In the telecommunications sector, EU Directive 2009/140/EC states that Member States shall ensure that providers of public communications networks ‘take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services’. As part of the adoption of this directive at the national level, a first project was developed in collaboration with the Institut Luxembourgeois de Régulation (ILR), the national regulatory authority for the telecommunications sector in Luxembourg, with the aim of adapting and facilitating security risk management in the telecommunications sector. To this end, ILR and LIST produced an initial framework composed of two parts: an approach and a tool to support the adoption of this regulation by Telecommunications Service Providers (TSPs) at the national level (regulated entity part), and a tool collecting the data received by the regulatory authority from the regulated entities through the preceding approach (regulatory authority part).
In light of the feedback following the first regulatory cycle, performed from December 2015 to July 2016, R&D challenges have emerged: on one side, facilitating and improving the quality of the risk management process performed by the regulated entities, and on the other side, improving the governance of the regulation by the regulatory authority. The main limitations identified are the lack of support for the security risk management process, risk management based on individual assessments rather than on the whole ecosystem, and limited data analytics capabilities.
The main objective of this project is to establish an advanced security risk management framework that addresses the limitations highlighted above. To achieve this primary objective, LIST researchers specialized in the application and development of risk management methods and tools will focus more specifically on the following secondary objectives:
As an outcome of the project, the planned innovation will enable better governance of the regulation. ILR's risk awareness and decision-making ability will be improved based on the indicators that will be established. The value for ILR will also lie in the standardized, high-quality results obtained to comply with the regulation, thanks to the supporting models, positioning Luxembourg as a top performer in the EU in complying with this EU Directive. Finally, the security of TSPs and the quality of service for end-users will be improved, so that the risks end-users face from a lack of security and integrity of networks and services will be minimized.
Project description on the FNR website: www.fnr.lu/projects/regulatory-technologies-for-luxembourg-regulatory-institute/