New telecom regulatory framework: the French Government specifies the obligations of operators and OTTs

A Decree published on 2 October 2021 marks a new step in the transposition of the European Electronic Communications Code in France. The text specifies the new obligations of operators in terms of notification of security incidents, emergency communications, reporting to the French telecommunications regulatory authority (‘ARCEP’), interoperability and consumer information. We analyse below the impact of this Decree for operators, and in particular for providers of Over-The-Top services for whom the new telecom framework constitutes a regulatory revolution.

What is the status of the transposition of the European Code in France?

On 11 December 2018, the European Union adopted a European Electronic Communications Code (‘EECC’ or ‘European Code’). This European Code brings together in a single text and thoroughly reforms the provisions of four Directives of the 2002 European Telecoms Package. One of its ambitions is to extend the scope of telecom regulation to global providers of so-called Over-The-Top services (e.g. instant messaging or software-to-software VoIP).

EU member states had until 21 December 2020 to transpose the European Code, but national transposition processes have been heavily impacted by the pandemic. To date, eight countries have transposed the text into national law. An acceleration is expected by the end of the year.

In France, the Ordinance No. 2021-650 of 26 May 2021 was the first transposition step of the European Code. It provided that certain provisions would be specified by Decree. It is in this context that Decree No. 2021-1281 published on 2 October 2021 details the obligations of operators.

What is the impact of the Decree for operators?

  • Removal of the ARCEP registration obligation and new cases of information reporting to ARCEP

The Ordinance No. 2021-650 of 26 May 2021 abolished the obligation of prior registration with ARCEP for telecom operators in order to reduce administrative formalities. The Decree removes the references to the declaration in the French Post and Electronic Communications Code (‘PECC’). It clarifies for operators registered under the previous regime that they are no longer obliged to update their registration in the event of a change of situation. Article D. 98-1 III, which established this obligation, is simply deleted.

In addition, the Decree introduces new cases of information reporting to ARCEP and provides for the possibility for the regulator to request information from other companies active in the electronic communications sector or in related sectors.

  • Changes in obligations relating to network and service security

With respect to the security of networks and services, the Decree provides the following clarifications:

  • It provides that operators must inform their subscribers in the event of a particular and significant threat of a security incident and indicate the measures they can take to protect themselves. The final version of the Decree specifies that only the subscribers concerned must receive this information.
  • In addition, it maintains the obligation for operators to notify the Minister of the Interior of any security incident having a significant impact on the operation of its networks or services. The obligation to inform the French National Agency for the Security of Information Systems (‘ANSSI’) seems to be slightly extended through a modification of the terminology.
  • In their security incident management process, operators must integrate the definition introduced in the PECC of the notion of "security of networks and services" as well as the parameters inserted in the regulation to assess the extent of the incident. And therefore, the consequences to be given to it, notably in terms of notifications. These parameters are intentionally aligned with those of the NIS Directive. Indeed, the objective of the European Code was to bring the security incident notification obligations of the telecom sector closer to the obligations applicable to other sectors covered by the NIS Directive.

  • New framework for emergency communications

The Decree transforms the notion of emergency calls into emergency communications so that the latter can encompass all "interpersonal communication services" that can make access to emergency services possible, including in theory those that do not rely on the use of numbers.

However, while the draft text published in January 2020 explicitly opened the door to the possibility of being able to contact emergency services via number-independent interpersonal communication services (software-to-software VoIP, instant messaging or video), these references are not included in the final definition of emergency communications. As for the obligations to route emergency communications, they are placed solely on the providers of number-based interpersonal communications services (‘NB-ICS’), in line with the Ordinance of 26 May 2021. This confirms the philosophy of the new regulation to impose more obligations on actors using numbers than on those who do not use such resources. Number-independent interpersonal communication services therefore seem to escape the new regulatory framework for emergency communications for the time being.

Uncertainties regarding what is covered by emergency communications should be resolved with the forthcoming adoption of an Order setting out the communication services that can be used to reach emergency services.

The Decree also clarifies the obligations to transmit information on the location of the device to the emergency services, and on emergency communications from vehicles (as part of the eCall service developed at the European Union level).

  • New obligation to transmit information of general interest

A new obligation to transmit information of general interest is introduced. The public authorities may therefore ask the operators concerned to send messages to raise users' awareness of illegal activities that may be carried out via the Internet or telephone services. These messages may also concern the means available to users to protect their personal data from malicious acts. An Order has yet to specify the methods of transmitting this information.

This new obligation does not apply to providers of number-independent interpersonal communication services (‘NI-ICS’).

  • Extension of the obligation to communicate alert messages

The obligation to transmit alert messages to the population is extended to NI-ICS (e.g. instant messaging).

An Order is also expected to specify a certain number of points (applicable technical specifications, routing and transmission of messages).

  • Towards an interoperability obligation for global OTT players?

The Decree introduces the possibility for ARCEP to impose interoperability obligations on providers of NI-ICS. If this power were exercised, it would be a real game changer for global OTT players. It could be implemented if ARCEP deemed that interoperability between end-users was compromised due to a lack of interoperability of these services.

  • Regulation of SMP operators

The Decree published on 2 October 2021 adapts the procedures for defining relevant markets, designating operators with significant influence on the relevant markets and determining remedies to the new European framework. For example, the relevant markets are determined for a maximum period of 5 years instead of 3 years.

The text also details the modalities of application of the commitments procedure in terms of co-investment and access to networks or introduces new requirements. For example, it introduces the obligation to provide quality of service levels for any offer published by an operator subject to non-discrimination obligations.

  • Consumer information

The Decree details the information to be provided to consumers prior to the conclusion of a contract for electronic communications services. The content of the information differs according to the category of service provided, hence the importance for each operator to clearly determine the regulatory classification of its various services.

In addition, it specifies the list of information to be provided to disabled persons. This information must be published in a clear, complete, up-to-date, machine-readable and accessible form.

Operators must now update their commercial documentation to take into account these new and extremely precise obligations.

The Decree is available here >

Latest insights

More Insights