
Necessary or premature? The NIS 2 Directive from the perspective of the telecommunications sector

Notwendig oder übereilt? Die NIS 2 Richtlinie aus Sicht des Telekommunikationssektors

International Cybersecurity Law Review

Abstract

A high level of cybersecurity is a core interest of the telecommunications sector and a basic requirement for customers' trust in the use of its services. A high cybersecurity standard in the telecom sector is also a precondition for the cyber-resilience of other critical infrastructure operators that rely on those services. The sector has therefore been subject to specific cybersecurity obligations under the Telecom Framework Directive (TFD) since before the NIS Directive. That legal framework was only recently updated in the European Electronic Communications Code (EECC), which is still being transposed into Member State law. In addition, the EU Commission's 5G Toolbox introduced further sector-specific obligations for mobile network operators. The draft Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) abandons this sector-specific approach and aims to harmonise cybersecurity standards across all critical infrastructure sectors, including the telecom sector. This article examines the need for such harmonisation and the key challenges the NIS 2 Directive would create for the telecom sector, and ultimately seeks to answer the question of whether the NIS 2 Directive would indeed contribute to a higher cybersecurity standard in the telecom sector.


Notes

  1. Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services (‘Better Regulation Directive’).

  2. Based on the definitions in Article 2(a) and (c) TFD, these terms covered both traditional telecommunication service providers and internet access service providers, but not over-the-top services such as webmail or messenger services.

  3. Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (‘Cookie Directive’).

  4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation—GDPR’).

  5. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.

  6. After the entry into force of the EECC it was renamed European Competent Authorities for Secure Electronic Communications (‘ECASEC’).

  7. ECASEC Expert Group portal <https://resilience.enisa.europa.eu/article-13> (accessed 27 July 2021).

  8. See for example: ISPA—Internet Service Providers Austria, ‘Sicherheitskonzept (Mustervorlage) für Betreiber öffentlicher Kommunikationsnetze und -dienste‘ (2013) <https://www.ispa.at/wissenspool/vorlagen/ispa-mustersicherheitskonzept/> (accessed 27 July 2021).

  9. Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code.

  10. Recital 91 EECC.

  11. European Commission, ‘Commission opens infringement procedures against 24 Member States for not transposing new EU telecom rules’ (4 February 2021) <https://ec.europa.eu/commission/presscorner/detail/en/IP_21_206> (accessed 27 July 2021).

  12. NIS Cooperation Group, ‘Cybersecurity of 5G networks EU Toolbox of risk mitigating measures’ (2020) <https://digital-strategy.ec.europa.eu/en/library/cybersecurity-5g-networks-eu-toolbox-risk-mitigating-measures> (accessed 27 July 2021).

  13. Ibid. SM03.

  14. European Commission, ‘Communication on the secure 5G deployment in the EU—Implementing the EU toolbox’ COM(2020) 50 final.

  15. European Commission, ‘Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union—COM(2013) 48 final’ Recital 23, 24.

  16. Article 1 (3) NIS Directive.

  17. European Commission, ‘Explanatory Memorandum to the Proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’, 5.

  18. Ibid.

  19. Proposal for a Regulation on digital operational resilience for the financial sector (COM(2020) 595 final).

  20. Recital 13 Draft NIS 2 Directive.

  21. See also Proposal for a Regulation on digital operational resilience for the financial sector, Recital 17.

  22. Recital 9 Draft NIS 2 Directive.

  23. European Commission, ‘Impact assessment report accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’ COM(2020) 823 final 75, 79.

  24. Ibid. 61, 63.

  25. ENISA Technical Guideline on Incident Reporting under the EECC, 6.2.4., March 2021 <https://www.enisa.europa.eu/publications/enisa-technical-guideline-on-incident-reporting-under-the-eecc> (accessed 9 August 2021).

  26. See for example the Austrian Telecom Network Security Ordinance 2020 (Telekom-Netzsicherheitsverordnung 2020) <https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20011212> (accessed 13 August 2021).

  27. Article 4(7) of the draft NIS 2 Directive refers to Article 2(8) of Regulation (EU) 2019/881.

  28. Nikki Ralston, ‘Flubot Threat Bulletin—Allot blocks over 140M C&C connection attempts’ (Security Boulevard 26 May 2021) <https://securityboulevard.com/2021/05/flubot-threat-bulletin-allot-blocks-100m-cc-connection-attempts/> (accessed 10 August 2021).

  29. See e.g. ENISA Guideline on Security Measures under the EECC, 4th Edition, July 2021 <https://www.enisa.europa.eu/publications/guideline-on-security-measures-under-the-eecc/> (accessed 8 August 2021).

  30. See e.g. 3rd Generation Partnership Project (3GPP) ‘Technical Specifications 33 (TS 33) and 35 (TS 35)’ <https://www.3gpp.org/DynaReport/33-series.htm> and <https://www.3gpp.org/DynaReport/35-series.html> (accessed 13 August 2021).

  31. European Parliament Committee on Industry, Research and Energy, ‘Amendments to the draft report on a proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’ <https://www.europarl.europa.eu/doceo/document/ITRE-AM-693680_EN.pdf> and <https://www.europarl.europa.eu/doceo/document/ITRE-AM-693723_EN.pdf> (accessed 27 July 2021).

  32. Article 32 GDPR.

  33. See e.g. ISO/IEC 27001:2013, Annex A, control A.13.2.1.

  34. Matthew Olsen, Bruce Schneier, Jonathan Zittrain ‘Don’t Panic. Making Progress on the ‘Going Dark’ Debate’ (2016) Harvard University Berkman Center for Internet & Society, 1.

  35. Peter Swire, Kenesa Ahmad ‘Encryption and Globalization’ (2012) 13 The Columbia Science and Technology Law Review 416, 435.

  36. Ibid.

  37. Although there are new solutions being proposed. See e.g. the proposal by Justine Sherry, Chang Lan, Raluca Popa, Sylvia Ratnasamy ‘BlindBox: Deep Packet Inspection over Encrypted Traffic’ (2015) 45 ACM SIGCOMM Computer Communication Review 4, 213.

  38. A prominent example is the WannaCry and NotPetya attacks of 2017, both of which used EternalBlue, an exploit for a vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144) that the NSA had discovered and kept secret from Microsoft until shortly before the exploit was leaked in 2017.

  39. George Barker, William Lehr, Mark Loney and Douglas Sicker ‘The Economic Impact of Laws that Weaken Encryption’ (2021) Law and Economics Consulting Associates (LECA) 39.

  40. See e.g. Council of the European Union, ‘Council Resolution on Encryption—Security through encryption and security despite encryption’ 12863/20.

  41. Orin Kerr, Bruce Schneier ‘Encryption Workarounds’ (2018) 106 Georgetown Law Journal 989.

Corresponding author: Andreas Gruber.


Cite this article

Gruber, A., Ségur-Cabanac, N. Necessary or premature? The NIS 2 Directive from the perspective of the telecommunications sector. Int. Cybersecur. Law Rev. 2, 233–243 (2021). https://doi.org/10.1365/s43439-021-00035-6
