NIS2 is here – What telecommunications providers need to know about Europe’s new cybersecurity regime

The new Network and Information Systems Directive (NIS2, Directive (EU) 2022/2555) applies from 18 October 2024, the day after the Member States’ transposition deadline, and brings with it a significant overhaul of the way cybersecurity risk management is regulated in Europe.

The telecommunications industry is no stranger to cybersecurity regulation, with sector-specific legislation focused on cybersecurity being in place across many EU Member States for quite some time.

However, NIS2 clearly widens both the part of the telecommunications sector that is subject to cybersecurity scrutiny and the level of scrutiny that sector will face, given how many of Europe’s critical industries depend on it.

Outside of the UK, Europe’s telecommunications providers, while accustomed to enhanced cybersecurity regulation, are not necessarily used to stringent sanctions for non-compliance. Under NIS2, however, sanctions are substantial: essential entities face administrative fines of up to at least €10 million or 2% of total worldwide annual turnover, whichever is higher, and (in some cases) sanctions against management and the C-suite, including personal liability of the management body and temporary bans on exercising managerial functions. In that regard, lessons from the UK (see our section on the UK below) demonstrate what the future may hold for telecommunications under NIS2 in terms of financial penalties.

This article, part of our NIS2 series, provides a high-level overview of what you need to know for your sector and the steps you need to take now. For a more in-depth insight into NIS2 and its requirements, see our article here.

What does this mean for telecommunications providers?

NIS2 imposes obligations on a broader range of entities, which are classified as either ‘essential’ or ‘important’; essential entities face stricter supervision and higher maximum fines.

Unsurprisingly, given their essential role, telecommunications providers fall under NIS2 as ‘essential’ and are therefore subject to NIS2’s most stringent supervisory regime. This regulated category covers providers of public electronic communications networks and of publicly available electronic communications services. One caveat on size: NIS2 applies to these providers regardless of size, but only those that qualify as medium-sized enterprises or larger are classified as essential; smaller providers are in scope as important entities.

In addition, many providers associated with the telecommunications sector are regulated under NIS2 in their own right as digital infrastructure. This includes DNS service providers, internet exchange points (IXPs), data centre service providers and content delivery network providers.

Incidents such as ransomware attacks and DDoS attacks are common occurrences for telecommunications providers, with global content and caching provider Akamai reporting a significant rise in such attacks in recent years. Moreover, incidents such as the sabotage of fibre-optic cables serving several French operators’ fixed and mobile services in July 2024 (conducted during the Paris Olympics) and the Baltic Sea undersea cable cuts in November 2024 demonstrate that the threat to telecommunications has many faces.

Overlapping impact of the CERD

Aside from obligations under NIS2, telecommunications providers will likely face significant overlapping duties under NIS2’s counterpart, the Critical Entities Resilience Directive (CERD), whose national implementing measures also apply from 18 October 2024.

The CERD covers similar ground to NIS2 in terms of resilience but is far broader in scope, applying to any type of threat an organization may face. For example, while NIS2 requires regulated entities to protect their network and information systems against cybersecurity threats, vulnerabilities, and outages, the CERD extends this to all forms of threats, including physical risks such as natural disasters.

In this context, outages like those impacting Telenor’s network in Norway (August 2024) and TDC Net’s outage in Denmark (November 2024) —both of which disrupted emergency services communications and affected several other critical sectors—fall within the scope of CERD and, likely, NIS2.

In some cases, Member States are introducing CERD measures in parallel with NIS2, while in others, CERD requirements are being implemented on a standalone basis. Organizations will need to understand the specific domestic variations of NIS2 and CERD that apply to them in their respective home countries.

What is clear, however, is that for the telecommunications sector, an outage caused by a physical threat will most likely have implications for incident reporting and management obligations under NIS2. NIS2 defines an incident by its effect (an event compromising the availability, authenticity, integrity or confidentiality of data or of the services offered), not by its cause, so a significant outage triggered by a cable cut or a flood is reportable under NIS2 as well as under the CERD.

Being responsive to external threats

The NIS2 Directive requires telecommunications providers to adopt a security posture commensurate with the sophisticated external threats they encounter, particularly those posed by foreign state-backed actors. This entails robust risk management, continuous monitoring, and rapid response mechanisms to detect and mitigate cyber threats, and it requires operators to assess and improve their cybersecurity measures so that they remain resilient against nation-state attacks and other external adversaries.

