II. Format and Procedures


1. For every breach of security or loss of integrity that is subject to notification under the provisions of Section I, undertakings are required to submit the following to ICP-ANACOM:

a) an initial notification, pursuant to paragraphs 4 and 5 of the present Section II;

b) a final notification, pursuant to paragraphs 8 and 9 of the present Section II; and

c) whenever required, in accordance with the provisions of paragraph 6 of the present Section II, notice of the cessation of the breach of security or loss of integrity with significant impact, in accordance with paragraphs 6 and 7 of the present Section II.

2. In the circumstance detailed in point c) of paragraph 3 of Section I, undertakings are only required to submit a final notification to ICP-ANACOM, pursuant to paragraphs 8 and 9 of this Section II, mutatis mutandis.

3. In the circumstance referred to in point g) of paragraph 3 of Section I, a single series of notifications may be submitted to ICP-ANACOM, pursuant to paragraph 1 of this Section II, provided that said notifications:

a) cover the entire impact of the security breach or loss of integrity; and

b) are submitted on behalf of all the undertakings.

4. The initial notification is to be sent at the earliest opportunity and when the company is able to conclude that there is or will be significant impact, up to one hour after ascertaining the circumstance detailed in Section I that, in each specific case, determines the obligation of notification. Notwithstanding compliance with this deadline, the undertaking is required to give priority to the mitigation and resolution of the breach of security or loss of integrity.

5. The notification referred to in the preceding paragraph is to include the following information:

a) Name, telephone number and email address of a representative of the undertaking for the purpose of any contact by ICP-ANACOM;

b) Date and time that the breach of security or loss of integrity took on significant impact or, where this cannot be determined, the date and time of its detection;

c) Date and time that the breach of security or loss of integrity ceased to have significant impact or, where impact persists, the date and time that it is estimated that significant impact will cease;

d) Brief description of the security breach or loss of integrity, including an indication of the category of the root cause and, as far as possible, the details;

e) Possible estimate of its impact in terms of:

i) networks and services affected;

ii) access to emergency services;

iii) number of subscribers or accesses affected;

iv) geographical area affected, in km²; and

f) Observations.

6. After the breach of security or loss of integrity ceases to have significant impact, and whenever it has not already been reported in the initial notification, undertakings are required to submit to ICP-ANACOM, at the earliest opportunity and within a maximum period of two hours after such impact ceases, notice that the breach of security or loss of integrity with significant impact has been resolved.

7. The notification referred to in the preceding paragraph must, as far as possible, include the following information:

a) An update to the information provided in the initial notification; and

b) A brief description of actions taken to resolve the breach of security or loss of integrity.

8. The final notification is to be sent within a period of twenty working days from the time that the breach of security or loss of integrity ceases to have significant impact.

9. The notification referred to in the preceding paragraph must include the following information:

a) Date and time that the breach of security or loss of integrity took on significant impact or, where this cannot be determined, its detection;

b) Date and time that the breach of security or loss of integrity ceased to have significant impact;

c) Date and time that the security breach or loss of integrity commenced, or where this is not possible to determine, the date and time of its detection and date and time of cessation, where different from the dates and hours reported, respectively, in accordance with points a) and b);

d) Impact of the breach of security or loss of integrity in terms of:

i) Networks (including national and international interconnections) and respective infrastructure (including systems) and affected services;

ii) Access to emergency services using 112 (single European emergency number) (including access using the national emergency number 115); 

iii) Number of affected subscribers or accesses by network or service;

iv) Percentage of affected subscribers or accesses as proportion of total subscribers or accesses by network or service access; and

v) Geographical area affected, in km²;

e) Description of the security breach or loss of integrity, including indication of the category of the root cause and detail;

f) Indication of measures taken to mitigate the breach of security or loss of integrity;

g) Indication of measures adopted to resolve the breach of security or loss of integrity, including, in the event of breaches of security or loss of integrity with partial restoration, the chronology and detail of the stages of restoration;

h) Indication of the measures taken and/or planned to prevent or minimize the occurrence of similar security breaches or losses of integrity in the future (in terms of planning and/or operations, of contingency planning, of interconnection agreements, of service level agreements and other relevant areas) and the date on which they took or will take effect;

i) When appropriate, the information made available to the public regarding the breach of security or loss of integrity, including any updates to this information, and the date and time of such disclosure;

j) Other relevant information; and

k) Observations.

10. For the purposes of paragraphs 5, 7 and 9 of this Section II, the root causes of breaches of security or loss of integrity can have the following categories:

a) Accident/natural disaster;

b) Human error;

c) Malicious attack;

d) Hardware/software failure; or

e) Failure by an external party to supply goods or services.

11. Wherever possible, the information included in the notifications set out in the present Section II on the number of subscribers or accesses is to follow the definitions set out in the framework of obligations governing the periodic submission of information to ICP-ANACOM.

12. The notifications set out in the present Section II are to be performed using the following means:

a) as regards initial notifications and notifications of cessation of breaches of security or losses of integrity with significant impact, by email to notifica@anacom.pt and by telephone 214340899; and

b) as regards the final notification, by delivery in person or by registered mail.

13. Companies whose networks or services have their functioning impacted by such breaches of security or losses of integrity are to cooperate among themselves to ensure the proper detection of any breach of security or loss of integrity and to undertake assessment of its impact, and in the case referred to in point g) of paragraph 3 of Section I, for the respective notification.

14. With a view to the proper performance of the provisions of the present Annex A, it is incumbent upon the undertakings to deploy all the resources and procedures as are necessary to detect and evaluate security breaches or losses of integrity covered by the circumstances set out in Section I, assess their respective impact and undertake notification.