Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services (Text with EEA relevance)
Modified by
Directive (EU) 2018/1972 of the European Parliament and of the Councilof 11 December 2018establishing the European Electronic Communications Code(Recast)(Text with EEA relevance), 32018L1972, December 17, 2018
Corrected by
Corrigendum to Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services, 32009L0140R(01), September 10, 2013
Directive 2009/140/EC of the European Parliament and of the Councilof 25 November 2009amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services(Text with EEA relevance)"CHAPTER IIIaSECURITY AND INTEGRITY OF NETWORKS AND SERVICESArticle 13aSecurity and integrity1.Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services. Having regard to the state of the art, these measures shall ensure a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on users and interconnected networks.2.Member States shall ensure that undertakings providing public communications networks take all appropriate steps to guarantee the integrity of their networks, and thus ensure the continuity of supply of services provided over those networks.3.Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services notify the competent national regulatory authority of a breach of security or loss of integrity that has had a significant impact on the operation of networks or services.Where appropriate, the national regulatory authority concerned shall inform the national regulatory authorities in other Member States and the European Network and Information Security Agency (ENISA). The national regulatory authority concerned may inform the public or require the undertakings to do so, where it determines that disclosure of the breach is in the public interest.Once a year, the national regulatory authority concerned shall submit a summary report to the Commission and ENISA on the notifications received and the action taken in accordance with this paragraph.4.The Commission, taking the utmost account of the opinion of ENISA, may adopt appropriate technical implementing measures with a view to harmonising the measures referred to in paragraphs 1, 2, and 3, including measures defining the circumstances, format and procedures applicable to notification requirements. These technical implementing measures shall be based on European and international standards to the greatest extent possible, and shall not prevent Member States from adopting additional requirements in order to pursue the objectives set out in paragraphs 1 and 2.These implementing measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 22(3).Article 13bImplementation and enforcement1.Member States shall ensure that in order to implement Article 13a, competent national regulatory authorities have the power to issue binding instructions, including those regarding time limits for implementation, to undertakings providing public communications networks or publicly available electronic communications services.2.Member States shall ensure that competent national regulatory authorities have the power to require undertakings providing public communications networks or publicly available electronic communications services to:(a)provide information needed to assess the security and/or integrity of their services and networks, including documented security policies; and(b)submit to a security audit carried out by a qualified independent body or a competent national authority and make the results thereof available to the national regulatory authority. The cost of the audit shall be paid by the undertaking.3.Member States shall ensure that national regulatory authorities have all the powers necessary to investigate cases of non-compliance and the effects thereof on the security and integrity of the networks.4.These provisions shall be without prejudice to Article 3 of this Directive.";