Technical Stakeholder Consultation on Proposed Electronic Communications Security Measures (ECSMs)

Ireland published the National Cyber Security Strategy in December 2019. Measure 7 of the Strategy sets out how government will introduce a new and specific set of security requirements for the telecommunications sector, with detailed risk mitigation measures to be developed by the National Cyber Security Centre (NCSC) to assist the Commission for Communications Regulation (ComReg) in fulfilling its statutory functions under existing European Communities (Electronic Communications Networks and Services) (Framework) Regulations 2011, S.I. No. 333 of 2011 ("Framework Regulations"), and the European Electronic Communications Code (Directive 2018/1972).

In parallel to this process, EU Member States published the EU 5G Security Toolbox in January 2020 which represents our coordinated approach to securing 5G networks. One of the major recommendations of the toolbox was that Member States implement technical security measures which "strengthen the security of 5G networks and equipment by reinforcing the security of technologies, processes, people and physical factors".

The Electronic Communications Security Measures (ECSM) working group was established in March 2020 to design a set of security requirements for the electronic communications sector. The working group was co-chaired by the National Cyber Security Centre (NCSC) and the Network Operations Unit (NOU) of ComReg. The group also had membership from selected providers of electronic communications networks and services.

The group held a series of thematic workshops focussing on the areas identified as presenting the highest risk in the National and EU risk assessments. The workshops included presentations by guest speakers from industry, academia and relevant public bodies, as well as detailed technical discussions and submissions, which provided insights on the key risks, challenges, and best practices in the relevant security topics. The workshops resulted in the development by the NCSC of the series of documents known as the Electronic Communications Security Measures or ECSMs. In total, ten ECSMs have been drafted:

The security measures contained in the ECSMs will be provided with a legislative basis through the transposition of the European Electronic Communications Code. Further detail on the purpose, scope and applicability of the ECSMs can be found in ECSM 001 – General.

The purpose of this technical stakeholder consultation is to gather the views of interested parties, in particular third parties who are directly affected, such as providers of public electronic communications networks and publicly available electronic services, equipment manufacturers and suppliers, and cybersecurity professionals.

In gathering submissions, we want to evaluate the technical merit of the proposed security measures and the impact their implementation will have on the security and networks and services.

In making submissions, you should consider the following questions:

• Are the identified risks to the security of electronic communications networks and services appropriate?
• Do the recommended security measures adequately address the identified risks?
• Does the implementation guidance and relevant references provide sufficient guidance to implement the security measures?
• What impact will the measures likely have on the overall security of networks and services?
• What costs or challenges may be associated with the implementation of the security measures?

Respondents may submit general observations and/or detailed drafting suggestions. In cases where responses exceed five pages, we would ask that you include a concise executive summary.

Where respondents are making detailed commentary or suggesting drafting changes, they should refer to the document title and the line number of the relevant text.

Submissions should include ECSM Consultation in the subject field and be sent by email to cybersecurityconsultations@decc.gov.ie

The closing date for submissions has been extended to 5.30pm Friday 28 January 2022

We may hold a stakeholder information session in December to answer initial queries in relation to this consultation. Please contact the email above to register interest.

Supplementary Information

The Department recently gave an information briefing to stakeholders on the ECSM consultation. You can view the presentation from this session below.

We are committed to engaging with stakeholders in a clear, open and transparent manner. Any person or organisation can make a submission in relation to this consultation. All submissions and feedback will be taken into consideration in informing positions to be adopted in negotiations.

Please note that responses to this consultation are subject to the provisions of the Freedom of Information Act 2014 (FOI), Access to Information on the Environment Regulations 2007-2014 (AIE) and the Data Protection Act 2018.

Please also note that we intend to publish the contents of all submissions received to this consultation on our website. We will redact personal data prior to publication. In responding to this consultation, parties should clearly indicate where their responses contain personal information, commercially sensitive information or confidential information which they would not wish to be released under FOI, AIE or otherwise published.

We would like to draw your attention to our Data Privacy Notice which is available on our website and explains how and when we collect personal data, why we do so and how we treat this information. It also explains your rights in relation to the collection of personal information and how you can exercise those rights.

This paper provides an overview of the responses received and the Departmental reply to the issues raised in the technical stakeholder consultation on proposed Electronic Communications Security Measures launched in November 2021.