
Cybersecurity for telecom operators: NIS2 and CNMC in Spain 2026

Telecom cybersecurity: NIS2 for electronic communications operators, CNMC, RGT, 5G threats, SS7/Diameter, BGP hijacks and a compliance roadmap.

Secra · June 8, 2026 · 14 min read

The Spanish telecom sector sustains the connectivity on which the rest of the digital economy depends. Operators such as Movistar, Vodafone, Orange and MásMóvil control virtually all the fixed and mobile access infrastructure, while an increasingly broad ecosystem of mobile virtual network operators including Digi, Finetwork, Pepephone and Lowi competes in the retail market on top of the wholesale capacity of those incumbents. Alongside them coexist data centre operators, top level domain registries, DNS providers, fibre carriers and submarine cable operators. NIS2 treats this set as essential digital infrastructure and applies a reinforced regime of obligations to it.

This article describes how the telecom sector fits within the NIS2 framework, which Spanish rules overlap with the European directive, which threats specifically affect mobile and transport networks, what the priority technical controls are, and how to build a compliance programme defensible before the CNMC and the competent cybersecurity authority.

The essentials. Public electronic communications network operators are NIS2 essential entities, as are DNS providers, TLD registries, data centre operators and relevant cloud services. The framework is completed by the General Telecommunications Act, the General Telecommunications Regulation, CNMC supervision, ENISA guidance and the EU 5G Toolbox for supplier risk. Critical threats combine SS7 and Diameter signalling abuse, BGP hijacks, defective 5G slice isolation, lawful interception governance and supply chain scrutiny over vendors such as Huawei or ZTE. The compliance plan must articulate signalling firewalls, backbone DDoS protection, RPKI on BGP, zero trust across the infrastructure and a continuous supplier evaluation process.

The telecom operator as a NIS2 essential entity

NIS2 places telecommunications within the digital infrastructure block, a broad category grouping actors that share a common trait: when they fail, everything else fails too. The directive considers as an essential entity the provider of public electronic communications networks and the provider of publicly available electronic communications services. This covers both the backbone operator with its own network and the retail reseller offering a service identifiable to the end user.

Alongside the classic operator, the digital infrastructure recognised by NIS2 includes DNS service providers, top level domain name registries, cloud service providers, data centre operators, content delivery networks and trust service providers. A significant share of Spanish telecom operators performs several of these activities at once, either directly or through specialised subsidiaries, so the real perimeter of obligations tends to be wider than the basic connectivity business alone.

Mobile virtual network operators deserve specific attention. Even if they do not operate their own radio, they provide a public electronic communications service identifiable to the user and, depending on size and share, they fall squarely within NIS2 scope. The discussion of whether a small MVNO sits under essential or important entity status is resolved by applying the thresholds set in the national transposition, and reasonable doubt is cleared through a specific analysis that considers customers, revenue and dependency on the host operator.

Multi-layered Spanish regulatory framework

The Spanish telecom operator works under several overlapping regulatory layers that do not replace one another. NIS2 sets the common European baseline for cybersecurity risk management and incident notification. Law 11/2022, the General Telecommunications Act, develops at national level the general obligations of the sector, including the security and integrity of networks and services. Royal Decree 726/2011, known as the General Telecommunications Regulation, and derived rules concretise technical requirements and procedures for deployment and operation.

The Comisión Nacional de los Mercados y la Competencia, the CNMC, acts as sector regulator and supervisor of specific obligations, including those related to network security. The Secretariat of State for Telecommunications and Digital Infrastructure retains powers of inspection and authorisation. When the operator provides services to the public sector or has relevant public participation, the National Security Framework (ENS) also applies, adding requirements on categorisation and external audit.

At the European level, ENISA publishes technical guidance that has become a mandatory reference for the sector, especially its guides on 5G network security, supplier risk management and incident notification. The EU 5G Toolbox, adopted by the NIS Cooperation Group, offers a common catalogue of strategic and technical measures to mitigate the risks of fifth generation networks, including explicit measures for vendors considered high risk.

Finally, the lawful interception obligations contained in the General Telecommunications Act and in the Regulation on the conditions for providing electronic communications services form an additional layer. Although their purpose differs from that of NIS2, their governance is part of the global security programme because interception systems are by definition high value targets.

Telco specific threats

The telecom operator faces a threat catalogue combining classic vectors with new realities derived from 5G, cloud and supply chain geopolitics.

SS7 and Diameter signalling abuse. The legacy protocols that sustain interconnection between mobile operators were designed in an era when trust between networks was reasonable, and they have aged poorly. Exploiting SS7 allows, with sufficient access, intercepting SMS messages, locating subscribers, redirecting calls or facilitating number portability fraud. Diameter, the successor used in LTE and as a control layer in non-standalone 5G, inherits part of the same trust philosophy and requires specialised firewalls to filter anomalous messages at the edge of the signalling network.

BGP hijacks. The protocol that sustains routing between autonomous systems on the internet allows prefix announcements without native cryptographic authentication. Documented episodes of incorrect, accidental or malicious announcements have diverted traffic from sensitive services through third party networks for limited periods. Adopting RPKI, so that prefix holders publish signed statements of their legitimate origin ASes, and applying route origin validation (ROV) at the edge reduces the risk, but global coverage remains incomplete.

5G slice isolation. The 5G architecture allows defining virtual networks with specific characteristics over the same physical infrastructure, but slice isolation depends on implementation. A weak configuration may allow a less critical slice to become a vector to reach another of higher sensitivity, especially when they share network functions in the core or compute resources at the edge.

Lawful interception governance. Systems that enable compliance with judicial interception orders are a natural target of advanced actors. Any compromise of the interception chain has implications well beyond operational impact and demands particularly strict controls on access, logging and audit.

Supply chain and geopolitical risk. The European public debate on the presence of vendors such as Huawei or ZTE in 5G networks reflects a tangible concern about the risk associated with network components in critical infrastructure. The EU 5G Toolbox addresses this by defining the concept of high risk vendor and guiding decisions on replacement or restriction in sensitive parts of the network.

Historical cases and lessons

The telecom sector accumulates public incidents that frame the risk without resorting to speculation.

The 2022 Twilio breach. The company suffered an intrusion that compromised employee accounts through social engineering aimed at its authentication gateway. The incident had a cascading effect on customers that used the platform to send SMS and authentication codes, including encrypted messaging services and financial entities. The case illustrates how an intermediate communications provider can turn into a single point of failure for very diverse third parties.

Recurring incidents at T-Mobile. The American operator has made public several breaches in recent years, with large scale exposure of customer data. Although the particularities of the United States market do not translate directly to the European one, the reading on the difficulty of protecting massive commercial databases is universal.

Notable BGP hijacks. Public episodes in which prefixes belonging to financial networks, cloud services or DNS providers were announced from autonomous systems without legitimacy have demonstrated for years the real risk of global routing manipulation. The collective response of the sector has been to accelerate the adoption of RPKI and to promote route validation practices among transit providers.

SS7 fraud against banking. The interception of authentication SMS via SS7 has been used in banking fraud operations documented in Europe. Although the response of the financial sector has been to migrate second factors towards less vulnerable mechanisms, the case remains an obligatory reference when justifying investment in signalling filtering.

5G specifics

The 5G rollout introduces challenges that the telecom operator must address specifically.

Network slicing isolation. The 5G promise of offering specialised virtual networks rests on effective isolation between slices. The operator must define and test policies that prevent traffic leakage, cross access to network functions and abusive consumption of resources. The isolation design must be documented and reviewed every time the compute topology is modified or a new slice is incorporated.
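The review the paragraph calls for can be expressed as a policy check over the declared topology, so that every change to the compute layout or every new slice is validated the same way. The following is an added example, not code from the article or from any operator or vendor: the NF type names are the standard 5G core ones, but the three-tier model, the list of NF types that may be shared across tiers and the sample topology are constructed assumptions for illustration.

```python
"""Policy check for 5G slice isolation over a declared topology.

Added example, not the article's code. The NF types are the standard 5G core
names; the tier model, the list of NF types that may be shared across tiers
and the sample topology are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed policy: control-plane functions that may serve several tiers;
# session and user-plane functions must be dedicated per tier.
SHAREABLE_NF_TYPES = {"AMF", "NRF", "NSSF"}


@dataclass(frozen=True)
class NetworkFunction:
    name: str
    nf_type: str   # AMF, SMF, UPF, ...
    host: str      # compute node: core site or MEC node


@dataclass(frozen=True)
class Slice:
    name: str
    tier: str          # "public", "enterprise" or "critical"
    functions: tuple   # NF instance names used by the slice


def check_isolation(nfs: Dict[str, NetworkFunction], slices: List[Slice]) -> List[str]:
    """Return human-readable policy violations (empty list when compliant)."""
    violations: List[str] = []
    users: Dict[str, List[Slice]] = {}
    for s in slices:
        for nf_name in s.functions:
            if nf_name not in nfs:
                violations.append(f"{s.name}: references unknown NF {nf_name}")
                continue
            users.setdefault(nf_name, []).append(s)

    # Rule 1: an NF instance used by slices of different tiers must be of a shareable type.
    for nf_name, using in users.items():
        tiers = sorted({s.tier for s in using})
        if len(tiers) > 1 and nfs[nf_name].nf_type not in SHAREABLE_NF_TYPES:
            violations.append(f"NF {nf_name} ({nfs[nf_name].nf_type}) shared across tiers {tiers}")

    # Rule 2: a compute host running dedicated (non-shareable) NFs for a critical
    # slice must not also run dedicated NFs of a lower tier.
    host_tiers: Dict[str, Set[str]] = {}
    for nf_name, using in users.items():
        if nfs[nf_name].nf_type in SHAREABLE_NF_TYPES:
            continue
        for s in using:
            host_tiers.setdefault(nfs[nf_name].host, set()).add(s.tier)
    for host, tiers in host_tiers.items():
        if "critical" in tiers and len(tiers) > 1:
            violations.append(f"host {host} mixes critical with {sorted(tiers - {'critical'})}")
    return violations


# Constructed sample topology: one shared AMF, per-slice SMF/UPF instances.
SAMPLE_NFS = {nf.name: nf for nf in [
    NetworkFunction("amf-1", "AMF", "core-a"),
    NetworkFunction("smf-pub", "SMF", "core-a"),
    NetworkFunction("upf-pub", "UPF", "mec-1"),
    NetworkFunction("smf-crit", "SMF", "core-b"),
    NetworkFunction("upf-crit", "UPF", "mec-1"),
    NetworkFunction("upf-ent", "UPF", "mec-2"),
]}

SAMPLE_SLICES = [
    Slice("embb-public", "public", ("amf-1", "smf-pub", "upf-pub")),
    Slice("urllc-critical", "critical", ("amf-1", "smf-crit", "upf-crit")),
    Slice("enterprise-private", "enterprise", ("amf-1", "smf-pub", "upf-ent")),
]

if __name__ == "__main__":
    for v in check_isolation(SAMPLE_NFS, SAMPLE_SLICES) or ["no violations"]:
        print(v)
```

On the sample topology the check reports two findings: the SMF instance shared between the public and enterprise slices, and the MEC node that hosts both a public UPF and the critical slice's UPF. Running it from the change pipeline whenever the topology file is modified gives the documented, repeatable review the section asks for.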

Multi-access Edge Computing security. Bringing compute closer to the edge enables low latencies and industrial use cases, but it also decentralises the security model. MEC nodes host network functions, customer applications and, in some cases, third party code. The operator must define a clear trust model for the edge and apply hardening, monitoring and response controls equivalent to those of the core.

Massive IoT scale. 5G is designed to support device densities that far exceed what previous generations could handle. Managing identities, authentication and anomalous behaviour of millions of terminals demands specific platforms and the ability to automatically isolate compromised device fleets.

Private 5G for the enterprise. Increasingly, industrial organisations are deploying private 5G networks, either in cooperation with operators or as their own infrastructure under local licence. This model brings the operator into OT environments with dynamics that differ from residential consumption and requires security profiles adapted to plant reality.

Priority technical controls

The telecom operator that wants to consolidate a defensive posture aligned with NIS2 concentrates investment in controls whose effectiveness the sector has validated.

SS7 and Diameter signalling firewall. A specialised platform at the edge of the signalling network filters anomalous messages, applies rate policies, validates identifier consistency and detects patterns associated with fraud or reconnaissance. The choice of vendor depends on operator size, topology and integration with existing intelligence systems, and must be accompanied by operating processes that genuinely exploit the telemetry generated.
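To make concrete what "filters anomalous messages, applies rate policies and validates identifier consistency" means at the interconnect edge (the threat described under SS7 and Diameter signalling abuse above, and the control described here), the following is an added toy example; it is not the article's code nor any vendor's product. The category lists are illustrative and only loosely follow the GSMA FS.11 idea of classifying MAP operations by whether they may legitimately arrive from interconnect; the PLMN code, global titles, IMSIs and partner list are constructed test data.

```python
"""Toy SS7/MAP signalling firewall for the interconnect edge.

Added example, not the article's or any vendor's code. Category lists are
illustrative (loosely after the GSMA FS.11 approach, not its full table); the
PLMN code, global titles, IMSIs and partner list are constructed test data.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

HOME_PLMN = "21499"                      # constructed MCC+MNC of the home network
ROAMING_PARTNER_CC = {"33", "44", "49"}  # constructed E.164 country codes with roaming agreements

# Illustrative classification (assumption): category 1 operations are never
# legitimately received from interconnect; category 2 operations are expected
# only for home subscribers roaming in a partner network; everything else is
# passed on to rate control.
CATEGORY_1 = {"anyTimeInterrogation", "provideSubscriberInfo", "sendIMSI"}
CATEGORY_2 = {"updateLocation", "insertSubscriberData", "sendAuthenticationInfo"}


@dataclass(frozen=True)
class MapMessage:
    opcode: str       # MAP operation name
    calling_gt: str   # E.164 global title of the sending node
    imsi: str         # subscriber the message refers to
    ts: float         # arrival time, seconds


def gt_country_code(gt: str) -> str:
    """Simplification: treat the first two digits of the global title as the country code."""
    return gt[:2]


@dataclass
class SignallingFirewall:
    rate_limit: int = 5        # messages per calling GT per window
    window_s: float = 60.0
    _seen: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def _rate_exceeded(self, gt: str, ts: float) -> bool:
        """Sliding-window count per calling GT."""
        q = self._seen[gt]
        while q and ts - q[0] > self.window_s:
            q.popleft()
        q.append(ts)
        return len(q) > self.rate_limit

    def decide(self, m: MapMessage) -> Tuple[str, str]:
        """Return (verdict, reason) where verdict is 'allow' or 'drop'."""
        if m.opcode in CATEGORY_1:
            return "drop", "category-1"
        if not m.imsi.startswith(HOME_PLMN):
            # Identifier consistency: interconnect traffic must concern our own subscribers.
            return "drop", "foreign-imsi"
        if m.opcode in CATEGORY_2 and gt_country_code(m.calling_gt) not in ROAMING_PARTNER_CC:
            return "drop", "no-roaming-agreement"
        if self._rate_exceeded(m.calling_gt, m.ts):
            return "drop", "rate-limit"
        return "allow", "ok"


def run(fw: SignallingFirewall, messages: List[MapMessage]) -> List[Tuple[str, str, str]]:
    return [(m.opcode, *fw.decide(m)) for m in messages]


def summarise(results) -> Dict[str, int]:
    """Count per reason: the telemetry the operating process should be reviewing."""
    return dict(Counter(reason for _, _, reason in results))


# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    MapMessage("updateLocation", "33600000001", "214990000000001", 0.0),        # partner network, home IMSI
    MapMessage("anyTimeInterrogation", "33600000001", "214990000000001", 1.0),  # category 1
    MapMessage("sendRoutingInfoForSM", "44700000002", "214990000000002", 2.0),
    MapMessage("updateLocation", "99100000003", "214990000000002", 3.0),        # no agreement with CC 99
    MapMessage("sendRoutingInfoForSM", "44700000002", "999010000000003", 4.0),  # IMSI not ours
] + [
    # burst of six routing queries from one GT inside a single window
    MapMessage("sendRoutingInfoForSM", "49100000004", "214990000000004", 10.0 + i) for i in range(6)
]

if __name__ == "__main__":
    for opcode, verdict, reason in run(SignallingFirewall(), SAMPLE_TRAFFIC):
        print(f"{verdict:5} {reason:20} {opcode}")
```

The point of `summarise` is the last sentence of the paragraph above: a firewall that drops messages silently is only half a control, and the reason counts per calling GT are what the fraud and security teams should be feeding into their intelligence systems.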

Backbone DDoS protection. Transit networks receive both attacks targeted at hosted customers and attacks that use the network as a vector. Distributed mitigation capacity, with scrubbing at several points and coordination with upstream transit providers, is a basic requirement for any operator of meaningful scale.

RPKI on BGP. Publishing signed route origin authorisations (ROAs) under RPKI and applying origin validation at the edge significantly reduce the risk of accepting illegitimate announcements. Each operator should both sign its own prefixes and apply ROV on its sessions with peers and customers, in line with MANRS recommendations and European guidance.
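The validation logic behind ROV, for the hijack risk described under BGP hijacks above and the control described here, is small enough to show in full. The following is an added example in the style of RFC 6811, not code from the article or from any router vendor; the ROAs and announcements are constructed test data using documentation prefixes and documentation ASNs, not real routing state.

```python
"""Simplified RPKI route origin validation (ROV) in the style of RFC 6811.

Added example, not code from the original article. The ROAs and
announcements are constructed test data using documentation prefixes
(RFC 5737, RFC 3849) and documentation ASNs (RFC 5398).
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: a prefix, its max length and the authorised origin AS."""
    prefix: IPNetwork
    max_length: int
    origin_asn: int

    @staticmethod
    def parse(prefix: str, max_length: int, origin_asn: int) -> "ROA":
        net = ip_network(prefix)
        if max_length < net.prefixlen:
            raise ValueError("max_length must not be shorter than the ROA prefix")
        return ROA(net, max_length, origin_asn)


def covering_roas(roas: Iterable[ROA], route: IPNetwork) -> List[ROA]:
    """ROAs whose prefix contains the announced route (the RFC 6811 'covering' ROAs)."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate_origin(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    valid      at least one covering ROA names this origin AS and the announced
               length does not exceed that ROA's max length
    invalid    covering ROAs exist but none matches (wrong origin or too specific)
    not-found  nothing covers the prefix, e.g. the holder never published a ROA
    """
    route = ip_network(prefix)
    covering = covering_roas(roas, route)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_rov(roas: Iterable[ROA], announcements: Iterable[Tuple[str, int]]):
    """Common ROV policy: drop 'invalid', accept the rest.

    'not-found' routes are accepted because dropping them would cut off every
    prefix whose holder has not yet published a ROA; they are still returned
    with their state so the NOC can follow up with the originating network.
    """
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate_origin(roas, prefix, asn)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped


# Constructed ROAs.
SAMPLE_ROAS = [
    ROA.parse("192.0.2.0/24", 24, 64496),
    ROA.parse("198.51.100.0/24", 26, 64497),
    ROA.parse("2001:db8::/32", 48, 64498),
]

# Constructed announcements as (prefix, origin AS) pairs.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # valid: exact match
    ("192.0.2.0/25", 64496),      # invalid: more specific than max length 24
    ("198.51.100.0/25", 64497),   # valid: /25 is within max length 26
    ("198.51.100.0/24", 64500),   # invalid: unauthorised origin AS
    ("203.0.113.0/24", 64499),    # not-found: no ROA covers it
    ("2001:db8:1::/48", 64498),   # valid: IPv6, within max length 48
]

if __name__ == "__main__":
    ok, bad = apply_rov(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS)
    for entry in ok:
        print("ACCEPT", *entry)
    for entry in bad:
        print("DROP  ", *entry)
```

Two details matter operationally and are visible in the sample data: a max length tighter than the announced prefix makes a more specific announcement invalid even from the legitimate origin, which is why holders should set max length deliberately, and a prefix with no ROA at all is not protected by ROV anywhere, which is why signing one's own prefixes comes first.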

Zero trust across the operator infrastructure. The classic perimeter model does not support the complexity of a modern network distributed across own data centres, edge nodes and hybrid cloud environments. The progressive adoption of zero trust, with continuous verification, strong authentication and identity based segmentation, is a path that most operators have already started.

Supplier governance aligned with the EU 5G Toolbox. The supplier evaluation programme must incorporate technical, contractual and geopolitical risk criteria. Decisions on which parts of the network admit which vendors and under what conditions must be documented, reviewable and traceable to Toolbox guidance and to the competent national authority.

Systematic hardening. Consolidating secure configurations on routers, switches, virtualisation platforms, operating systems and network applications remains the base on which everything else is built. Any serious programme includes periodic review, automated deployment and independent verification.

ENISA and the EU 5G Toolbox in practice

ENISA publishes technical network security guidance that has gained regulatory weight in the sector. Its documents on security measures for operators, on good incident notification practices and, especially, on 5G network security, are a reference to evidence diligence before a supervisory authority.

The EU 5G Toolbox translates community level strategic concerns into concrete measures. It defines the concept of high risk vendor, proposes restrictions applicable to sensitive parts of the network, encourages supplier diversification and emphasises the importance of continuous audit of the supply chain. Spain, like the rest of the member states, has advanced in incorporating these principles through administrative decisions and specific guidance that the operator must follow closely.

The intersection between EU 5G Toolbox and NIS2 is direct: the Toolbox provides the strategic detail that NIS2 compliance needs in the specific area of 5G, particularly with regard to supply chain risks.

Lawful interception, RGT and ANUE

The obligation to cooperate with the judicial authority through lawful interception of traffic is one of the features that distinguishes the telecom sector. The General Telecommunications Regulation develops the technical and operational aspects of these obligations, while the General Telecommunications Act sets the higher framework.

The national authority for the use of law enforcement equipment within the European framework, together with the procedures defined by the Ministry of the Interior, configures the ecosystem the operator must respect when implementing its interception systems. The governance of these systems demands strict separation of roles, auditable logging of every access, dual authorisation controls where applicable and periodic review confirming that technical measures keep pace with changes in the network.

Any deviation in this area carries consequences combining administrative liability, reputational risk and exposure to criminal investigation when illegitimate access is established. For that reason, the lawful interception block is not managed as an isolated technical project, but as a chapter of corporate governance reaching the management body.
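The governance requirements listed above (separation of roles, dual authorisation, auditable logging of every access) can be built into the gateway that fronts the interception platform rather than left to procedure. The following is an added example of that pattern; it is not the article's code nor any real interception system, and the roles, user names and warrant references are constructed test data.

```python
"""Dual authorisation and tamper-evident audit logging for an interception gateway.

Added example illustrating the governance controls described in the section;
not the article's code nor any real system. Roles, users and warrant
references are constructed test data.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    ts: float
    actor: str
    action: str
    target: str
    outcome: str
    prev_hash: str
    entry_hash: str


def _digest(seq, ts, actor, action, target, outcome, prev_hash) -> str:
    payload = json.dumps([seq, ts, actor, action, target, outcome, prev_hash])
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the previous hash, so an edited
    or deleted entry breaks the chain on verification."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, actor: str, action: str, target: str, outcome: str,
               ts: Optional[float] = None) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq, ts = len(self.entries), (time.time() if ts is None else ts)
        entry = AuditEntry(seq, ts, actor, action, target, outcome, prev,
                           _digest(seq, ts, actor, action, target, outcome, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(e.seq, e.ts, e.actor, e.action, e.target, e.outcome, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


class InterceptionGateway:
    """Activating an intercept needs a warrant reference, a request by an
    li-operator and approval by a different person holding li-approver."""

    def __init__(self, roles: Dict[str, Set[str]], log: AuditLog) -> None:
        self.roles, self.log = roles, log
        self.pending: Dict[str, str] = {}   # warrant_ref -> requesting operator
        self.active: Set[str] = set()

    def _has_role(self, actor: str, role: str) -> bool:
        return role in self.roles.get(actor, set())

    def request(self, actor: str, warrant_ref: str, ts: Optional[float] = None) -> bool:
        if not self._has_role(actor, "li-operator"):
            self.log.append(actor, "request", warrant_ref, "denied:role", ts)
            return False
        self.pending[warrant_ref] = actor
        self.log.append(actor, "request", warrant_ref, "pending", ts)
        return True

    def approve(self, actor: str, warrant_ref: str, ts: Optional[float] = None) -> bool:
        requester = self.pending.get(warrant_ref)
        if requester is None:
            outcome = "denied:no-request"
        elif not self._has_role(actor, "li-approver"):
            outcome = "denied:role"
        elif actor == requester:
            outcome = "denied:self-approval"   # dual control: the requester cannot approve
        else:
            outcome = "activated"
            self.active.add(warrant_ref)
            del self.pending[warrant_ref]
        self.log.append(actor, "approve", warrant_ref, outcome, ts)
        return outcome == "activated"


def demo():
    """Constructed scenario; returns the gateway and its log for inspection."""
    log = AuditLog()
    gw = InterceptionGateway({"alice": {"li-operator"}, "bob": {"li-approver"},
                              "carol": {"li-operator", "li-approver"}}, log)
    gw.request("alice", "W-001", ts=1.0)
    gw.approve("alice", "W-001", ts=2.0)   # denied: alice is not an approver
    gw.approve("bob", "W-001", ts=3.0)     # activated by a second person
    gw.request("bob", "W-002", ts=4.0)     # denied: bob is not an operator
    gw.request("carol", "W-003", ts=5.0)
    gw.approve("carol", "W-003", ts=6.0)   # denied: holding both roles does not bypass dual control
    return gw, log
```

Denied attempts are logged with the same care as successful ones, since a pattern of refusals is exactly what the periodic independent audit should be looking at, and `verify()` is what gives that audit confidence that the record it reads has not been altered after the fact.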

Frequently asked questions

Is a small MVNO obliged by NIS2?

It depends on size and type of service. The thresholds set in the national transposition classify the MVNO as essential or important entity according to revenue, customer base and criticality. An MVNO with a reduced customer base may end up as an important entity, while one with a relevant presence in the mass market enters as essential. The specific analysis for each operator is the only serious way to resolve the doubt.

Is 5G more insecure than 4G?

5G offers native improvements in authentication, encryption and subscriber identification compared to 4G, especially in the standalone core version. Its attack surface is different because it incorporates virtualisation, slicing and edge compute, which requires new controls, but it does not make 5G a more insecure technology by definition. The quality of security depends on how each specific network is designed, deployed and operated.

Is RPKI on BGP mandatory in Spain?

There is no explicit general obligation to apply RPKI on all operators, but regulatory and customer pressure has grown steadily. ENISA guidance, MANRS recommendations and the common practice among large European operators turn RPKI into a de facto standard. An operator that has not yet completed its rollout should include it in the immediate plan.

Which signalling firewall vendor should be chosen?

The decision depends on network size, topology, protocols to be protected and integration with the existing operations chain. Specialised vendors offer mature platforms for SS7 and Diameter, while the ecosystem around 5G signalling is still maturing. The choice must rest on real tests with representative traffic and on the vendor's ability to sustain the solution in the medium term, not solely on commercial comparisons.

How is lawful interception managed without turning it into a risk?

Through strict separation of roles, dual authorisation for sensitive accesses, complete logging of every operation, periodic independent audit and continuous review of the technical chain that sustains the system. Governance must reach the management body, not stay within the technical team operating the platform.

How much does it cost a telecom operator to adapt to NIS2?

There is no single reasonable figure because cost depends on the starting point, on the network size and on the previous maturity of the programme. A mid-sized operator with an existing programme can absorb NIS2 compliance with moderate spending growth, concentrated in governance, auditable evidence and reinforcement of specific controls. An operator with low maturity will face a multi-year project with significant investment in architecture, monitoring and training.

Telecom audit with Secra

Secra accompanies telecommunications operators in NIS2 compliance with an approach that combines technical audit over the network infrastructure, NIS2 gap analysis aligned with the General Telecommunications Act and with ENISA and EU 5G Toolbox guidance, signalling and routing risk assessment, and red team exercises adapted to telco environments. Our team connects offensive knowledge with sector operating experience, helping to prioritise investment where it really closes exposure without generating unnecessary friction with network operations.

If your organisation operates a public electronic communications network, manages an edge node, provides wholesale services to MVNOs or is preparing for an audit by the competent authority, let's talk and design together a NIS2 programme that is solid, defensible and proportionate to the reality of the network.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
