1. Pursuant to article 54-B of Law no. 5/2004 of 10 February, as amended and republished by Law no. 51/2011 of 13 September (hereinafter the "Electronic Communications Law"), undertakings providing public communications networks or publicly available electronic communications services (hereinafter, the "undertakings") are required to notify ICP - Autoridade Nacional de Comunicações (ICP-ANACOM) as to any breach of security or loss of integrity with a significant impact on the functioning of networks or services which they provide.
2. Undertakings are required to provide notification of all breaches of security or losses of integrity as cause a serious disturbance to the functioning of networks and services, with a significant impact on the continuity of this functioning, according to the circumstances and the rules laid down in the following paragraphs.
3. For the purposes of the preceding paragraphs, undertakings are required to notify ICP-ANACOM as to:
|
Duration and |
Number of affected subscribers or accesses (or, pursuant to point e) of paragraph 4 of Section I, geographic area affected) |
|
≥ 30 minutes |
number of affected subscribers or accesses ≥ 500,000 (Or, pursuant to point e) of paragraph 4 of Section I, geographic area affected ≥3.000 km2) |
|
≥ 1 hour |
500,000 > number of affected subscribers or accesses ≥ 100,000 (Or, pursuant to point e) of paragraph 4 of Section I, 3,000 km2 > geographic area affected ≥ 2.000 km2) |
|
≥ 2 hours |
100,000 > number of affected subscribers or accesses ≥ 30,000 (Or, pursuant to point e) of paragraph 4 of Section I, 2,000 km2 > geographic area affected ≥ 1,500 km2) |
|
≥ 4 hours |
30.000 > number of affected subscribers or accesses ≥ 10.000 (Or, pursuant to point e) of paragraph 4 of Section I, 1,500 km2 > geographic area affected ≥ 1,000 km2) |
|
≥ 6 hours |
10.000 > number of affected subscribers or accesses ≥ 5.000 (Or, pursuant to point e) of paragraph 4 of Section I, 1,000 km2 > geographic area affected ≥ 500 km2) |
|
≥ 8 hours |
5.000 > number of affected subscribers or accesses ≥ 1.000 (Or, pursuant to point e) of paragraph 4 of Section I, 500 km2 > geographic area affected ≥ 100 km2) |
a) Any breach of security or loss of integrity whose impact is encompassed by the following criteria:
b) Any breach of security or loss of integrity affecting delivery to Postos de Atendimento de Segurança Pública (Emergency Service Call Centres - 112 emergency calls), directly or indirectly, of calls to the single European emergency number 112, as well as calls to 115 (national emergency number), for a period equal to or exceeding 15 minutes;
c) Any recurrent breach of security or loss of integrity, where the cumulative impact of their occurrences over a four week period is covered by one of the conditions set out in the preceding paragraphs;
d) Any breach of security or loss of integrity which occurs on a date on which the normal and continuous functioning of networks and services is particularly relevant, under the terms of paragraph 5 of this Section I, where the occurrence:
i) has a duration equal to or exceeding one hour; and
ii) affects one thousand or more subscribers or accesses, or, under the terms of point e) of paragraph 4 of this section I, ii) affects a geographical area equal to or exceeding 100 km2;
e) Any breach of security or loss of integrity which impacts the functioning of all networks and services offered by a company in the entire territory of an island of the Autonomous Region of the Azores or of Madeira, where the duration thereof is equal to or exceeds 30 minutes, regardless of the number of subscribers, number of accesses and geographic area affected;
f) Any breach of security or loss of integrity, detected by the undertakings or reported by customers, which impacts the functioning of networks and services through which services with relevance to society and to citizens are provided, by public or private undertakings and at national or regional level, as set out in paragraph 6 of this Section I, where the occurrence is of a duration equal to or exceeding 30 minutes; and
g) Any breach of security or loss of integrity whose cumulative impact on a group of companies which are covered by the conditions laid down in paragraph 2 of article 3 of Law no. 19/2012 of 8 May is covered by the conditions laid down in point a), and, insofar as it refers to the present point, in point c), both of the present paragraph 3.
4. For purposes of the preceding paragraph:
a) The impact of a breach of security or loss of integrity is to be assessed by reference to all the networks and all the services of a company that are affected thereby;
b) The number of subscribers or accesses affected by a breach of security or loss of integrity corresponds to the sum of the number of subscribers or accesses which are so affected and as comprised by the various networks and services;
c) The number of subscribers to a service that is supported by another service will only be taken into account when the support is not affected;
d) The number of subscribers or accesses affected corresponds to the number of subscribers or accesses covered by the breach of security or loss of integrity, or where it is not possible to determine this number, to an estimate based on statistical data held by the undertaking; and
e) The criterion related to the affected geographical area is only to be applied in the event that the criterion on the number of affected subscribers or accesses is inapplicable or, in the specific case and on a reasoned basis, impossible to determine or estimate.
5. For the purposes of point d) of paragraph 3 of the present Section I, notwithstanding the identification of other dates by ANACOM, as duly notified to the undertakings a minimum of five working days in advance, the following dates are deemed relevant:
a) days on which national elections are held (parliamentary, presidential, European or local);
b) days on which national referendums are held;
c) days of national exercises involving electronic communications networks or services, pursuant to point c) of article 54-D of the Electronic Communications Law; and
d) days on which regional elections are held, where security breaches or losses of integrity occur in the region in question.
6. For the purposes of point f) of paragraph 3 of the present Section I, and notwithstanding the possible identification of other bodies by ANACOM, as duly notified to the undertakings a minimum of five working days in advance, SIRESP - Sistema Integrado de Redes de Emergência e Segurança de Portugal (Integrated Security and Emergency Network System) is deemed a relevant body.
