📡NIS2 for Electronic Communications Providers — deadlines, obligations, fines

Providers of public electronic communications must implement the ten minimum measures of NIS2 Art. 21(2)(a-j): risk and security policies, incident handling, continuity and recovery, supply-chain security, ICT acquisition and development (including vulnerability handling), effectiveness assessment, cyber hygiene and training, cryptography, HR security and access control, multi-factor authentication [C3]. Unlike DNS, cloud, CDN, MSP and MSSP, the telecom sector does NOT have a dedicated implementing regulation — Reg. (EU) 2024/2690 does NOT cover providers of public electronic communications networks / services [C16]. In practice, derived obligations come directly from NIS2 + the OUG 155/2024 transposition, supplemented for 5G by the measures of the EU Toolbox and Law 163/2021 [C9][C10]. Usual technical framework: ISO/IEC 27001:2022, ISO/IEC 27002, ETSI EN 319401, plus the telecom-specific technical controls from the ENISA EECC guide (still technically relevant after the repeal of Art. 40-41) [C8]. The management body approves and oversees implementation (NIS2 Art. 20) [C6].

The 5G EU Toolbox (January 2020) requires identification and management of equipment, software and technology vendors as a key element of 5G network resilience [C9]. In its June 2023 communication, the Commission confirmed that Member State measures restricting or excluding Huawei and ZTE are justified and consistent with the Toolbox, and that these vendors present a materially higher risk than other 5G vendors [C9]. Romania transposed this policy through Law 163/2021, which requires prior authorisation of 5G technology and equipment manufacturers; for entities in the national defence, public order and national security system, purchases from non-authorised vendors are prohibited [C10]. ANCOM may request detailed information on the technologies, equipment and software used in 5G networks, the manufacturer and the degree of outsourcing [C10]. Baseline technical framework: ENISA 5G Security Controls Matrix, aligned with 3GPP [C17].

Until 17 October 2024, integrity / availability incidents in telecom were reported under Art. 40-41 EECC to the national authority (in Romania: ANCOM) [C8]. From 18 October 2024, NIS2 repeals Art. 40-41 and consolidates reporting under Art. 23: early warning to the CSIRT (DNSC) within 24 hours of awareness, detailed incident notification within 72 hours, final report within one month [C4][C8]. For public providers of electronic communications, the obligation to notify users when a particular or significant threat exists to the security of the network or service remains — derived from NIS2 Art. 23 and previous EECC practice [C4]. In the aggregated 2024 reporting to ENISA, 26 EU MS + 2 EFTA reported 188 telecom incidents; lost user-hours fell by more than 50% (1 743 million in 2024 vs. 3 906 million in 2023); 58% of incidents had impact on mobile telephony [C12]. Procedurally, Romanian operators now send a single flow to DNSC; coordination with ANCOM on continuity and availability remains through the BEREC Cybersecurity WG [C15].

The SS7 (2G/3G) and Diameter (4G) signalling protocols were designed without modern security considerations and are vulnerable to interception, redirection, subscriber location tracking and fraud carried out by actors with access to interconnected networks [C11]. ENISA, in a dedicated report on signalling in telecom, classifies the risk level as medium to high and recommends active contribution from all providers [C11]. For 5G, HTTP/2 signalling + NEF API + SBA introduces a new vector (network slicing isolation, service-to-service authentication). NIS2 Art. 21(2)(e) covers security of networks and systems in acquisition / development / maintenance, which for a mobile operator translates into concrete obligations on signalling firewalls, GTP anti-spoofing, inter-PLMN anomaly monitoring and 5G slice isolation [C3][C11]. The lesson from the Salt Typhoon campaign (2024+) is that operators' backbones and edge routers are a direct target for state actors — router security (patching, management-plane control, segregation) is part of the NIS2 list, not an optional extra [I4][C9].

Providers of public electronic communications process sensitive categories (location data, traffic data, content, identity data) — for which Regulation (EU) 2016/679 (GDPR) and, in Romania, Law 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector apply on top of NIS2 [C13]. In practice, for any incident affecting subscriber confidentiality, the operator must notify in parallel: DNSC under NIS2 Art. 23 (24h / 72h / 1 month) [C4], ANSPDCP (the Romanian Data Protection Authority) under GDPR Art. 33 (72 hours for notification to the authority) and subscribers directly where the risk is high. The lessons from T-Mobile US 2021 [I1], Optus 2022 [I2] and Lyca Mobile 2023 [I5] show the same pattern: an application vulnerability / a compromised account exposed hundreds of thousands to tens of millions of subscriber records. Control framework: strong encryption at rest and in transit (NIS2 Art. 21(2)(h)), granular access control (i), MFA on any administrative access (j), vulnerability handling (e), isolation of CRM and billing systems from the network.

Type: Credential compromise + exfiltration of subscriber databases (attributed to an individual attacker identified later)

Impact: Approx. 7.8 million current postpaid customers with personal data (name, date of birth, SSN, ID) exposed; approx. 5.3 million postpaid customers on another dataset (IMEI, IMSI, phone); approx. 40 million former / prospective customers exposed. Class action settlement of USD 350 million. No financial data exposed.

Lesson: Pivot incident for the telecom sector: a lax configuration on a publicly exposed non-prod environment was the entry point. NIS2 Art. 21(2)(e) and (i) require environment segregation, access control and vulnerability handling — measures which, had they been implemented, would have blocked the exploitation chain.

