Nevertheless, as the horizontal framework will rely on the EECC definitions of electronic communications service and service provider (for instance, bringing all number-based interpersonal communications services within the scope of the EU rules), the EECC will still shape the regime to come.
The EU toolbox for 5G security
Adopted by the European Commission in January 2020, the EU toolbox for 5G security is part of the EU’s comprehensive approach to secure 5G networks.
The Toolbox outlines key security measures and provides a framework for assessing the risks associated with 5G networks, based on the coordinated risk assessment of 5G network security, which identified nine main risks grouped into five risk scenarios.
The Toolbox lays out a range of security measures aiming to mitigate risks effectively and ensure secure 5G networks are deployed across Europe, setting detailed mitigation plans for each of the identified risks and recommending a set of key strategic and technical measures (to be taken by all Member States and/or by the Commission).
Mitigation measures are grouped into two categories, (1) strategic and (2) technical, with emphasis on the much-discussed obligation to assess the risk profile of suppliers and the possibility of applying restrictions to suppliers considered high-risk for key assets.
Although it is up to the Member States to decide on the specific measures (considering the outline described in the toolbox), the aim is to ensure convergent national approaches for effective risk mitigation across the EU.
However, considering the Second report on Member States’ progress in implementing the EU Toolbox on 5G Cybersecurity, published on 15 June 2023, one must conclude that approaches have differed within the EU (ranging from Member States that have not yet approved any measure to others that have implemented a ban on high-risk vendors), with an important impact on the electronic communications sector.
Directive on Security of Network and Information Systems (NIS Directive)
The NIS Directive, adopted in 2016, is the first piece of EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the EU. It applies to operators of essential services, including entities providing services in the digital infrastructure sector (internet exchange points, domain name system service providers and top-level domain name registries), and digital service providers, which are frequently associated with the electronic communications services.
The NIS Directive mandates that these organisations take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems. It also requires that they report significant cybersecurity incidents to the relevant national authority.
A revised NIS Directive (NIS2) was approved on 16 December 2020. This new version expands the scope of the former NIS Directive to a broader set of players, including the electronic communications sector. The NIS2 Directive, which must be transposed by 17 October 2024, imposes stricter security and reporting requirements, as well as more demanding cyber risk management approaches, thus further strengthening the cybersecurity posture of the EU.
Specifically for the electronic communications sector, this new directive brings a paradigm shift. Cybersecurity was usually addressed within the sector itself, through sector-specific instruments, as established in Chapter III(a) of the revoked Framework Directive (the legal predecessor of the EECC); once the NIS2 Directive enters into force, however, the sector will be covered by the horizontal legal architecture. Additionally, the NIS2 Directive revokes the Security Chapter of the EECC; consequently, the previous sector-specific regime is not merely complemented but entirely replaced. With this transition, key topics such as the notification of security incidents will change, which calls for Member States to engage promptly in the transposition process to avoid loopholes and legal uncertainty.
Directive on the Resilience of Critical Entities
The Directive on the Resilience of Critical Entities (‘RCE Directive’), adopted in 2008, sets out measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular by identifying critical entities providing services in specific sectors (energy and transport) and entities to be treated as equivalent in certain respects, and by enabling them to meet their obligations.
A revised RCE Directive, which entered into force on 16 January 2023 and must be transposed by 17 October 2024, expands its scope of application to cover digital infrastructures (such as providers of internet exchange points, providers of data centre services, providers of public electronic communications networks and cloud computing services).
The new rules aim to strengthen the resilience of critical infrastructure against a range of threats, including natural hazards, terrorist attacks, insider threats and sabotage. The revised version introduces new obligations on entities providing essential services, such as the need to carry out risk assessments; to take appropriate and proportionate technical, security and organisational measures to ensure their resilience, based on the relevant information provided by Member States on the Member State risk assessment and on the outcomes of the critical entity risk assessment; and the obligation to notify the competent authority, without undue delay, of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services.
ePrivacy Directive
The ePrivacy Directive, adopted in 2004 and amended in 2009, applies to the processing of personal data and the protection of privacy in the electronic communications sector.
