ENISA: Increasing the resilience of Europe’s telecommunication infrastructures through Incident Reporting
February 2016 by ENISA
A recent ENISA report analyses how mandatory incident reporting schemes have improved resilience and security in the EU telecoms sector. Experiences from this scheme can also serve as a model for the implementation of the forthcoming NIS Directive in other sectors.
The first mandatory, EU-wide incident reporting scheme, aimed at ensuring the security and integrity of EU telecommunication networks and services, turned out to be an unparalleled success.
In a European Union which was highly diversified in terms of telecoms security measures, art. 13a of the Framework Directive 2009/140/EU within the Telecom Package, brought a certain amount of uniformity in terms of security of telecommunication services. More importantly it contributed to strengthening the resilience and services availability of the European telecoms infrastructure all across the EU. Improvements were achieved in a balanced way as some Member States had already met requirements set, whereas others felt the benefits that far outpaced costs and effort provided.
The EU incident reporting activities have been developing for four years now, with an annual growth rate of 25-30% in the number of incidents. The consolidated impact evaluation done by ENISA, to measure performance in this period, has brought to light some important findings of the incident reporting mechanism that include:
• A minimum set of services (fixed and mobile telephony, fixed and mobile internet) are covered by all Member States, in terms of incident reporting and security measures, but some of them went even further and covered a much broader range of services from broadcasting networks (TV, radio) to country code top level domains (CC TLDs), public WIFIs, and Internet exchange points (IXPs).
• Harmonization among Member States implemented regulations has been found to be satisfactory at this point, although gaps can still be observed. Additional improvements could be carried out, especially in the area of networks and services in view of new regulation.
• System failures (66%, e.g. software bugs and hardware failures) along with human errors (20%, e.g. cable cuts) are the top root causes disrupting EU telecommunications infrastructures, and ENISA will concentrate upon those in future studies.
• Third party failures have recorded an increase since last year and continue to represent an important cause for disruptions (16% of all incidents in 2014, 11% in 2013), asking for further developments in areas like supply chain security. Prof. Dr Udo Helmbrecht, Executive Director of ENISA, commented: “Achieving resilience in the EU telecom sector is one of the main building blocks of a strong digital society. ENISA will continue supporting developments in this area and deploy its expertise in the implementation of similar requirements of the NIS Directive in other sectors.”
Further analysis is required to draw some strong conclusions on next steps needed in this area. Topics like security measures to be implemented by electronic communications providers, transparency at national level and cross-border collaboration, still need further analysis as they could not be properly assessed within this study due to their complexity.
The results of this report along with the work done within Art. 13a Expert Group is to be used as an input for the current review of the telecom package that the European Commission has been promulgating.
Full report is available here