ETNO-GSMA feedback on draft implementing act under the NIS2 Directive

ETNO and the GSMA welcome the opportunity to share their views on the draft implementing regulation regarding cybersecurity risk management and reporting obligations for various digital infrastructure and service providers. Our members, who represent the leading telecommunication network and service providers in Europe, are thoroughly preparing to comply with the NIS 2 Directive and have been actively engaging with decision-makers and regulators on the national implementation of the law.

Member States are currently implementing and applying a plethora of security legislation, including the national transposition of NIS 2, which now also encompasses security rules for the telecom sector previously under the European Electronic Communications Code (EECC); the new Critical Entities Resilience Directive (CER); the Digital Operational Resilience Act (DORA); and national measures stemming from the 5G Security Toolbox. Additionally, data privacy legislation such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive demands further incident notifications in case of a data breach. These regulations affect the telecoms industry all at once. Therefore, consistent and harmonized application of this layered security rulebook is paramount.

As stated in NIS2, to avoid unnecessary disruption, existing national guidelines adopted for the transposition of the rules related to security measures laid down in Articles 40 and 41 of the EECC should be considered. If the Commission were to adopt further implementing acts in the future, we would encourage the Commission to perform a thorough gap analysis and to build on its established corpus of legal requirements and practices, including the ENISA Guidelines on Security Measures and Incident Reporting under the EECC, which we understand are being updated in light of the draft implementing acts.

Regarding the draft implementing regulation, we understand that it is strictly addressed to categories of digital infrastructure, digital and ICT service management providers whose operations have a cross-border dimension. However, telecommunications operators typically also serve as cloud computing providers and often include CDN, DNS, and managed services as part of their portfolios. If telcos were to be subject to differing principles regarding the applicability of rules, thresholds, and requirements for incident reporting and risk management depending on which asset or service is affected, this could result in overlapping and incoherent rules, causing both additional legal and operational uncertainty and costs.

The implementing regulation should therefore clearly specify how it applies to those entities whose core business is different from the provision of the services encompassed in the act, but which also provide these services as part of their portfolio. The act should help avoid duplication, support coherence, and prevent fragmentation through differing national cybersecurity policies.

Below, we present some general remarks on the draft implementing act, along with specific comments on the text of the draft regulation and its annex. However, due to the short timeframe and the highly detailed and technical nature of the document, our feedback cannot be considered a comprehensive assessment.

We elaborate on our recommendations in the paper. For questions and clarifications regarding this feedback, please contact Paolo Grassia (grassia@etno.eu), Director of Public Policy at ETNO.