Type: API exposed without authentication; coding error in a legacy endpoint

Impact: Out of 9.8 million Optus customers, approx. 1.2 million with valid ID and complete personal information compromised; 900 000 with expired ID compromised. Data exposed: name, date of birth, phone, email, addresses, passport and driver's licence numbers. The attack was described as "not sophisticated" — trial and error on a forgotten endpoint. Dual regulatory probe (ACMA + OAIC).

Lesson: Same root cause class as Salt Typhoon and T-Mobile: asset management lacking control and forgotten / non-decommissioned APIs. NIS2 Art. 21(2)(i) (asset management) and Reg. (EU) 2024/2690 — even though it does not cover telecom — make it plain that a complete inventory of public endpoints is a minimum practice expected by DNSC under OUG 155/2024.

Type: Deliberate cyberattack that halted 4G/5G, SMS, fixed voice and TV services

Impact: The entire Vodafone Portugal base (approx. 4 million mobile subscribers + 3.4 million residential and business fixed-services customers) affected; only 3G remained operational, with limited capacity (~3 MB/s); service restoration required extended and careful action. Vodafone Portugal officially described the incident as a "deliberate and malicious attack intended to cause damage".

Lesson: Demonstration that a single incident at an integrated operator can simultaneously take mobile, fixed, TV and SMS networks offline. NIS2 Art. 21(2)(c) (continuity / crisis management) requires periodic scenario testing; for an integrated operator, the crisis plan must include per-service restoration, prioritisation of emergency services (112) and public communications coordinated with the authorities.

Type: Persistent state espionage on operators' backbone and edge routers; long-term multi-year access

Impact: AT&T, Verizon and Lumen confirmed compromise in December 2024; the campaign was described by US officials as the "worst telecom hack in our nation's history", with the capability to geolocate millions of people and record calls. T-Mobile US announced it was monitoring the activity. CISA and international partners issued advisory AA25-239A in August 2025; the FCC opened a notice of proposed rulemaking for new cybersecurity rules for carriers.

Lesson: Backbone and provider edge / customer edge routers are priority targets. CISA calls for patching CVE-2024-21887 (Ivanti Connect Secure) and CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect), plus active hunting. NIS2 Art. 21(2)(e),(f),(i) covers exactly these requirements; for EU operators, integration with the ENISA CTI mechanisms and the EU CSIRTs Network is a minimum operational baseline.

Type: Cyberattack (suspected ransomware-related); top-up service, national and international calls disrupted; investigation into data exfiltration

Impact: Services suspended in all 60 countries except 4; top-up portal taken down; investigation with third-party IT + law enforcement and data protection authority notification. Lyca's wording about "encrypted customer data" suggests unauthorised database access.

Lesson: A global MVNO with centralised IT propagates the incident across dozens of jurisdictions. NIS2 Art. 21(2)(d) (supply chain) + (c) (BCM / crisis management) — for an MVNO, per-market segregation + a parallel communications plan with each jurisdiction's authorities are already part of the minimum operational standard.

European Electronic Communications Code — Directive (EU) 2018/1972 · Transposed in Romania by Law 198/2022 (amending OUG 111/2011) [C14]

The basic regulatory framework for the electronic communications sector (authorisation, access, spectrum, universal service, user rights). Articles 40-41 (with security requirements and incident reporting) were repealed by NIS2 from 18 October 2024 [C8]; the rest of the EECC remains applicable. The ENISA Guide on Security Measures under the EECC remains technically relevant for any telecom operator seeking a verified operational baseline.

5G EU Toolbox + Law 163/2021 (Romania) · Toolbox: coordinated instrument of the NIS Cooperation Group, January 2020; Law 163/2021 published 11 June 2021 [C9][C10]

Combined framework for 5G network security. The EU Toolbox contains strategic measures (control of high-risk vendors) and technical measures (the ENISA 5G Security Controls Matrix catalogue) [C9][C17]. Law 163/2021 imposes in Romania prior authorisation of 5G technology manufacturers; for the defence, public order and national security system, purchases from non-authorised vendors are prohibited [C10].

GDPR (Reg. (EU) 2016/679) + Law 506/2004 (ePrivacy for electronic communications) · GDPR directly applicable from 25 May 2018; Law 506/2004 published 25.11.2004, amended several times (including by Law 235/2015) [C13]

Providers of electronic communications process traffic, location and identity data of subscribers — sensitive categories for which the GDPR + Law 506/2004 impose confidentiality, retention and subscriber rights requirements. For an incident affecting personal data, notification to DNSC under NIS2 Art. 23 does not replace notification to ANSPDCP under GDPR Art. 33 and, where applicable, to subscribers [C4]. Good practice: a single runbook feeding both flows.

Comm. Impl. Reg. (EU) 2024/2690 — NIS2 technical measures · Directly applicable from 17 October 2024 [C16]

Important for the supply chain: the regulation spells out technical requirements for DNS, TLD, cloud, data centres, CDN, MSP, MSSP and trust services [C16]. Providers of public electronic communications are NOT in direct scope, but if they use any of those providers (cloud, CDN, MSSP), their partner is bound by the same 13 technical sections — a key element for contractual clauses under NIS2 Art. 21(2)(d).

ENISA — Guide on Security Measures under the EECC + 5G Security Controls Matrix · Non-legal technical documents; remain the operational reference [C8][C17]

Even after the repeal of Art. 40-41 EECC, the technical baseline developed by ENISA under the previous regime remains an accepted operational standard. For 5G, the 5G Security Controls Matrix (a catalogue of controls aligned with the Toolbox + 3GPP) is the standard reference for national authorities during NIS2 + Law 163/2021 audits. DNSC will use this technical framework in audits on NIS2 Art. 21(2) for telecom, pending any future publication of a separate sectoral implementing regulation.