Under the terms of and for the purposes set out in paragraph 1 of article 98 of the Código do Procedimento Administrativo (Administrative Proceeding Code), it is announced that, on 4 August 2016, pursuant to the powers and responsibilities set out in point m) of paragraph 1 of article 8 of ANACOM's Statutes (approved by Decree-Law no. 39/2015 of 16 March) and in the pursuit of the regulatory objective set out in point c) of paragraph 1 and point f) of paragraph 4, both of article 5 of Law no 5/2004 of 10 February, in the prevailing wording (Lei das Comunicações Eletrónicas), and under the provisions of articles 54A to 54G of this Law and the provisions of point a) of paragraph 2 of article 9 and point b) of paragraph 1 of article 26, both of ANACOM’s Statutes, the Board of Directors of Autoridade Nacional de Comunicações (ANACOM) has decided to commence a procedure to prepare a regulation on the security and integrity of networks and services.
The object of this regulation shall include:
a) The approval of technical implementing measures in the context of the security and integrity obligations of companies which offer public communications networks or publicly available electronic communications services, pursuant to paragraph 1 of article 54-C of Lei das Comunicações Eletrónicas (Electronic Communications Law);
b) The establishment of additional security and integrity requirements applicable to companies which offer public communications networks or publicly available electronic communications services, under the provisions of article 54-D of Lei das Comunicações Eletrónicas (Electronic Communications Law);
c) The approval of measures which define the circumstances, format and procedures applicable to requirements of reporting security breaches or losses of network integrity, pursuant to paragraph 2 of article 54-C of Lei das Comunicações Eletrónicas (Electronic Communications Law);
d) The determination of the conditions whereby ANACOM considers that there is public interest in public disclosure, by companies which offer public communications networks or publicly available electronic communications services, of security breaches and losses of integrity with significant impact on the operation of networks and services, pursuant to point b) of article 54-E of Lei das Comunicações Eletrónicas (Electronic Communications Law); and
e) An order that companies which offer public communications networks or publicly available electronic communication services carry out audits of the security of their networks and services and submit the respective audit reports, including the establishment of specifications to which the auditors were subject, under the provisions of paragraphs 1 and 2 of article 54-F of Lei das Comunicações Eletrónicas (Electronic Communications Law).
With regard to the points c) and d) above, ANACOM intends to incorporate rules into the regulation reflecting the measures already implemented under ANACOM's decision of 12 December 2013https://www.anacom.pt/render.jsp?contentId=1186180, as amended by ANACOM's decision of 8 January 2014https://www.anacom.pt/render.jsp?contentId=1186986, whose execution is deemed to have been accomplished in an effective manner based on consensus. This will bring together and consolidate a properly articulated set of conditions applicable to the security and integrity of networks and services into a single piece of legislation, enhancing transparency and legal certainty.
Stakeholders may, within 25 working days of this announcement (i.e. no later than 12 September 2016), submit any contributions which they deem should be taken into consideration in the preparation of this Regulation. These should be sent to ANACOM (in writing and in Portuguese) by email to regulamento.seguranca@anacom.ptmailto:regulamento.seguranca@anacom.pt1.
Subsequently, stakeholders will have an opportunity to comment on the draft regulation, which will be submitted to public consultation in accordance with the provisions of article 10 of ANACOM's Statutes, with publication on ANACOM's institutional website (www.anacom.pthttps://www.anacom.pt) and in the 2nd Series of Diário da República (Official Journal).
ANACOM will examine the contributions made by stakeholders and, upon approval of this regulation, will provide a report referencing the contributions received and providing an overall assessment which sets out ANACOM's position and the reasoning which supports the options taken.
1 Each email may contain one or more files as long as the total size of all files does not exceed 10 megabytes and, if necessary, comments may be divided into two or more emails.
Consult:
- Approval to commence procedure to prepare a Regulation on the security and integrity of networks and services https://www.anacom.pt/render.jsp?contentId=1392873
