Answer given by Mr Breton
on behalf of the European Commission (26.7.2021)
The Commission is not aware of similar attacks taking place in the EU. In any event, the European Union Agency for Cybersecurity (ENISA) and the European Competent Authorities for Secure Electronic Communications (ECASEC) Expert Group (the former ‘Article 13a Expert Group’[1]) are discussing the issue as usually done when novel ‘attacks’ take place.
The attacks as described in the referenced article exploit inadequate verification of a subscriber’s identity rather than a technical vulnerability in the short message service (SMS) protocol. The existing legislative framework, namely the European Electronic Communications Code[2], does foresee in its Article 40 that ‘Member States shall ensure that providers of public electronic communications networks or of publicly available electronic communications services take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services’. These measures include among others correctly identifying their subscribers.
Directive 2013/40/EU[3] on attacks against information systems also requires Member States to criminalise relevant conduct, including e.g. the illegal interception of non-public transmissions of computer data to, from or within an information system that includes mobile phones.
[1] In 2009 Article 13a was introduced as part of Directive 2002/21/EC (the Telecoms Framework Directive), requiring EU Member States to ensure that providers take appropriate security measures to protect the security and integrity of telecom networks and services. Article 40 of Directive (EU) 2018/1972 (the European Electronic Communications Code, EECC) has replaced this provision. This explains the change in the name of the Expert Group.
[2] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code.