Proposals of revised NIS 2 Directive raises concerns over the European Electronic Communications Code fragmentation – says BEREC Opinion

On 19 May 2021, the BEREC Board of Regulators adopted an Opinion on the revised Directive on Security of Network and Information Systems (NIS2.0 Directive) and its effect on Electronic Communications. 

On 16 December 2020, the EC published a proposal that expands the current scope of the NIS Directive by adding new sectors based on their significance for the economy and society - the public electronic communications networks (ECN) and electronic communications services (ECS) now fall within the scope of essential entities. The proposal further strengthens security requirements for the relevant entities with an applicable minimum list of critical security elements. The proposed NIS2.0 Directive also suggests transferring the current security provisions in Articles 40 and 41 of the European Electronic Communications Code (EECC) to the NIS Directive.

BEREC’s concerns 

BEREC recognizes a rationale for the proposal to collect all critical infrastructures under one security framework; however, it raises concerns about the effects of fragmenting the EECC. BEREC outlines that the electronic communications sector already has its own sector-specific, comprehensive and proven regulatory framework that considers all perspectives, including security, economic analysis, competition law and other regulatory issues. This holistic approach to the security of the electronic communications sector, which has successfully adapted to the changing security landscape, has proven its merit. The industry cannot afford the risk of losing the experience with legal, technical and economic aspects of security in the current framework, built over ten years.

Moreover, BEREC raises concerns over the effect of the proposed changes on the ECN and ECS markets and the overall common security level reached with the targeted measures established since 2009. The BEREC Opinion explains that the obligations foreseen in the EC’s proposal may be disproportionate for some providers (e.g. small ones) and act as a barrier to market entry. In light of these concerns, BEREC considers it as most appropriate to retain Articles 40 and 41 in the EECC and not change or shift these provisions into the context of the reviewed NIS Directive. 

In its Opinion, BEREC also highlights a risk regarding the lack of clarity of the definitions that may result in legal challenges on specific areas of supervision under the NIS 2.0 Directive compared to the EECC.  

BEREC recommends 

BEREC strongly recommends that the revised Directive introduces sufficient safeguards to ensure the continuation of current practices and builds on the knowledge and experience of current competent authorities for the security of ECN and ECS. BEREC also suggests reviewing and clarifying the definition of “security of network and information systems” in the NIS 2.0 Directive. Finally, BEREC further suggests to assess, how the NIS2.0 Directive could best complement the provisions in the EECC.

BEREC will continue following closely the legislative process throughout the year, as foreseen in the Work Programme 2021, and may envisage relevant activities supporting the work of competent bodies.