01
Lawful interception under EECC
Article 40 EECC plus national implementation. Capacity, audit, transparency reports and judicial oversight.
IMPACTLoss of licence in serious breach cases.
SECTOR PRACTICE · TELECOMMUNICATIONS
EU compliance for telecommunications
NIS2, GDPR, ePrivacy for telecom operators, ISPs, and network infrastructure
REGULATIONS.STACK · TELCO● 09
EECCAuthorisation, USO, end-user rights
NIS2Telco as essential entity
EPRIVACYTraffic, location, marketing
GDPRSubscriber data, retention
ROAMINGRoaming pricing and transparency
AI ACTNetwork AI and fraud detection
DSAHosting and intermediary services
CSAMDetection and reporting obligations
BERECNet neutrality and interoperability
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHO WE SERVE
Six telecom profiles, one compliance map.
From national MNOs to MVNOs, ISPs, satellite and number-independent communications. Each profile triggers a different EECC and NIS2 scope.
MNO
Mobile network operators
Spectrum licensing, numbering, lawful interception, BEREC reporting.
EECCNIS2EPRIVACY
MVNO
MVNOs and resellers
Wholesale contracts, switching, end-user rights, billing transparency.
EECCROAMINGGDPR
ISP
Fixed-line and broadband ISPs
Net neutrality, traffic management transparency, USO, complaint handling.
EECCBERECNIS2
OTT / NIICS
Number-independent comms (NIICS)
WhatsApp-style services. ePrivacy and CSAM obligations expanded to NIICS.
EPRIVACYCSAMGDPR
SATELLITE
Satellite and broadcast
Audiovisual media, geo-blocking, content moderation, NIS2 essential entity.
NIS2AVMSDEECC
INFRASTRUCTURE
Tower, data-centre and fibre infrastructure
Co-location, dark fibre, supply-chain assurance, NCCS.
NIS2NCCSGDPR
§ 02 / LANDSCAPE
The telecommunications regulatory clock.
Multiple regimes interlock. We sequence them around your operating cadence.
LIVEEECC
IN FORCE
European Electronic Communications Code
Authorisation, universal service, end-user rights, interoperability, BEREC oversight.
LIVENIS2
IN FORCE
Telco as essential entity
Risk management, 24h/72h reporting, supply-chain assurance, board accountability.
LIVEEPRIVACY
IN FORCE
ePrivacy Directive (current)
Confidentiality of communications, traffic and location data, cookies, unsolicited marketing.
LIVEROAMING
IN FORCE
Roaming Regulation 2022
Roam-Like-At-Home, wholesale caps, quality-of-service transparency to end users.
NEXTEPRIVACY
2026
ePrivacy Regulation (replaces Directive)
Stricter consent for cookies and electronic communications. Extends to NIICS providers.
CRITICALAI ACT
AUG 2026
AI in critical infrastructure
Network optimisation, fraud detection, customer service AI as high-risk where applicable.
CRITICALCSAM
TBD 2026
Child Sexual Abuse Material Regulation
Detection orders, reporting and removal obligations. Significant impact on encrypted services.
PLANNEDDSA
ROLLING
DSA for telco-adjacent services
If you host third-party content or run an online intermediary, DSA Articles 16 and 30 apply.
§ 03 / WHAT TO SOLVE
Where telecom operators get stuck.
02
Traffic and location data retention
ePrivacy Article 5 plus national retention regimes. CJEU has limited bulk retention; targeted retention remains.
IMPACTSix-figure fines from BIPT, AGCOM, AKOS and others.
03
NIICS scope under ePrivacy
WhatsApp-style services pulled into ePrivacy. Encryption versus detection orders an open battleground.
IMPACTService disruption risk for non-EU NIICS providers.
04
Cookie and consent enforcement
Most-fined GDPR area for telcos. Consent management platforms still mis-implementing across the EU.
IMPACTAggregate fines now in tens of millions per operator.
05
NIS2 supply-chain for OEM equipment
Network equipment vendors must be assessed. Some Member States have country-specific bans on high-risk vendors.
IMPACTMandatory swap-out of installed equipment.
06
Net neutrality and traffic management
BEREC zero-rating decisions reshape commercial offers. Transparency reports must be published annually.
IMPACTWithdrawal of commercial bundles after BEREC review.
§ 04 / OFFERING
Our services for telecommunications
TC-01
EECC authorisation and reporting
General and individual authorisation, end-user terms, USO calculation, BEREC annual reports.
DAuthorisationDT&CsDBEREC reports
TC-02
NIS2 readiness for telco
Entity classification, ISMS aligned with ISO 27001 and IEC 62443, incident reporting, supply-chain due diligence.
DGap reportDISMSDIncident SOP
TC-03
ePrivacy and consent programme
Consent management platform, traffic and location data lawful basis, cookie register, marketing automation review.