The ePrivacy Directive requires providers to take appropriate technical and organisational measures, considering the state of the art and the cost of their implementation, to safeguard the security of their services, if necessary in conjunction with the provider of the public communications network with respect to network security.
The 2009 amendment introduced a mandatory notification requirement for personal data breaches, further regulated by the 2013 Commission Regulation on the measures applicable to the notification of personal data breaches. This Regulation details the rules and criteria applicable to the notification of data breaches both to competent national authorities (within 24 hours after the detection of the personal data breach, where feasible) and to subscribers and individuals (when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual). The outcome of the interplay between this Commission Regulation and the NIS2 Directive is still to be understood, as the revised NIS Directive revokes neither the 2013 Commission Regulation nor the ePrivacy provisions relating to it.
General Data Protection Regulation (GDPR)
While not exclusively a cybersecurity legislation, the GDPR has a significant impact on cybersecurity practices within the electronic communications sector due to its stringent rules around data protection.
The GDPR requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which includes protecting systems from cybersecurity threats. In certain circumstances, it also requires them to notify personal data breaches to supervisory authorities within 72 hours after detection (where feasible), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, an evaluation that has to be carried out on a case-by-case basis. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, organisations are also required to communicate the breach to the affected data subjects without undue delay.
EU Cybersecurity Act
The EU Cybersecurity Act, enacted in 2019, has strengthened the mandate of the European Union Agency for Cybersecurity (ENISA) and established an EU-wide cybersecurity certification framework, thus further solidifying the cybersecurity regime in the EU.
The new certification framework will provide EU-wide certification schemes as a coherent set of rules, technical requirements, standards and procedures for specific information and communication technology (ICT)-based products or services. It will attest that ICT products and services certified in accordance with such a scheme comply with specified requirements.
Impact of the EU cybersecurity legal framework
Cybersecurity is not static and, as such, requires constant mapping of legal and regulatory frameworks, best practices and risks, so as to ensure the smooth adaptation of the organisation’s cybersecurity management framework to new threats, technologies and requirements.
The electronic communications sector, given its importance and digital maturity, has been at the forefront of the adoption of cybersecurity and data protection measures, and it is often used as a ‘test’ by lawmakers and regulators for other sectors. It is not surprising, therefore, that requirements continuously approved and identified for this sector are only extended to other sectors at a later stage. Naturally, this practice affects the sector’s organisations, which often must adopt measures that have not yet been stabilised and harmonised, thereby setting a baseline for other sectors and organisations.
As such, the electronic communications sector is continuously on the radar of the legislator and the authorities and, consequently, is required to closely follow any legal initiative in order to prepare its implementation with the least impact on operations and activities.
Without prejudice to the above, and considering the demanding and dispersed legal requirements on cybersecurity, organisations acting in the electronic communications sector must take a proactive approach to cybersecurity that covers all aspects of their activity, adopting appropriate measures, among which we highlight:
- designing their services and products with cybersecurity requirements and threats in mind (cybersecurity by design);
- carrying out a demanding evaluation of third-party vendors with access to information, data and networks (vendor screening and contractual safeguards);
- implementing appropriate technical and security measures considering the assessment of risks carried out periodically;
- carrying out cybersecurity audits;
- implementing internal policies and procedures to ensure cybersecurity compliance and mitigation of legal risks;
- implementing incident response plans, covering all notification requirements and incident evaluation criteria arising from the various legislative instruments applicable to the electronic communications sector; and
- developing cybersecurity training and tests.
The regulation of cybersecurity in Europe derives from a complex and evolving puzzle, which requires in-depth knowledge of all the directives, as well as a holistic and eminently proactive approach to cybersecurity, also considering the governance to come. However, as cybersecurity obligations vary among Member States, additional local challenges are posed for electronic communication service providers operating across multiple jurisdictions.
As such, by incorporating cybersecurity by design, strengthening supply chain security, enhancing international cooperation, and implementing cutting-edge security measures, providers take an important step to mitigate legal and regulatory risks and ensure resilience of the electronic communication sector as a whole. The task is demanding but fundamental in order to allow this sector to realise the full potential of the digital era.