Electronic communication providers in the EU have to notify significant security incidents to the national telecom regulatory authorities (NRAs) in each EU member state. Every year the NRAs report summaries of a selection of these notified incidents, the most significant ones, based on a set of agreed thresholds. This document, the Annual Report on Telecom Security Incidents 2017, aggregates the incidents reported in 2017 and provides a single EU-wide overview of telecom security incidents. Mandatory breach reporting has been part of the EU's telecom regulatory framework since the 2009 reform of the telecom package: Article 13a of the Framework directive (2009/140/EC) came into force in 2011. The breach reporting in Article 13a focuses on security incidents causing significant outages. The Commission recently proposed an update of the telecom rules. The new breach reporting requirements in Article 40 of the Electronic Communications Code have a broader scope, including not only incidents causing outages but also confidentiality breaches. Security breach reporting is also mandatory for trust service providers in the EU (under Article 19 of the eIDAS regulation), for Operators of Essential Services in the EU (under Article 14 of the NIS directive) and for Digital Service Providers in the EU (under Article 16 of the NIS directive).


