Guideline on threats and assets : technical guidance on threats and assets in Article 13a, version 1.2
The 2009 reform of the EU legislative framework for electronic communications (EU Directive 2009/140/EC) introduced Article 13a into the Framework Directive (Directive 2002/21/EC as amended by Directive 2009/140/EC). The reform was transposed by most EU Member States halfway through 2011. Article 13a concerns the security and integrity of electronic communication networks and services. The first part of Article 13a requires that providers of networks and services manage security risks and take appropriate security measures to guarantee the security (paragraph 1) and integrity (paragraph 2) of these networks and services. The second part of Article 13a (paragraph 3) requires providers to report significant security breaches and losses of integrity that have had a significant impact on the operation of networks or services to competent national regulatory authorities, who should report these security incidents to ENISA and the European Commission (EC) annually.

In 2010, ENISA, the European Commission (EC), Ministries and Telecommunication National Regulatory Authorities (NRAs) initiated a series of meetings (workshops, conference calls) to achieve an efficient and harmonised implementation of Article 13a across the EU. The Article 13a Expert Group now comprises experts from NRAs of most EU countries, and several EFTA and EU candidate countries. Meetings (telephonic or physical) are organized and chaired by technical experts from ENISA. The European Commission acts as an observer in these meetings. The Article 13a Expert Group reached consensus on two non-binding technical guidelines for NRAs: the "Technical Guideline on Incident Reporting" and the "Technical Guideline on Security Measures". This document complements the other two guides by providing a list of assets and a list of threats.

This document provides a full list of threat types, the relation between threats and root cause categories (used in incident reporting), a full list of asset types, and it introduces asset groups and component layers. The primary goal of this document is to improve pan-EU annual summary reporting. NRAs could also use this document for cross-checking risk assessments by providers, for supervising the security measures taken by providers, and for their national incident reporting frameworks.
Year of publication: | [2015] |
---|---|
Other Persons: | Dekker, Marnix (contributor) ; Karsberg, Christoffer (contributor) |
Institutions: | European Network and Information Security Agency (issuing body) |
Publisher: | Heraklion : ENISA |
freely available
Extent: | 1 online resource (29 p.), illustrations (colour) |
---|---|
Type of publication: | Book / Working Paper |
Language: | English |
Notes: | August 2015. - Bibl. : p. 22-23 |
ISBN: | 978-92-9204-125-0 |
Other identifiers: | 10.2824/683109 [DOI] |
Source: | ECONIS - Online Catalogue of the ZBW |
Persistent link: https://www.econbiz.de/10015297054