Europe gets ready for tighter security and telco regulations

Last week saw the European parliament debate the content of a new regulatory telecommunications package that will have far reaching implications for security and risk professionals on both sides of the Atlantic the 785 members of the parliament’s plenary were supposed to vote on the reform package – but six of the most pressuring issues are still open and largely undecided (see: http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/08/551&format=HTML&aged=0&language=DE&guiLanguage=nl).

In a nutshell, this new telco package mirrors the ongoing struggle between forces that call for stronger independence of the respective national telecoms authorities in the EU member states (e.g., supported by the EU parliament) and those seeking more direct control over politically sensitive areas such as security (e.g., represented by the EU council).

The key elements of this new telco package include the following security-relevant areas:

(1) Copyright and content ownership,

(2) Tighter breach disclosure laws; though in its current form unclear about thresholds, etc., and

(3) IP-address storages rules, currently strongly opposed by European privacy activist

…as well as a more generic part on a:

(4) New agreement on the radio spectrum, including wireless broadband for rural areas.

The regulators also seek to establish a telecommunications authority for Europe – with the current primary security body, the European Network Information Security Agency (ENISA), becoming a part of this new, broader security and telco authority.

Depending on the outcome of the vote and the ongoing discussions, a political agreement on the final legislative texts could be achieved prior to Christmas 2008. The new regulatory framework is then supposed to become the law in all 27 EU Member States by 2010, so the regulators hope.

I believe that Europe needs to expand its regulatory security scheme to better reflect ongoing threats (such as data leaks) – while not losing sight of the continent’s strong privacy roots. I also think that a bigger security authority (beyond the 40 or so strong ENISA) is needed to have a true thought leading impact on European security challenges. However, speed is crucial in this process – yet speed is not exactly what European law makers are famous for. As they say, watch this space…