DCMP auditDCookie registerDMarketing
TC-04
Lawful interception support
Capacity build, judicial oversight, transparency reporting, technical audit support.
DCapacityDTransparencyDAudit
TC-05
GDPR programme for subscribers
Subscriber data minimisation, retention, CDR governance, customer rights workflow, breach response.
DRetentionDRightsDBreach
TC-06
AI Act for network and CX AI
Network optimisation, fraud detection, customer-service AI: conformity, human oversight, post-market monitoring.
DClassificationDAnnex IVDPMM
TC-07
DSA for telco-adjacent services
Notice-and-action, trader verification, statement-of-reasons for online intermediary services run by telcos.
DNA workflowDTrader checksDSoR
TC-08
CSAM detection compliance
Detection orders, reporting flows, age verification, balancing encryption and child protection.
DDetectionDReportingDAge verification
TC-09
Outsourced telco compliance officer
Senior advisor with telco experience, regulator liaison, board reporting, programme stewardship.
DRetainerDBoard memosDRegulator
§ 05 / SELECTED WORK
All case studies →Telecom engagements.
CASE 01Tier-1 MNO
NIS2 + EECC programme rebuild after BIPT review. Closed all open findings in 90 days.
11 → 0
FINDINGS
90
DAYS
Cleared
AUDIT
SCOPENIS2 · EECC · ISO 27001 · Supply-chain
CASE 02Tier-3 MVNO
Cookie and consent rebuild, ePrivacy fine appeal partially successful.
Rebuilt
CMP
−65%
FINE
Restored
TRUST
SCOPEePrivacy · CMP · DPA proceedings
CASE 03Fibre infrastructure
NIS2 readiness across 4 Member States, single-pane-of-glass incident response live.
4
STATES
187
SITES
Met
SLA
SCOPENIS2 · NCCS · OT · Incident response
§ 06 / FREE TOOL
Map your telco stack to the EU rulebook.
Eight questions about your authorisation, network footprint and services. Get an indicative obligations map across EECC, NIS2, ePrivacy, AI Act and DSA.
Run obligations mapper~ 4 MINMAPPER.PREVIEWSTEP 4 / 8
Do you provide number-independent interpersonal communications (NIICS)?
Yes, primary product (messaging, VoIP)A
Yes, as a feature of broader productB
No, only NCS (number-based)C
Not sureD
INDICATIVE → EPRIVACY ART. 4a + CSAM
§ 07 / FAQ
Frequently Asked Questions
01Are we an essential entity under NIS2?+
Telecommunications providers are listed in NIS2 Annex I as essential entities (digital infrastructure sub-sector). Risk management, 24h/72h reporting and board accountability apply regardless of size for this category.
02How does ePrivacy interact with GDPR?+
ePrivacy is lex specialis for electronic communications. It governs traffic and location data, cookies, and unsolicited marketing. GDPR applies in parallel for personal data not specifically covered by ePrivacy.
03What does the ePrivacy Regulation change?+
It replaces the 2002 Directive with a regulation that applies directly in all Member States. Stricter consent for cookies, expanded scope to NIICS providers, and harmonised enforcement. Application targeted for 2026.
04Are NIICS providers like WhatsApp under our regime?+
Yes. The EECC and ePrivacy now cover NIICS. CSAM Regulation extends detection obligations. We help NIICS providers map obligations across the four regimes.
05How do we handle lawful interception requests?+
Article 40 EECC plus national implementation governs lawful interception. We help build the technical and procedural capacity, document judicial oversight, and produce transparency reports.
06Do we need a separate DPO for telco?+
Telcos at scale almost always need a DPO under GDPR Article 37. We provide a senior DPO with telecom-specific experience, named to your national DPA, with retainer-based programme support.
07How does the AI Act affect network and fraud AI?+
Network optimisation, fraud detection and customer-service AI may fall under Annex III high-risk categories. Conformity assessment, human oversight and post-market monitoring obligations apply.
08Can you handle the BEREC annual reporting?+
Yes. We prepare the BEREC reports (transparency, traffic management, end-user rights, USO), coordinate with the national regulator, and align with the BEREC opinion calendar.
§ 08 / RELATED
Related practices.
NIS2 Compliance
Scoping, ISMS, supply-chain and incident reporting for essential entities.
Open practice →Data Protection (DPO)
GDPR and ePrivacy programme for subscriber data, cookies and marketing.
Open practice →Cybersecurity
ISMS, ISO 27001, IEC 62443 and OT security for network infrastructure.
Open practice →09 / GET STARTED
NIS2 and ePrivacy compliance for telecom
Typical outcomes: NIS2 essential entity roadmap, ePrivacy gaps closed, CERT reporting procedures.