Hackers Cost 1B User Hours Lost in EU Telecoms
July 27, 2020
The report published today provides an analysis of the root causes and impact of major incidents that occurred in 2019, as well as multiannual trends. The national telecom security authorities in Europe reported a total of 153 major telecom security incidents in 2019. These incident reports were submitted to the EU Agency for Cybersecurity as part of the annual summary reporting on major telecom security incidents in the EU. The reported incidents had a total impact of almost 1 billion user hours lost.
Juhan Lepassaar, the Executive Director of ENISA, said: "Incident reporting is essential to understand different factors that play a role in cybersecurity incidents, as well as relevant issues. It helps us to see the trends and allows us to assess if the related legislation is working. This will help us to develop the right security measures, if further adjustments or clarifications are needed in the form of implementing acts, and thus improve the overall level of cybersecurity. National authorities use the reporting as a basis for targeted policy initiatives. Our role at ENISA is to make sure that the process is working and to allow the stakeholders, the Member States and the Commission to get the most out of it. We work to harmonise the security incident reporting processes across the Union, to reduce security risks and barriers to the internal market."
Jakub Boratyński, Acting Director of Directorate H in DG CONNECT, commented: “Security incident reporting is important in order to get hard numbers about incidents, to analyse root causes and impact, which helps prevent future incidents. It is essential to collect this data not only at EU-level, but also at national level. The COVID-19 outbreak shows more clearly than ever the importance of securing telecom networks.”
Figure: Number of incidents and million user hours lost per year
The report published today presents an analysis of root causes, impact, and trends of major incidents. It is the 9th annual report on telecom security incidents.
Key takeaways from the 2019 incidents
To access the report, please visit: ENISA - Telecom Services Security Incidents 2019 Annual Analysis Report
ENISA also provides an online visual tool, CIRAS, giving public access to the full repository of telecom security incidents. This tool gives statistics and anonymized information about the 1200 major incidents reported over the past 9 years.
EECC broadening the scope of the telecom security incident reporting
The new EU telecom legislation, known as the European Electronic Communications Code (EECC), has to be transposed into national law by 21 December 2020.
These new rules are broader in scope, adapting to the changes in the EU’s electronic communications landscape. The new legislation will also cover so-called number-independent interpersonal communications services, such as WhatsApp and Skype. The reporting obligations will cover a broader range of telecom security incidents, including incidents having an impact on confidentiality, availability, integrity or authenticity of the communication networks and the data transmitted via those networks or services.
ENISA is working with the EU Member States to implement these changes. The annual reporting guideline is currently being updated to include new thresholds for the annual summary reporting. The EU Agency for Cybersecurity is also updating the guidelines on security measures.
Electronic communication providers in the EU have to notify telecom security incidents having a significant impact to the national authorities for telecom security in their country. At the beginning of every calendar year, the authorities send summary reports about these incidents to the EU Agency for Cybersecurity.
Security incident reporting has been part of the telecom regulatory framework of the European Union (EU) since the 2009 reform of the telecom package: Article 13a of the Framework Directive (2009/140/EC) came into force in 2011. The breach reporting in Article 13a focuses on security incidents with significant impact on the operation of services, such as outages of the electronic communication networks and/or services. Article 40 of the European Electronic Communications Code (EECC) will replace Article 13a by the end of 2020.
The Article 13a Expert Group was founded by ENISA back in 2010, under the auspices of the European Commission. Its purpose is to bring together experts from national telecom security authorities from across the EU to agree on a practical and harmonised approach to the security supervision requirements in Article 13a and to agree on an efficient and effective incident reporting process.
Warna Munzebrock, a representative of Agentschap Telecom, the Dutch Radiocommunications Agency, now chairs the group. The Article 13a Expert Group meets 3 times per year, and its work and deliverables can be found in the Article 13a Expert Group portal hosted by ENISA.