ENISA explained that the EU telecom directive requires telecommunications companies to report security incidents and take proactive security steps to protect consumers against security breaches.
The guideline on incident reporting provides advice to national telecom regulatory authorities (NRAs) about two types of incident reporting mentioned in the directive: the annual summary reporting of significant incidents to ENISA and the European Commission, and ad hoc notification of incidents to other NRAs in case of cross-border incidents.
This guideline defines the scope of incident reporting, the incident parameters, and thresholds. It also contains a reporting template for submitting incident reports to ENISA and the commission and explains how reports will be processed by ENISA.
The second guideline advises NRAs on the minimum security measures that telecom operators should take to ensure security of their networks.
“Incident reporting and minimal security measures are important tools to provide consumers, businesses and governments confidence in the security of telecommunication services. After the recent DigiNotar case there is also growing support for broadening the scope of this kind of legislation beyond the telecom sector”, said ENISA Executive Director Udo Helmbrecht.