Telecom & Trust Services Incidents in 2021: Over-The-Top (OTT) Challenges Emerging
July 2022 by ENISA
The European Union Agency for Cybersecurity (ENISA) releases today the 2021 incident reports on telecom and trust services.
The 2021 reports: what are the key take-aways?
The 2021 annual report on Telecom Security Incidents showcases a total of 90% of user hours lost in the reporting year due to human errors, with the total of user hours lost in 2021 reaching 5106 million user hours. This is more than four times higher than 2020. This was identified as the result of a substantial EU cross-border incident separately reported by three different Member States.
Over-The-Top (OTT) incidents were reported as well and require further attention by decision-making authorities.
The annual report 2021 on Trust Services Security incidents showcases that notified incidents are steadily increasing and that the incidents mostly reported are those related to qualified certificates. Incidents with either minor or large impact continue to increase. This follows the trends of the past five years. 47% of incidents are due to system failures, and thus remain a dominant root cause of incidents. In 2021, incidents caused by malicious actions also increased by 20%.
The analysis is made possible thanks to the information ENISA receives from the national regulatory authorities (NRAs) of each EU Member State.
The ENISA reports aggregate and anonymise the data received and enable a comprehensive analysis to be performed. Based on EU-wide thresholds this analysis still takes into account possible variables when Member States decide for a different approach. The thresholds establish the way incidents are selected and classified and determine the coherence of the analysis.
Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity (ENISA) stated: "Incident reporting helps us understand and analyse the state of cybersecurity. If we want to adequately respond to our current cybersecurity challenges, we need to agree on a common approach to incident reporting for the benefit of us all. The NIS2 Directive provides a much needed push to improve this. ENISA will continue to support the EU, Member States and the cybersecurity community to address this challenge."
Incident Reporting: why does it matter?
Incident reporting is a process by which major cybersecurity incidents are reported on an annual basis and then further analysed. With it, we can identifiy specific aspects of an incident such as the context, the type of incidents, the recurrence, the impact, the level of severity, the root causes and assets affected, etc.
The knowledge gathered therefore allows us to draw a map of current trends, weaknesses, patterns, etc.
The ultimate purpose of incident reporting is to facilitate more informed and efficient decision-making on the measures and actions needed to prevent or better deal with these incidents.
Policy developments: how legislation will improve incident reporting in the EU?
The upcoming NIS2 Directive will consolidate incident reporting under the European Electronic Communications Code (EECC), the NIS and the eIDAS Regulation. ENISA will therefore engage with national authorities and regulators on how to implement consolidated incident reporting under the NIS2 Directive.
Under Article 40 of the EECC, the incident reporting provisions have also changed with mandatory incident reporting now also applying to independent interpersonal communications services (OTT communications services).
The current eIDAS Regulation and its provisions for incident reporting have been in place for five years. The European Commission is now working on a new eIDAS Regulation proposal whereby most of the reporting obligations under ART 19 of eIDAS will be transferred to the NIS 2 Directive.
In the area of electronic communications, providers in the EU have to notify telecom security incidents which have a significant impact to the respective national authorities for telecom security. At the beginning of every calendar year, the authorities send summary reports about these incidents to the EU Agency for Cybersecurity.
Established in 2010, the European Competent Authorities for Secure Electronic Communications expert group (ECASEC), or former Article 13a group, consists of about 100 experts from national telecom security authorities from EU Member States, European Free Trade Association (EFTA) and European Economic Area (EEA) countries, as well as EU candidate countries.
Electronic trust services include a range of electronic services around digital signatures, digital certificates, electronic seals, timestamps, etc. used to secure electronic, online, transactions.
The eIDAS Regulation is the EU wide legal framework meant to ensure the interoperability and security of the electronic trust services across the EU. One of the goals of the eIDAS is to ensure electronic transactions can have the same legal validity as traditional paper-based transactions, to create a framework in which a digital signature has the same value as a hand-written signature.
Security is an important pillar of the overall framework. Article 19 of the eIDAS Regulation requires trust service providers in the EU to assess risks, take appropriate security measures, and mitigate security breaches.