Topic #1: New Security and Outage Reporting Obligations for Internet-Based Providers
The European Electronic Communications Code (the “EECC”) is expanding the remit of national telecoms regulators across the EU to cover ‘interpersonal communication services’ (“ICS”)[1]. An ICS is defined as a service “normally provided for remuneration that enables direct interpersonal and interactive exchange of information via ECN between a finite number of persons…..” While the ICS definition has yet to be interpreted by the courts, it is clear that it covers many internet-based messaging and calling services (for consumers and enterprises). This means that leading tech companies need to quickly get to know their newest regulator in each and every EU Member State, the national telecoms regulator (the Commission for Communications Regulation in Ireland).
This Insight focuses on Article 40 EECC, and highlights the potential for it to be hugely burdensome for ICS providers when they experience EU-wide security and/or outage incidents.
Article 40 of the EECC obliges all providers of public electronic communications networks / services (including ICS providers) to meet a particular network security standard and to report significant incidents to competent national regulators Similar obligations already apply to traditional telecoms operators. Post EECC, the big question is what do global ICS providers need to do to prepare for country-by-country enforcement of security standards and incident reporting rules under Article 40?
What Is A Reportable Incident?
Reporting is mandatory where an incident has a significant effect on the confidentiality, authenticity, integrity or availability of the following assets: the networks; services; the stored or transmitted or processed data; and other services offered or accessed via those e-communications networks or services.
What constitutes a significant incident will be ultimately up to the regulators of each Member State to decide, however the EECC specifies the following parameters that should be taken into account when determining the significance of a security incident: the number of users affected by the security incident; the duration of the security incident; the geographical spread of the area affected by the security incident; the extent to which the functioning of the network or service is affected; and the extent of impact on economic and societal activities.
What Is the Practical Impact of Article 40?
Article 40 has potential to be hugely burdensome for ICS providers , as one team may have to report on a single incident to regulators in each and every EU Member State. Historically, security incident reporting has led to in-depth regulatory engagement on the reasons for the incidents and the mitigations to prevent reoccurrence. It is not clear how such in-depth engagement will occur under the EECC where there is potential for engagements with different national regulators to be highly duplicative.
Article 40 will not represent a major change for ‘traditional’ ECS providers[2] (as current EU framework provides such obligations) however, network security is expected to continue being a core focus for regulators particular in relation to security standards (as specified in ENISA guidelines) to reflect concerns at an EU level in relation to 5G infrastructure.
Does Article 40 Make Special Accommodations for ICS Providers / Tech Companies?
In general, the security provisions in Article 40 are the same for ICS (number-based and number-independent) and traditional telecoms operators. Both are subject to ex-ante regulatory investigations (including being required to provide information and submit to an audit on security to a regulator on request) and ex post regulatory investigations of significant incidents raising concerns of non-compliance.
However, there are limited special accommodations or exceptions made for ICS / OTT providers. Recital 95 ECCC recognises that, because these providers may not fully control their transmission networks (eg, the internet), certain security measures may not be needed, if justified on the basis of a risk assessment, and security requirements should reflect their specific nature and economic importance. It remains unclear how much Recital 95 will relieve the burden on ICS providers in practice. It will be important for ICS providers to take all opportunities to obtain agreement from national regulators that more light-touch, risk-adjusted network security regulation is appropriate, taking into account the particularities of the ICS in question.
Does Article 40 Make the EU an Outlier for ICS Providers?
We understand that the burden of Article 40 on ICS providers is unique to the EU. By way of example, the US national regulator Federal Communications Commission’s outage reporting rules only cover services that could affect homeland security, public health or safety, and the economic well-being of the nation. Similarly, while comparable obligations are imposed on carriers, carriage service providers and intermediaries in Australia, we understand these requirements do not apply to internet-based ICS.
[1] Defined as a service “normally provided for remuneration that enables direct interpersonal and interactive exchange of information via ECN between a finite number of persons…..”
[2] One change for fixed operators (who are moving traditional fixed services to VOIP) is the enhanced security procedures that might apply to these services)