Guidelines for assessing ISPs’ security measures in the context of net neutrality

According to the EU’s net neutrality regulation, called the Open Internet Regulation, which came into force in 2016, internet providers should treat all internet traffic to and from their customers equally.

Security measures, like blocking traffic on certain ports, are only allowed under specific circumstances. One of these circumstances refers to the application of security measures that are necessary to protect the integrity or security of networks, services using the networks, or end-user equipment.


The power to assess whether or not security measures are justified lies with the national telecoms regulatory authorities (NRAs). The application of a security measure to an internet network can be deemed justified by taking into consideration the circumstances, the type of networks, the services provided, etc.

Within this context, ENISA developed a guideline to support NRAs in their assessment. The guideline is available here and includes:

  • a list of evaluation factors for assessing whether a security measure is justified or not;
  • an evaluation checklist for NRAs;
  • a justification form, which can be used by NRAs to collect information about a security measure from providers. The justification form can also be used by providers, as part of their internal processes to document which security measures they consider to fall under this exception to the net neutrality rules.

“ENISA’s role in the EU cybersecurity landscape is often that of a catalyst for collaboration, a hub for exchanging views and opinions. For this paper, we worked closely together with two very different communities: the people supervising security in the telecom sector, and the people supervising the EU’s net-neutrality rules,” noted Udo Helmbrecht, Executive Director of ENISA.

“Although these two groups have a very different perspective, the collaboration was actually very useful and fruitful. We are happy with the practical results: a checklist and an evaluation form.”

On the same topic, the Body of European Regulators for Electronic Communications (BEREC) publishes an “Opinion for the evaluation of the application of Regulation (EU) 2015/2120 and the BEREC Net Neutrality Guidelines”. Through this document, BEREC shares with the European Commission its knowledge in the area, based on its experience with the application of the “Open Internet” regulation and its “Net Neutrality Guidelines”.

BEREC concluded that the application of both the regulation and the guidelines is working well. Both documents could be considered as striking a balance between the views of many different stakeholders.

Johannes Gungl, Chair of BEREC, commented: “Secure networks are crucial. However, on the one hand a given measure can provide security to end-users, on the other hand it could impair end-users’ rights. These are the rights to access and distribute information and content, or to use and provide applications and services. Therefore, we are very happy to have been able to contribute to the ENISA guidelines with our expertise on the Open Internet Regulation.”

This guideline was developed together with experts from the ENISA Article 13a Expert Group, which focuses on security in the telecom sector. Input from experts of BEREC’s Net Neutrality Expert Working Group was also used. ENISA prepared these guidelines building upon feedback from providers across the EU.