The legislation requires Member States to ensure that telecommunications providers protect the security of their networks and services (Articles 13a and 4), as well as the security of the processing of personal data (Article 4).

This joint framework has been designed as a tool for the authorities that supervise the electronic communications sector pursuant to Article 13a and Article 4. The advantages of developing this single framework are twofold:

  • For telecommunications providers: it simplifies compliance.
  • For the authorities (telecom regulators, data protection authorities): it allows for consistent supervision and facilitates collaboration between authorities at both national and international levels.

The framework contains 26 high-level security objectives, grouped into 7 domains. Each security objective indicates its relevance to Article 13a and/or Article 4. It also details the security measures for each objective, along with the evidence demonstrating their implementation. To emphasize that this is not a one-size-fits-all solution, the measures are grouped into 3 levels of sophistication: basic, industry standard, and advanced.

Staffan Lindmark, Deputy Head of Section at the Swedish Post and Telecom Authority and a member of ENISA's Telecom Regulatory Expert Group, said regarding this initiative: “Access to reliable electronic communications is vital in today's society. Together, Articles 13a and 4 form a comprehensive regulatory framework for information security in the telecoms sector, designed to ensure that users receive reliable services and that the vast majority of data transferred daily in communications is adequately protected. This joint framework developed by ENISA enables competent authorities to apply these rules consistently across Europe.”

ENISA Executive Director Udo Helmbrechtcommented on the project: “Security is a complex issue and a top priority for the EU. We must avoid overlaps and inconsistencies between different laws. Experts from national authorities point out that there is approximately 80% overlap in the security measures that telecom providers must take to protect the security of networks and services, as well as the processing of personal data. ENISA acts as a link between telecom regulators, data protection authorities, and providers, helping Member States to implement existing legislation effectively and cost-efficiently.”

The framework was developed with input from a group of experts from the competent national authorities (national regulatory authorities (NRAs) and data protection authorities (DPAs)), building on previous experiences and discussions on how to monitor Article 13a and Article 4. This report, derived from ENISA's Guidelines on ENISA's Article 13a security measures, includes the technical and organizational measures addressed in ENISA's Recommendations for the technical implementation of Article 4 (section 5.2). ENISA will continue to work with EU national authorities and support the monitoring of security measures in the telecommunications sector.