On 7 July 2021, the European Union Agency for Cybersecurity (ENISA) published its Technical Guideline for Security Measures under the EECC (European Electronic Communications Code). The guideline gives the national authorities tasked with supervising the security of electronic communication networks and services guidance on the technical details of implementing Articles 40 and 41 of the EECC: how to ensure that providers assess risks and take appropriate security measures.
The guideline lists 29 high-level security objectives, grouped into 8 security domains. For each security objective there are specific, detailed security measures that providers could take to reach the objective. These security measures are grouped into 3 levels of increasing sophistication. The guideline also gives examples of evidence that an auditor, for example, could consider when assessing whether these security measures are actually in place.
ENISA is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.