4.7.1. Implementation of amendments to the regulatory framework


Amendments to the framework have brought about new realities for the sector as regards the security of communications, such as the establishment of technical and organizational measures, notification of security breaches or loss of integrity with significant impact on the functioning of networks and services, and the performance of security audits. The law also sets out other obligations, including the establishment of contact points, the conduct of exercises, the development of security plans and presentation of annual reports, as well as new subscriber reporting obligations, minimum content to be included in contracts to be signed and access to emergency services.

The new law also establishes a set of standards for the sector on security and emergency issues, covering: critical infrastructure; company measures and procedures on safeguarding reserve capacity for emergency communications of public interest and on network congestion in emergency situations; the response system for information security incidents; and electronic communications resources that are useful for civil protection.

During 2011, ICP-ANACOM took part in various sector events at which the main amendments to the framework as regards communications security were presented and disseminated.

Meanwhile, ICP-ANACOM participated actively in work at European level, supported by the European Network and Information Security Agency (ENISA), to implement the new framework. This work related to article 13-A of the Framework Directive, which sets out the new obligations of operators and providers of electronic communications as regards the security and integrity of networks and services. In parallel, it involved operators and service providers, through awareness-raising workshops, as provided in the strategic actions, and by obtaining their comments on the documents under preparation.

As a result of this work, in late 2011, ENISA published two documents: "Technical Guidelines for Reporting Security Breaches" and "Technical Guidelines for Minimum Security Measures".

Following publication of these documents, two lines of action were developed. The first concerns making undertakings subject to obligations to notify security breaches and losses of integrity with significant impact, and to the public disclosure of such events; the corresponding draft decision was submitted to public consultation towards the end of 2011. The second, related to the technical and organizational measures to be adopted by companies, seeks to conduct an initial assessment of the national situation based on the measures set out in the ENISA document.

Subsequently, it will be important to give substance to the provisions of article 13-B of the Framework Directive, in particular with respect to the performance of audits.

As mentioned above, the European regulatory framework's privacy and personal data protection amendments have yet to be transposed into national legislation. As a result, the launch of the planned impact study in 2011 was delayed, since it was not considered fitting to proceed until after the publication of new legislation; the opportunity was taken instead to carry out preparatory work.