Telecommunications networks in the EU face a significant volume of cyberattacks. For instance, in 2023, CERT-EU analysed 602 malicious activities of interest, with the telecommunications sector being among the targeted industries. Similarly, statistics from Deutsche Telekom indicate that Germany’s largest provider faced 30,000 to 40,000 attempted attacks every minute.

Ransomware remains a predominant cybercrime activity globally, with the CERT-EU report identifying at least 55 ransomware operations and a total of 906 victims in 2023. Finally, the proliferation of AI poses a particular threat, given the enhanced capabilities it provides to threat actors.

Telecommunications infrastructure is integral to national security and economic stability, positioning it at the forefront of proactive threat assessment. Consequently, although the baseline risk management measures in Article 21 of NIS2 are the same for all essential entities, the Directive singles out electronic communications providers in several places: its recitals promote encryption, in particular end-to-end encryption, for public electronic communications networks and services, and the required measures include policies on the use of cryptography and, where appropriate, encryption, as well as secured voice, video and text communications and secured emergency communication systems where appropriate. NIS2 is technology-neutral and does not prescribe particular algorithms or mandate quantum key distribution, but given the long lifetimes of network equipment, operators should plan their migration to quantum-resistant cryptography now. This proactive stance is essential to maintain the integrity and confidentiality of data transmitted across their networks.

Service availability

Under NIS2, ensuring service availability is paramount for telecommunications providers. Given the critical role telecoms play in the EU’s digital infrastructure, business continuity planning (BCP), backup management and disaster recovery are among the required risk management measures, and operators must adopt network monitoring and redundancy measures to maintain service continuity and minimize downtime. Additionally, swift response capabilities are required to restore network operations promptly, ensuring that services can be brought back online with minimal disruption. This not only reduces the potential economic and societal impact but also maintains public trust in telecommunications services.

Because telecommunications infrastructure serves as the backbone for countless other NIS2-regulated entities, outages within a major telecom provider could trigger widespread cascading effects. A single significant service disruption may lead to multiple NIS2 incident notifications, as organizations across various sectors, from healthcare to finance, depend on stable and secure communication networks to deliver their core services. This amplifies the importance of robust availability measures in the telecommunications sector, over and above the physical resilience duties under the CERD described earlier.

Enhanced audit

One critical aspect of NIS2 that could materially change the way telecommunications providers approach their information security management, governance, and assurance practices is the introduction of enhanced audits.

NIS2 introduces enhanced audit and inspection measures, with each EU Member State’s competent authority able to conduct on-site inspections, random checks, and regular, targeted and ad hoc security audits of a company’s information security management frameworks and cybersecurity posture. Essential entities, including telecommunications providers, are subject to proactive (ex ante) supervision; important entities are supervised reactively (ex post), on the basis of evidence of non-compliance.

For telecommunications providers, audit and oversight already existed under the security provisions of the EU Electronic Communications Code (EECC), which Member States had to transpose by December 2020. Under Articles 40 and 41 of the EECC, telecommunications operators were subject to binding instructions, security audits and inspections to ensure compliance with security requirements, typically covering risk management practices, incident reporting procedures, and the implementation of technical and organizational measures to safeguard network integrity.

NIS2 does not run alongside those EECC provisions: Article 43 of NIS2 deletes Articles 40 and 41 of the EECC with effect from 18 October 2024, so the security and incident reporting regime for telecommunications now sits within NIS2. In practice, the same national regulators that supervised the sector under the EECC are likely to be designated as competent authorities under NIS2, and how they carry their EECC audit practice over into the broader NIS2 powers will be followed within the industry with great interest. Audit powers under NIS2 are far broader than those under the EECC and require more comprehensive evaluations of critical infrastructure, supply chain security, and incident response capabilities.

Another critical aspect of audits under NIS2 is its cost recovery mechanism. A similar power existed under the EECC, and under NIS2 the costs of a targeted security audit carried out by an independent body are payable by the audited entity, except in duly justified cases where the competent authority decides otherwise. When a regulator finds compliance gaps, the organization will therefore not only face corrective action plans (with periodic penalty payments for continued non-conformity) but will also be expected to pay for the audit. For those unfamiliar with audit, certification, and assurance within the sector, this can amount to a hefty bill.

Incident management

NIS2 represents a significant cultural change in how organizations approach incident management and for the personnel who will need to be involved in that process.

