There are two pieces of EU legislation which explicitly mention security measures in the telecom sector: Article 4 of the e-Privacy directive asks providers to take security measures to protect security of personal data processing. Article 13a of the Framework directive asks providers to take security measures to protect security of the provided networks and services. It has been argued there is an 80% overlap between the two articles.
ENISA would like to leverage this overlap and in this way optimize the implementation of both articles across the EU and where possible achieve harmonization between the implementation of Article 13a and Article 4. We look forward to discussing and developing this proposal further with all competent authorities (on Article 13a and 4), including DPAs and NRAs.