4
communications networks and infrastructures (including physical attacks on the networks and
information systems, in line with the all-hazard approach of the NIS2 Directive), by a hostile third
country, i.e. nation state actors, but also organised crime groups and hacktivists acting in support of
nation states.
In this context, the full range of cybersecurity incidents against which the operators need to protect,
is not considered, leaving out of scope, for instance, incidents caused by natural phenomena, climate
change, human errors, involuntary bugs, misfunctions and misconfigurations, cyber-attacks with a
purely financial aim, such as scams and fraud, etc.
4
These other incidents and attacks must however
still be considered by the operators when securing their systems and networks. Annex 2 contains a
longer list of threats relevant for telecom operators.
The networks and information systems assets in scope of this risk assessment are:
• Public electronic communications networks:
o Mobile networks, including the signalling networks;
o Fixed networks;
o Satellite networks;
• Core Internet infrastructure:
o Routing of Internet traffic;
o Submarine and underground cables;
o Internet exchange points (IXPs) and data centres;
o Networks and systems used for the provision of Top-level domain registries (TLDs)
and Domain Name System (DNS) services.
Out of scope are web certificates and qualified trust service providers, the (so-called over-the-top)
number-independent interpersonal communications services, as well as cloud services, unless
operators use them to deliver the above-mentioned networks or infrastructures. Also out of scope are
the end-user devices, such as smartphones, personal computers (PCs), home routers, and targeted
threats on such devices such as smartphone spyware, because they are not an integral part of the
networks or infrastructures and generally speaking not under the control of the operators. However,
scenarios where such devices are used to attack the networks and infrastructures are considered.
Regarding issues related to 5G networks, the findings of the EU Coordinated risk assessment of the
cybersecurity of 5G networks
5
published in October 2019 and the mitigating measures of the EU
Toolbox on 5G Cybersecurity (EU Toolbox)
6
of January 2020 remain valid and relevant for the purpose
of the present risk assessment.
1.3. Methodology
This report is based on the results of a risk assessment performed by Member States in the NIS
Cooperation Group, with support from the Commission and ENISA and in consultation with BEREC,
between April 2022 and December 2023. The assessment was conducted building on the methodology
of the EU Coordinated risk assessment for 5G networks and the cybersecurity analysis of Open Radio
4
ENISA, Telecom Security Incidents 2021, 27 July 2022, https://www.enisa.europa.eu/publications/telecom-
security-incidents-2021
5
NIS Cooperation Group, EU-wide coordinated risk assessment of 5G networks security, 9 October 2019,
https://digital-strategy.ec.europa.eu/en/news/eu-wide-coordinated-risk-assessment-5g-networks-security
6
NIS Cooperation Group, Cybersecurity of 5G networks - EU Toolbox of risk mitigating measures, 29 January
2020,
https://digital-strategy.ec.europa.eu/en/library/cybersecurity-5g-networks-eu-toolbox-risk-mitigating-
measures