One of the most significant aspects of NIS2 is the emphasis on incident reporting. Affected entities must report any significant incident to the relevant authority in stages: an early warning without undue delay and no later than 24 hours after becoming aware of the incident, a fuller incident notification within 72 hours, and a final report no later than one month after the incident notification (with intermediate updates on request). A ‘significant’ incident is one that causes, or is capable of causing, severe operational disruption or financial loss for the entity, or considerable damage to others.

For telecommunications providers, stringent incident reporting requirements have been commonplace for quite some time. However, given the EU’s heavy reliance on telecommunications as the backbone of its critical infrastructure, an incident involving a major telecommunications provider will most likely cause significant incidents, and therefore notifications, across its NIS2-regulated customer base.

Registration

With NIS2 comes a new mandatory registration requirement. A regulated entity will be required to register with its competent authority and provide key details about where the organisation provides its services, its IP ranges, and (where applicable) the identity and contact information of its designated representative. 

Providers of certain digital services (such as DNS, cloud computing, data centre and content delivery network providers) that are located outside the EU with no establishment there will need to appoint a representative in one of the Member States in which they offer services. Telecommunications providers themselves are instead placed under the jurisdiction of each Member State in which they provide services.

For telecommunications providers, a one-stop shop approach to registration (i.e., registering in a single country) is unlikely to be a viable option, and multiple registrations may be required across the countries in which the provider offers its services and operates its critical infrastructure. In addition, and specifically for this sector, when considering jurisdiction for the purposes of registration, telecommunications providers must factor in the countries in which they provide their services, not the countries in which they are established.

What about the UK

This article focuses on the EU’s enhanced cybersecurity regime, which will not apply in the UK.

However, cybersecurity regulation for the UK’s telecommunications sector is arguably ahead of the current status quo in Europe. The UK’s Telecommunications (Security) Act 2021 and its accompanying Electronic Communications (Security Measures) Regulations 2022 impose security duties on providers, and the Telecommunications Security Code of Practice (the “Code”), issued by the Government and enforced by Ofcom, sets out how providers are expected to meet them. The Code places stringent obligations on telecom providers to secure their networks and protect against a wide range of cyber threats. Like NIS2, the UK framework emphasizes proactive risk management but includes more prescriptive requirements, such as specific measures for equipment security and vendor risk management, reflecting lessons learned from reliance on high-risk vendors. The Code’s implementation deadlines fell at the end of March 2024 for the UK’s largest (Tier 1) providers and at the end of March 2025 for Tier 2 providers.

Aside from the Code, Ofcom has already demonstrated its authority to enforce compliance through significant fines for service outages. For instance, BT was fined £17.5 million in July 2024 following a June 2023 network failure that disrupted 999 emergency call services for over 10 hours, resulting in approximately 14,000 unsuccessful call attempts. Similarly, Three UK was fined £1.9 million after a 2016 network fault left customers unable to access emergency services. These penalties highlight the UK’s strong stance on ensuring service availability and the critical role of telecoms in emergency response.

Finally, the UK is in the process of introducing its own NIS2/CERD-equivalent legislation in the form of the new Cyber Security and Resilience Bill.

For specific guidance on the steps the UK is undertaking in this space, and particularly in respect of compliance with the new Code, please contact a member of the Resiliency team.

What you need to do now

  1. Familiarise yourself with the key requirements of NIS2 – you can read our more in-depth article here as a starting point.
  2. Undertake a scoping assessment to assess which aspects of your core infrastructure fall within the scope of NIS2 and, specifically, where across Europe that infrastructure is located (this has implications for registration).
  3. Where you provide multiple services (e.g., operate a content delivery network alongside a telecommunications service) conduct a scoping assessment to determine how each service falls under NIS2.
  4. Keep track of the specific NIS2 implementation timeline for your home country – very few Member States were able to adopt national implementing laws before the 17 October 2024 transposition deadline, but domestic implementation is starting to gain traction.
  5. Determine and complete registration requirements – for telecommunications providers this may entail multiple registrations across Europe.
  6. Conduct a gap analysis between the NIS2 measures (specifically those required in your home country) and your existing controls under the national implementation of the EU Electronic Communications Code, which NIS2 replaces for security purposes, and implement a rectification and improvement plan.
  7. Review and update existing incident management handling processes – you can read more about some of the changes to incident classification here.
  8. Start your vendor management process now, given the significant time it often takes to cascade compliance throughout the supply chain.
  9. Start repapering now, including your customer facing contracts as well as the various information your NIS2-regulated customer base will seek to evidence compliance with their own NIS2 obligations.

For further information on NIS2 or assistance with the above activities, please engage with our Resiliency team.

Disclaimer

This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.
