Notice no. 459/2017, published on 10 January



Autoridade Nacional de Comunicações

Notice


(This is not an official translation of the law)

Statement of reasons

Regulation on the security and integrity of electronic communications networks and services

1 - Among amendments introduced in 2009 to the Framework Directive (Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services) by Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009, the introduction of regulatory measures on the security and integrity of networks and services stands out, with the addition of Chapter III-A.

2 - Transposing Directive 2009/140/EC, Law No. 51/2011, of 13 September, in turn amended the Electronic Communications Law (Law No. 5/2004, of 10 February, as it currently stands), introducing regulatory measures on the security and integrity of electronic communications networks and services in the new Chapter V of Title III, where ANACOM is conferred, among others, the following specific powers:

a) To approve technical implementing measures and to set out additional requirements with regard to security and integrity to be met by undertakings providing public communications networks or publicly available electronic communications services, for the purpose of article 54-A and under the terms set out in paragraph 1 of article 54-C and article 54-D of the Electronic Communications Law;

b) To approve measures that define the circumstances, format and procedures that apply to requirements of communication of breaches of security or losses of integrity of networks with a significant impact on the operation of networks and services by undertakings providing public communications networks or publicly available electronic communications services, pursuant to article 54-B and paragraph 2 of article 54-C of the Electronic Communications Law;

c) To determine the conditions under which undertakings providing public communications networks or publicly available electronic communications services are required to inform the public of any breach of security or loss of integrity with a significant impact on the operation of networks and services, pursuant to point b) of article 54-E of the Electronic Communications Law;

d) To determine the obligations to carry out security audits to networks and services and to submit the respective report by undertakings providing public communications networks or publicly available electronic communications services, as well as requirements with which audits and auditing bodies must comply, pursuant to paragraphs 1 and 2 of article 54-F of the Electronic Communications Law.

3 - By determination of ANACOM of 12 December 2013, amended by determination of 8 January 2014, ANACOM implemented the conditions that apply to the obligations for notification and public disclosure of breaches of security or losses of integrity with a significant impact on the operation of networks and services; a reporting centre, operating on a permanent basis to receive notifications, started operations on 12 June 2014.

4 - In the light of the experience gained not only through the activity of the reporting centre, but also via national and international cooperation in this matter, this Authority deems that it is now time to exercise the powers referred to in point 2, through the approval of a regulation on the security and integrity of networks and services.

5 - As regards specifically the obligations for notification and public disclosure, this Authority considers that this regulation should incorporate provisions that reflect measures already implemented under the determination of 12 December 2013, the implementation of which is deemed to have taken place in an effective and consensual manner, without prejudice to some adjustments required on account of the experience gained through the activity of the reporting centre. In this way, and for the sake of transparency and legal certainty, a duly articulated set of conditions applicable in the scope of the security and integrity of networks and services is brought together and consolidated in a single statutory instrument.

6 - In this context, by determination of 4 August 2016, ANACOM approved the launch of the procedure for the drafting of a regulation on the security and integrity of networks and services, as well as the publication of the respective announcement, as provided for in paragraph 1 of article 98 of the Code of Administrative Procedure.

By the expiry of the time limit prescribed, 18 contributions had been received, which were analysed and weighed in the preparation of this draft.

7 - The regulation of obligations of undertakings with regard to the security and integrity of networks and services took into account, on the one hand, the costs incurred by undertakings in order to comply with their obligations and on the other, the benefits arising therefrom, which include not only the protection of interests of citizens and, in particular, of users of networks and services, the support to the continuity of the provision of services that are relevant to society and citizens, the guarantee of the access to emergency services and, in general, the promotion of the development of the internal market via the improvement of the reliability of networks and services, but also those resulting from the prevention of security incidents and from avoiding or minimizing the respective impact.

8 - As such, pursuant to paragraph 1 m) of article 8, paragraph 2 a) of article 9, article 10 and paragraph 1 b) of article 26 of ANACOM’s Statutes, approved by Decree-Law No. 39/2015 of 16 March, and under the terms provided for in paragraph 1 c) and 4 f), both of article 5, articles 54-A, 54-B, 54-C, 54-D, point b) of article 54-E and paragraphs 1 and 2 of article 54-F of the Electronic Communications Law, ANACOM approved, by determination of 29 December 2016, this draft regulation on the security and integrity of networks and services, which, pursuant to article 10 of its Statutes and to articles 98 et seq of the Administrative Procedure Code, and for the purpose of article 8 and, in particular, paragraph 4 of article 54-C of the Electronic Communications Law, is hereby duly submitted to the public consultation procedure, which runs for a period of 30 working days, through publication at ANACOM’s institutional website and in Series II of the Official Gazette.

9 - In this context, stakeholders are requested to submit their contributions, in writing and in Portuguese, preferably by email to the address regulamento.seguranca@anacom.pt.

Once the public consultation is closed, ANACOM will evaluate the contributions presented by stakeholders and, together with the approval of this regulation, will make available a report listing all contributions received, as well as an overall assessment that reflects this Authority's views thereon and the grounds for the options taken.

Draft Regulation on the security and integrity of electronic communications networks and services

Title I
General Provisions

Article 1
Subject-Matter

This regulation lays down:

a) The technical implementing measures and additional requirements with regard to security and integrity to be met by undertakings providing public communications networks or publicly available electronic communications services, for the purpose of article 54-A and pursuant to paragraph 1 of article 54-C and article 54-D of the Electronic Communications Law, under the terms provided for in Title II;

b) The circumstances, format and procedures that apply to requirements of communication of breaches of security or losses of integrity of networks with a significant impact on the operation of networks and services by undertakings providing public communications networks or publicly available electronic communications services, pursuant to article 54-B and paragraph 2 of article 54-C of the Electronic Communications Law, under the terms provided for in Chapter I of Title III;

c) The conditions under which undertakings providing public communications networks or publicly available electronic communications services are required to inform the public of any breach of security or loss of integrity with a significant impact on the operation of networks and services, pursuant to point b) of article 54-E of the Electronic Communications Law, under the terms provided for in Chapter II of Title III;

d) The obligations to carry out security audits to networks and services and to submit the respective report by undertakings providing public communications networks or publicly available electronic communications services, as well as requirements with which audits and auditing bodies must comply, pursuant to paragraphs 1 and 2 of article 54-F of the Electronic Communications Law, under the terms provided for in Title IV.

Article 2
Scope

1 - Undertakings shall ensure that compliance with their obligations with regard to security and integrity of networks and services provided for in the law and in this regulation cover:

a) Normal working conditions;

b) Extraordinary situations, including among others, the following situations:

i) Breach of security or loss of integrity with a significant impact on the operation of networks and services;

ii) Network breakdown, emergency or force majeure, under paragraph 1 of article 49 of the Electronic Communications Law;

iii) Exceptions provided for in points a), b) and c) of paragraph 3 of article 3 of Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access;

iv) Major accident or catastrophe, as well as alert, contingency and disaster situations, under the terms provided for in legal or regulatory provisions applicable to civil protection matters;

v) State of emergency, state of siege or state of war, under the terms provided for in legal or regulatory provisions applicable to civil-emergency planning matters;

vi) Activation of civil protection emergency plans or of civil-emergency planning, under the terms provided for in applicable legal or regulatory provisions;

vii) Serious threats to internal security, including situations of terrorist attacks or of major accidents or catastrophes, under the terms provided for in legal or regulatory provisions applicable to internal security matters.

2 - Undertakings shall comply with their obligations with regard to the security and integrity of networks and services provided for in the law and in this regulation, in order to allow for proper compliance with their other obligations in the scope of the offer of electronic communications networks and services, including:

a) Obligations with regard to the availability of services and of access to emergency services, under the terms provided for in applicable legal or regulatory provisions;

b) Obligations with regard to civil-emergency planning, civil protection emergency plans and internal security, under the terms provided for in applicable legal or regulatory provisions;

c) Where appropriate, obligations resulting from contracts for the provision of the universal service.

3 - Undertakings shall ensure that compliance with their obligations with regard to the security and integrity of networks and services provided for in the law and in this regulation covers all assets owned or managed by them, including equipment located at customer premises, that are required for the use of their networks or services.

Article 3
Definitions

1 - For the purpose of this regulation, the following definitions shall apply:

a) «Threat» shall mean a potential cause for a security incident;

b) «Risk analysis» shall mean the procedure for the analysis of risks to the security and integrity of networks and services to be carried out by undertakings under article 9;

c) «Assets» shall mean the infrastructures, transmission or information systems, equipment and other physical or logical resources that make up or support a public communications network and respective accesses, including interconnections, a publicly available electronic communications service or an associated related service;

d) «Auditing body» shall mean the body responsible for carrying out the security audit to networks and services pursuant to paragraphs 1 and 2 of article 54-F of the Electronic Communications Law, under the terms of article 31;

e) «Audit» shall mean the security audit to networks and services to be carried out by undertakings, pursuant to paragraphs 1 and 2 of article 54-F of the Electronic Communications Law, under the terms provided for in Title IV;

f) «Undertakings» shall mean undertakings providing public communications networks or publicly available electronic communications services, as set out in the Electronic Communications Law;

g) «Security incident» shall mean an event with real negative impact on the operation or on the security or integrity of networks and services, including a breach of security or loss of integrity with impact on the operation of networks and services;

h) «Electronic Communications Law» shall mean Law No. 5/2004, of 10 February, as it currently stands;

i) «Security Officer» shall mean the member of staff of the undertaking in charge of the management of the security and integrity of networks and services and of representing the undertaking in the exercise of the functions conferred upon it under this regulation, under the terms provided for in article 20;

j) «Risk» shall mean the effect of a real or potential and reasonably identifiable event, or sequence of events, that consists of a potential negative impact on the operation or on the security or integrity of networks and services;

k) «Security of networks and services» shall mean the capacity of electronic communications networks and services, including associated related services, to resist, with a given level of reliability, any threat or risk that compromises the availability, the authenticity, the integrity or the confidentiality of stored, transmitted or handled data or of related services that are provided or accessible through those networks or services;

l) «Breach of security or loss of integrity of networks with a significant impact» shall mean the breach of security or loss of integrity of networks with the impact provided for in article 24;

m) «Vulnerability» shall mean the characteristic of an asset or of a measure that may be exploited by one or more threats.

2 - For the purpose of this regulation, all references to the territory of the Autonomous Region of Madeira shall be deemed to be met where the geographic area under consideration covers the territory of the islands of Madeira and of Porto Santo.

Article 4
Cooperation and sharing of information

1 - Undertakings shall cooperate with ANACOM in the scope of the pursuit of their duties and in the exercise of their powers with regard to the security and integrity of networks and services.

2 - Undertakings shall cooperate with each other in the fulfilment of their obligations with regard to the security and integrity of networks and services, including, in particular, in the following situations:

a) Risks, threats or vulnerabilities, either common or of a cascading effect;

b) Dependence or interdependence among networks or services, including, among other cases, the access to and interconnection of networks, co-location of assets and sharing of infrastructure or of other resources;

c) Ordinary supply of goods or services by third parties.

3 - For the purpose of the preceding paragraph, undertakings shall cooperate, as appropriate, by taking joint action, by concluding mutual assistance agreements, by exchanging permanent contact points or by sharing information.

Title II
Obligations of undertakings with regard to security and integrity

Chapter I
General Provisions

Article 5
Obligations of undertakings

1 - Pursuant to article 54-A of the Electronic Communications Law and under the terms of this regulation:

a) Undertakings shall take appropriate technical and organisational measures to appropriately prevent, manage and reduce the risks to the security of networks and services, aiming in particular to prevent or minimise the impact of security incidents on interconnected networks, at national and international level, and on users;

b) Undertakings providing public communications networks shall take the appropriate steps to guarantee the integrity of the respective networks, ensuring the continuity of the supply of services provided over those networks.

2 - Undertakings shall ensure that procedures and technical and organisational measures adopted to comply with the law and with this regulation:

a) Are in accordance with European Commission decisions adopted under the procedure provided for in article 13-A of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services, as it currently stands;

b) Are based, in the absence of decisions provided for in the preceding point, on European and international standards, specifications and recommendations with regard to this matter;

c) Take into consideration technical documents published by the European Union Agency for Network and Information Security (ENISA), as outcome of work developed at the level of the application of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services, as it currently stands.

3 - For the purpose of points b) and c) of the preceding paragraph, ANACOM shall publish at its institutional website:

a) A list of European and international standards, specifications and recommendations with regard to this matter;

b) A list of technical documents published by the European Union Agency for Network and Information Security (ENISA).

Article 6
Technical implementing measures and additional requirements

1 - Without prejudice to article 5 and for the purpose of paragraph 1 of article 54-C and article 54-D of the Electronic Communications Law, undertakings shall adopt the following technical implementing measures and additional requirements:

a) To classify assets and to draw up an Asset Inventory, under the terms respectively of article 7 and article 8;

b) To ensure that Risk Analyses are carried out and to adopt the appropriate technical and organisational measures, under the terms of article 9, which shall include, in any event, and at least, the following measures and requirements:

i) Redundancy, soundness and resilience measures, under the terms of article 10;

ii) Control procedures for exceptional Internet access traffic management, under the terms of article 11;

iii) Change management procedures, under the terms of article 12;

iv) Access control system, under the terms of article 13;

v) Monitoring and control system, under the terms of article 14;

vi) Preparation and implementation of an annual exercise programme, under the terms of article 15;

c) To provide customers with information, under the terms of article 16;

d) To draw up and submit to ANACOM:

i) A General Security Characterisation, under the terms of article 17;

ii) A Security Plan, under the terms of article 18;

iii) An Annual Security Report, under the terms of article 19;

e) To provide itself with the appropriate structure and resources for compliance with its obligations with regard to security and integrity of networks and services, including:

i) The appointment of a Security Officer, under the terms of article 20;

ii) The appointment of a Permanent Contact Point, under the terms of article 21;

iii) The access to a Security Incident Response Team, under the terms of article 22;

f) To compile and update a Security File, under the terms of article 23.

2 - For the purpose of point b) of the preceding paragraph, measures to be adopted under articles 10 to 15 shall be reinforced by undertakings whenever required and to a degree that meets results of Risk Analyses conducted.

3 - For the purpose of paragraph 1 e), undertakings shall establish and maintain an appropriate structure of security functions and responsibilities, and ensure that they are provided with the necessary technical capacity, namely at the level provided for human resources, assets and third-party supplies, in order to ensure compliance with their obligations with regard to the security and integrity of networks and services, under the terms of the law and this regulation.

Chapter II
Technical implementing measures and additional requirements

Article 7
Classification of assets

1 - Undertakings shall classify their assets as class A to D, under the terms provided for herein.

2 - An asset shall be classified as class A where, as a result of an interruption or serious disruption of operation, the number of affected subscribers or accesses may be equal to 500,000 or over, or the affected geographic area may be equal to 3,000 km2 or over, or may cover the whole of the territory of the Autonomous Region of Azores or of the Autonomous Region of Madeira.

3 - The following assets shall also be classified as class A:

a) The main management and operation centre of an undertaking that, in the set of its offers, has a total number of subscribers or of accesses equal to 500,000 or over;

b) The main management and operation centre of an undertaking that includes at least an asset classified as class A;

c) Assets on which depends the offer of networks and services through which the continuity of the provision of services provided for in paragraph 3 f) of article 24 is ensured;

d) Assets that ensure international interconnection, interconnection between the Autonomous Regions or interconnection between the Mainland and an Autonomous Region, including submarine cable stations, satellite stations or cross-border land system;

e) Assets that ensure interconnection between networks over which, as a whole, offers aimed at a total number of subscribers or of accesses equal to 500,000, or over, are provided.

4 - An asset shall be classified as class B where, as a result of an interruption or serious disruption of operation, the number of affected subscribers or accesses may be lower than 500,000 and equal to 100,000 or over, or the affected geographic area may be lower than 3,000 km2, and equal to 2,000 km2 or over, or may cover the whole of the territory of an island of the Autonomous Region of Azores or of the Autonomous Region of Madeira, save where, under the terms provided for in preceding paragraphs, it is classified as class A.

5 - The following assets shall also be classified as class B, where they are not classified as Class A:

a) The main management and operation centre of an undertaking that, in the set of its offers, has a total number of subscribers or of accesses lower than 500,000 and equal to 100,000 or over;

b) The main management and operation centre of an undertaking that includes at least an asset classified as class B;

c) Assets that ensure inter-island interconnection in the Autonomous Regions of the Azores or Madeira, including submarine cable stations and satellite stations;

d) Assets that ensure interconnection between networks over which, as a whole, offers aimed at a total number of subscribers or of accesses lower than 500,000 and equal to 100,000 or over, are provided.

6 - An asset shall be classified as class C where, as a result of an interruption or serious disruption of operation, the number of affected subscribers or accesses may be lower than 100,000 and equal to 10,000 or over, or the affected geographic area could be lower than 2,000 km2, and equal to 1,000 km2 or over, save where, under the terms provided for in preceding paragraphs, it is classified as class A or class B.

7 - An asset shall be classified as class D where it is not classified in any of classes A, B or C.

8 - Undertakings shall also classify assets identified in the scope of civil-emergency planning or of a civil protection emergency plan that are indicated by ANACOM through notification to the undertaking, which shall include:

a) Identification of the asset;

b) Class in which the asset is to be classified.

Article 8
Asset Inventory

1 - Undertakings shall draw up and keep up to date an Asset Inventory, signed by the Security Officer, which shall include:

a) Assets classified as classes A, B or C;

b) Critical assets for the continuity of the operation of their networks and services.

2 - The following information shall be provided for each item of the Asset Inventory:

a) Unique identifier;

b) Designation;

c) Characterization in terms of:

i) Functionalities and services supported;

ii) Indication of the class in which it was classified, under article 7, and description of the potential impact of an interruption or serious disruption of its operation;

iii) Security measures, controls and records adopted;

iv) Critical third-party supplies for its operation, including managing, operational, security and power services;

v) Autonomy in case of power failure;

vi) Geographical location and identification of owners or managers of locations;

vii) In the case of interconnection, indication of the type (international interconnection, interconnection between Autonomous Regions, interconnection between the Mainland and the Autonomous Regions or inter-island interconnection) and identification of interconnected undertakings;

d) Record of security incidents that have occurred;

e) Record of changes made, including results of integration and system tests that are performed and plans for restoration of assets, under the terms provided for in article 12;

f) Reference to the most recent Risk Analysis.

3 - Undertakings shall draw up the Asset Inventory within 60 days from the start date of operations.

4 - Undertakings shall notify ANACOM of a summary of the Asset Inventory that includes a list of items with information in points a) and b) and sub-points ii) and vi) of point c) of paragraph 2:

a) In its initial version, by the deadline provided for in the preceding paragraph;

b) In an up-to-date version, together with the Annual Security Report.

Article 9
Risk management

1 - Undertakings shall undertake a Risk Analysis:

a) Of a global scope, with regard to assets classified or classifiable as classes A, B or C, or assets that are critical for the continuity of operation of their networks and services:

i) At least once every year;

ii) Upon notification by ANACOM of an emerging risk, threat or vulnerability that implies a high probability of a breach of security or loss of integrity of networks with a significant impact, within the deadline set for the purpose by ANACOM, should the Authority so choose;

b) Of a partial scope:

i) After each notification of customer identification, pursuant to paragraph 6 of article 24, as regards assets on which depends the offer of networks and services through which the continuity of the provision of the respective relevant services is ensured;

ii) After each notification of asset identification, pursuant to paragraph 8 of article 7, as regards assets themselves;

iii) During the planning and preparation for the introduction of a change to an asset or assets included in the Asset Inventory, as regards the asset(s) involved;

iv) After a breach of security or loss of integrity with a significant impact, or another extraordinary situation, has occurred, as regards affected assets listed in the Asset Inventory.

2 - Undertakings shall document the preparation, execution and presentation of results of the Risk Analysis.

3 - Undertakings shall guarantee that the Risk Analysis covers, for each asset:

a) The identification of threats, internal or external, intentional or non-intentional, including:

i) Accidents or natural disasters;

ii) Human error;

iii) Malicious attacks;

iv) Hardware or software failures;

v) Failures in the supply of goods or services by an external body;

b) Characterization of the impact and probability of occurrence of threats identified in the preceding point.

4 - The Risk Analysis shall take into consideration:

a) The history of extraordinary situations that have occurred;

b) The history of security incidents and, especially, of breaches of security or losses of integrity with a significant impact;

c) The number of subscribers or of accesses involved;

d) The geographic area involved;

e) The guarantee of access to emergency services;

f) The support to the continuity of provision of services provided for in paragraph 3 f) of article 24.

5 - The Risk Analysis shall also take into consideration the integrated assessment of risks to the security and integrity of networks and services at national, European and international levels, published on an annual basis or notified by undertakings to ANACOM.

6 - Following each Risk Analysis, undertakings shall:

a) Review their classification of assets and, where appropriate, undertake their re-classification and the update of the Asset Inventory;

b) Adopt the appropriate technical and organisational measures, including, among others, the measures and requirements provided for in articles 10 to 15;

c) Review, and where appropriate, update the General Security Characterization, the Security Plan and other documentation included in the Security File.

7 - Measures to be adopted under the preceding paragraph shall allow:

a) The prevention, management and reduction of risks;

b) The reinforcement of the soundness and resilience of assets, including:

i) Their protection against identified threats;

ii) Their recovery or redundancy, in order to quickly restore the operation of networks and services;

c) An effective response to security incidents, threats or vulnerabilities;

d) The access to emergency services;

e) The support to the continuity of the provision of services provided for in paragraph 3 f) of article 24.

8 - For the purpose of this article, ANACOM shall be entitled, if deemed necessary, to issue guidelines in order to standardize the risk matrix to be adopted by undertakings.

Article 10
Redundancy, soundness and resilience measures

1 - With regard to assets classified as class A, undertakings shall:

a) Guarantee their redundancy by establishing alternative assets in a different geographical location;

b) Identify the time period required and characterize the procedure to activate alternative assets referred to in the preceding point.

2 - In case redundancy of assets classified as class A is impossible, undertakings shall adopt alternative measures and notify ANACOM of their adoption and respective grounds, including results of tests carried out.

3 - The preceding paragraphs shall not apply to assets classified as class A under paragraph 3 c) of article 7, regarding which undertakings shall only be required to ensure redundancy where it is requested by the customer.

4 - Undertakings shall ensure redundancy of connections between assets classified as classes A, B or C, and in the case of connections between assets classified as classes A or B, that such connections take different geographic routes.

5 - Undertakings shall identify and characterize soundness and resilience measures adopted for assets classified as classes A, B or C as a result of Risk Analyses conducted and taking into consideration threats that are more likely to occur or with a higher potential impact, and in any situation of:

a) Disruption of energy supply;

b) Disruption of leased line supply;

c) Hardware or software failures;

d) Malicious attack;

e) Other threats which must be safeguarded against on the basis of experience and good practice collected at national and international level.

6 - Undertakings shall ensure that assets classified as classes A, B or C are provided with an emergency energy supply system that allows them to operate undisrupted or uninterrupted in case of interruption of energy supply with the following minimum duration:

a) 24 hours for assets classified as class A;

b) 12 hours for assets classified as class B;

c) Six hours for assets classified as class C.

7 - Undertakings shall conduct tests of the measures referred to in this article, including tests of the operation of emergency energy supply systems, at least once every six months, drawing up a record of their performance and of the results achieved.

Article 11
Control procedures for exceptional Internet access traffic management

1 - Undertakings shall ensure that the adoption of Internet access traffic management measures complies with Regulation (EU) 2015/2120 of the European Parliament and of the Council, of 25 November 2015, laying down measures concerning open internet access.

2 - Undertakings shall ensure the record of relevant information for control of exceptional Internet access traffic management measures that, for each adopted measure, includes, among others, the following elements:

a) The exception that substantiates it, under the terms provided for in paragraph 3 a), b) or c) of article 3 of Regulation (EU) 2015/2120 of the European Parliament and of the Council, of 25 November 2015, duly documented;

b) The nature of the measure, in particular whether blocking, slowing down, altering, restricting, degrading or other;

c) The subject-matter of the measure, namely content, applications or services and covered IP addresses or ports;

d) The duration, including the dates and times of the measure's commencement and end.

3 - Undertakings shall adopt, identify and characterize a continuous Internet Access Traffic Monitoring System, so as to detect:

a) Threats to the operation or the security and integrity of the network, of services provided via that network and of the terminal equipment of end-users;

b) Impending network congestion.

4 - As regards the prevention and mitigation of network congestion situations, undertakings shall ensure that adopted measures of exceptional Internet access traffic management also allow the adoption of measures required for:

a) Reservation of capacity for emergency communications of a public interest;

b) Prioritisation of traffic in the extraordinary situations provided for in sub-points iv) to vii) of point b) of paragraph 1 of article 2.

Article 12
Change management procedures

1 - Undertakings shall establish change management procedures in order to minimize the likelihood of security incidents that may arise from such changes.

2 - In the special case of physical or logical changes to assets classified as class A or B, undertakings shall:

a) Guarantee that integration and system tests are run before the change is introduced;

b) Draw up an asset restoration plan that suits the change to be introduced.

Article 13
Access control system

1 - Undertakings shall establish and maintain physical and logical Access Control Systems that take into special account assets included in the Asset Inventory.

2 - Access Control Systems shall:

a) Be appropriate to prevent, manage and decrease risks for security and integrity of networks and services;

b) Be reviewed at least once every year and whenever required, namely as a result of the Risk Analyses conducted.

3 - Undertakings shall conduct tests of Access Control Systems, at least once every six months, to verify protection against unauthorized access.

4 - Undertakings shall ensure the documentation and record of the operation of Access Control Systems, including:

a) Changes introduced;

b) Security incidents that occurred;

c) Tests conducted;

d) Alarms generated.

Article 14
Monitoring and control system

1 - Undertakings shall establish and maintain Monitoring and Control Systems covering the operating, security and integrity conditions of assets included in the Asset Inventory and of traffic, which operate continuously and allow:

a) The detection of threats and security incidents;

b) The generation of appropriate alarms in case they occur;

c) The activation of security measures.

2 - Monitoring and Control Systems shall be:

a) Appropriate to prevent, manage and decrease risks for security and integrity of networks and services;

b) Reviewed at least once every year and whenever required, namely as a result of the Risk Analyses conducted.

3 - Undertakings shall conduct tests of Monitoring and Control Systems at least once every six months.

4 - Undertakings shall ensure the documentation and record of the operation of Monitoring and Control Systems, including:

a) Threats detected;

b) Security incidents that occurred;

c) Alarms generated;

d) Measures activated;

e) Tests conducted;

f) Changes introduced.

Article 15
Exercises

1 - Undertakings shall draw up an Annual Exercise Programme to assess security and integrity in order to improve technical and organisational measures that have been adopted, especially as regards, where appropriate:

a) Assets included in the Asset Inventory;

b) Access to emergency services;

c) Access to offers of networks and services;

d) Support to the continuity of the provision of services provided for in paragraph 3 f) of article 24.

2 - The Annual Exercise Programme shall include the following stages:

a) Preparation stage;

b) Completion stage;

c) Assessment stage.

3 - Undertakings shall also ensure that the implementation of the Annual Exercise Programme allows the assessment and testing of the Security Plan and especially of the respective continuity or restoration plans, checking:

a) Their effectiveness in the response to risks, vulnerabilities or threats, internal or external, intentional or non-intentional, more likely to occur or with a higher potential impact;

b) Compliance with applicable legal or regulatory provisions.

4 - Undertakings shall ensure, to the appropriate extent, the participation of other undertakings or of third parties in the implementation of the Annual Exercise Programme, namely by conducting joint exercises.

5 - Undertakings shall prepare Annual Exercise Programme implementation reports, including the description of results obtained.

Article 16
Provision of information to customers

Undertakings shall communicate to those of their customers provided for in paragraph 6 of article 24 the measures adopted following security incidents or in response to threats or vulnerabilities, informing ANACOM thereof.

Article 17
General Security Characterisation

1 - Undertakings shall establish a General Security Characterisation, maintaining it up-to-date, with the following elements:

a) Information on the adopted security and risk management approach and methodology;

b) Security policy;

c) Description of the Security Management System;

d) Description of the redundancy, soundness and resilience measures;

e) Description of the Internet Access Traffic Monitoring System;

f) Description of the Access Control Systems;

g) Description of the Monitoring and Control Systems;

h) Identification and contacts of the Security Officer, including:

i) Name;

ii) Email address;

iii) Geographic address;

i) Contacts of the Permanent Contact Point, and where appropriate, of the Alternative Contact Point, including:

i) Designation of the function;

ii) Main fixed telephone number;

iii) Main mobile phone number;

iv) Email address;

v) Alternative contacts;

vi) Geographic address of the location where the function is performed.

2 - Information provided for in point h) of the preceding paragraph shall attach an express statement, signed by whoever has power to bind the undertaking, that the Security Officer is duly mandated, under the law, to represent the undertaking in the exercise of powers assigned by this regulation.

3 - Undertakings shall submit to ANACOM, within five working days from the start of operations, a General Security Characterisation signed by the Security Officer, and shall communicate any change thereto at least 10 working days before it takes place.

Article 18
Security Plan

1 - Undertakings shall draw up a Security Plan that covers all technical and organisational measures that are adopted.

2 - The Security Plan shall generally aim to:

a) Protect the physical and logical security and integrity of networks and services;

b) Quickly recover the operation of networks and services in case of a security incident;

c) Improve the level of security and integrity of networks and services;

d) Ensure the coordination of action between the undertaking and other bodies involved, including ANACOM, other competent authorities, other undertakings, and where appropriate, customers provided for in paragraph 6 of article 24.

3 - The Security Plan must also include, in particular:

a) Specific continuity or restoration plans for assets included in the Asset Inventory;

b) Measures required for the safeguard of the reservation of capacity for emergency communications of a public interest;

c) Measures required with regard to network congestion in emergency situations, including procedures to be complied with by the undertaking.

4 - Undertakings shall keep the Security Plan up to date, and review it at least once every year and whenever required, namely as a result of the Risk Analyses conducted.

Article 19
Annual Security Report

1 - Undertakings shall draw up an Annual Security Report with a special focus on assets included in the Asset Inventory, which, in a comprehensive but concise manner, includes the following elements:

a) Description of activities developed with regard to the security and integrity of networks and services, as well as of results achieved, namely:

i) Risk Analyses;

ii) Exercises;

iii) Audits;

b) Aggregated analysis of security incidents with more substantial impact and of all breaches of security or losses of integrity of networks with a significant impact;

c) Summary of main changes to the Security Plan and of improvements introduced in technical and organisational measures that are adopted;

d) Recommendations as regards cooperation activities, measures or practices between undertakings and ANACOM that promote the improvement of the security and integrity of aggregated networks and services;

e) Any other relevant information.

2 - The Annual Security Report must also include the Annual Exercise Programme for the year following the year concerned.

3 - Undertakings shall submit the Annual Security Report to ANACOM, signed by the Security Officer, by the last working day of January of the year following the year concerned.

Article 20
Security Officer

1 - Undertakings shall establish a Security Officer function, which, among other duties provided for in this regulation, shall be in charge of:

a) The management of the security policy;

b) The management of the security management system;

c) The promotion of compliance by the undertaking with its obligations with regard to the security and integrity of networks and services under the law and this regulation.

2 - Undertakings that are not established in the European Union or in the European Economic Area and that hold assets classified as Classes A, B or C shall ensure that their Security Officer is established therein.

Article 21
Permanent Contact Point

1 - Undertakings shall establish a Permanent Contact Point function that ensures, with continuous availability (24 hours a day, 7 days a week), the capacity to initiate and receive a flow of operational and technical information between the undertaking and ANACOM, namely for the following purposes:

a) Effective response to security incidents with impact at sector level or beyond, including support to the continuity of the provision of services provided for in paragraph 3 f) of article 24, that involves the participation of several undertakings;

b) Articulation between ANACOM and the undertaking for the conveyance of operational or technical information, following notification of a breach of security or loss of integrity with a significant impact by the undertaking concerned or by another undertaking;

c) Building and updating integrated information on the situation, in the context of a breach of security or loss of integrity with a significant impact, or of the activation of the civil-emergency planning or of a civil protection emergency plan;

d) Operationalisation of procedures set in the scope of the civil-emergency planning or of a civil protection emergency plan.

2 - Undertakings shall ensure that the Permanent Contact Point is provided with main and alternative means of contacting ANACOM, under normal operating conditions and in the extraordinary situations provided for under article 2.

3 - Undertakings holding assets classified as Classes A or B shall establish an Alternative Contact Point function, at a different geographic location than that of the Permanent Contact Point function, that is able to ensure the functions of the Permanent Contact Point, in case of a failure of the latter or where it is not possible to establish contact therewith.

Article 22
Security Incident Response Team

Undertakings shall ensure access to the services of a Security Incident Response Team, which shall be endowed with the resources and knowledge required for an effective preparation against risks, threats and vulnerabilities, and for responding to security incidents that affect assets classified as classes A, B or C, or critical assets for the continuity of the operation of their networks and services.

Article 23
Security File

1 - Undertakings shall compile and keep up to date a Security File, which shall include:

a) The Asset Inventory;

b) The General Security Characterisation;

c) The Security Plan;

d) The Annual Security Report;

e) The Annual Exercise Programme and respective implementation report;

f) The Draft Audit and Audit Report, in the versions accepted by ANACOM, and the Plan for Addressing Non-Conformities.

2 - Documents provided for in the preceding paragraph shall form part of the Security File in their up-to-date version and in all historical versions from the past five years.

3 - The Security File shall include the security incidents of a major impact that occurred over the past five years, including copies of all notifications and disclosures that were made under Title III.

4 - In addition to the preceding paragraphs, the Security File shall also include other documentation on the security and integrity of networks and services, namely as regards the organization, functions and responsibilities, the technical capacity, and any systems, processes, plans, measures and records.

5 - All documentation integrated in the Security File shall be signed by the Security Officer.

Title III
Notification and public information obligations

Chapter I
Notification obligations

Article 24
Circumstances

1 - For the purpose of article 54-B of the Electronic Communications Law, undertakings shall notify ANACOM of a breach of security or loss of integrity with a significant impact on the operation of networks or services provided.

2 - All situations of breach of security or loss of integrity that cause a serious disruption on the operation of networks and services, with a significant impact on the continuity of such operation, shall be notified, according to the circumstances and rules provided for in the following paragraphs.

3 - For the purpose of the preceding paragraphs, undertakings shall notify ANACOM:

a) Of any breach of security or loss of integrity the impact of which is included in one of the following levels:

(vide original document)

b) Of any breach of security or loss of integrity that directly or indirectly affects the termination of calls to Public Security Call Centres (112 Call Centres), to the Single European Emergency Number 112, or to the national emergency number 115, for 15 minutes or more;

c) Of any recurring breach of security or loss of integrity, where the accumulated impact of occurrences in a period of four weeks meets any of the conditions provided for in the preceding points;

d) Of any breach of security or loss of integrity that takes place at a date where the regular and continuous operation of networks and services is particularly relevant, under the terms provided for in paragraph 5 hereof, insofar as:

i) It lasts for an hour or over;

ii) It affects 1000 or more subscribers or accesses, or, under the terms of point e) of paragraph 4 hereof, a geographical area of 100 km2 or more;

e) Of any breach of security or loss of integrity that impacts the operation of networks and services provided by an undertaking in all the territory of an island of the Autonomous Region of Azores or Madeira, insofar as it lasts for 30 minutes or over, regardless of the number of affected subscribers or accesses and of the affected geographical area;

f) Of any breach of security or loss of integrity, detected by undertakings or communicated to the latter by customers, that impacts the operation of networks and services through which relevant services are provided to society and to citizens, through their customers, of a public or private nature, of a national or regional scope, provided for in paragraph 6 of this article, insofar as it lasts for 30 minutes or over;

g) Of any breach of security or loss of integrity, where the accumulated impact on a set of undertakings in the conditions provided for in paragraph 2 of article 3 of Law No. 19/2012, of 8 May, meets one of the conditions provided for in point a), and in the part where this point is referred to, in point c), both of paragraph 3 hereof.

4 - For the purpose of the preceding paragraph:

a) The impact of a breach of security or loss of integrity must be assessed by reference to all networks and to all services of an undertaking that are affected;

b) The number of subscribers or accesses affected by a breach of security or loss of integrity corresponds to the sum of the numbers of subscribers or accesses affected in the various networks and services;

c) The number of subscribers of a service that is supported on another service shall only be accounted for where the supporting service is not affected;

d) The number of subscribers or accesses affected corresponds to the number of subscribers or accesses covered by the breach of security or loss of integrity, or where it is not possible to determine such number, to an estimate based on statistical elements with which the undertaking is provided;

e) The criterion for an affected geographical area shall only be applied where the criterion for a number of affected subscribers or accesses is inapplicable or where, in the specific case, it cannot be determined or estimated, duly justified reasons being provided.

5 - For the purpose of point d) of paragraph 3 and without prejudice to the identification by ANACOM of other dates, duly notified to undertakings at least five days in advance, the following dates are deemed to be relevant:

a) Day of national elections (legislative, presidential, European or local);

b) Day of national referendums;

c) Day of national exercise of electronic communications networks and services, under point c) of article 54-D of the Electronic Communications Law;

d) Day of regional elections, with regard to any breach of security or loss of integrity that takes place in the region concerned.

6 - For the purpose of paragraph 3 f) and without prejudice to the identification by ANACOM of other bodies, duly notified to undertakings at least five days in advance, the following customers are deemed to be relevant:

a) SIRESP - the Integrated System for Emergency and Security Networks in Portugal;

b) RNSI - the National Internal Security Network;

c) SRPCBA - Regional Civil Protection and Firemen Service of the Azores;

d) As from the date of notification to undertakings of their identification by ANACOM:

i) Operators of essential services to be identified in the scope of the application of the statutory instrument transposing Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union;

ii) Owners or operators of critical infrastructures designated under Decree-Law No. 62/2011, of 9 May, and in other applicable legislation.
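The thresholds in paragraph 3 and the counting rules in paragraph 4 are the kind of decision logic an operator's incident-management tooling has to apply at the moment an outage is declared. The following Python is an added example, not part of the regulation or of any ANACOM form: it encodes points b), d), e) and f) of paragraph 3 together with paragraph 4 b) to e); point a) (the impact-level table is not reproduced on this page) and point c) (recurring occurrences) are left out, and the record structure and field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Optional


@dataclass
class ServiceImpact:
    """Impact on one network or service (constructed record, not a regulatory form)."""
    name: str
    subscribers: Optional[int]          # None when it cannot be determined or estimated (para. 4 d)
    supported_by: Optional[str] = None  # service this one is carried on, if any (para. 4 c)


@dataclass
class Incident:
    """Facts about one breach of security or loss of integrity (assumed field names)."""
    duration: timedelta
    services: list[ServiceImpact] = field(default_factory=list)
    area_km2: Optional[float] = None          # affected geographic area, where estimated
    emergency_calls_affected: bool = False    # termination to 112/115 call centres (para. 3 b)
    on_relevant_date: bool = False            # one of the dates of paragraph 5 (para. 3 d)
    whole_island: bool = False                # all of an island of the Azores or Madeira (para. 3 e)
    relevant_customer_affected: bool = False  # a customer listed in paragraph 6 (para. 3 f)


def affected_subscribers(incident: Incident) -> Optional[int]:
    """Paragraph 4 b)-d): sum the figures across all affected networks and services,
    leaving out a service whose supporting service is itself affected (para. 4 c) so the
    same subscribers are not counted twice. Returns None when a counted service has no
    figure, which is the case in which the area criterion of paragraph 4 e) applies."""
    affected = {s.name for s in incident.services}
    total = 0
    for s in incident.services:
        if s.supported_by in affected:
            continue
        if s.subscribers is None:
            return None
        total += s.subscribers
    return total


def notification_grounds(incident: Incident) -> list[str]:
    """Return the points of paragraph 3 under which the incident must be notified to ANACOM.
    Point a) (impact-level table) and point c) (recurring occurrences) are not encoded."""
    grounds: list[str] = []
    if incident.emergency_calls_affected and incident.duration >= timedelta(minutes=15):
        grounds.append("3 b): termination of calls to 112/115 affected for 15 minutes or more")
    if incident.on_relevant_date:
        if incident.duration >= timedelta(hours=1):
            grounds.append("3 d) i): lasted one hour or more on a relevant date")
        subs = affected_subscribers(incident)
        if subs is not None:
            if subs >= 1000:
                grounds.append("3 d) ii): 1000 or more subscribers or accesses affected on a relevant date")
        elif incident.area_km2 is not None and incident.area_km2 >= 100:
            # Paragraph 4 e): the area criterion is used only when the subscriber count
            # cannot be determined or estimated.
            grounds.append("3 d) ii): 100 km2 or more affected on a relevant date (area criterion)")
    if incident.whole_island and incident.duration >= timedelta(minutes=30):
        grounds.append("3 e): whole island affected for 30 minutes or more")
    if incident.relevant_customer_affected and incident.duration >= timedelta(minutes=30):
        grounds.append("3 f): relevant customer affected for 30 minutes or more")
    return grounds


def must_notify(incident: Incident) -> bool:
    """True when at least one encoded ground of paragraph 3 is met."""
    return bool(notification_grounds(incident))


if __name__ == "__main__":
    # Constructed case: election day, 45 minutes, a broadband outage that also takes down
    # the VoIP service carried over it. The VoIP subscribers are not added (para. 4 c),
    # and the 150 km2 area is ignored because a subscriber count is available (para. 4 e).
    outage = Incident(
        duration=timedelta(minutes=45),
        services=[ServiceImpact("broadband", 800),
                  ServiceImpact("voip", 500, supported_by="broadband")],
        area_km2=150.0,
        on_relevant_date=True,
    )
    print(affected_subscribers(outage), must_notify(outage), notification_grounds(outage))
```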

Article 25
Format and Procedures

1 - For each breach of security or loss of integrity for which notification is required, under article 24, undertakings shall submit to ANACOM:

a) An initial notification, under paragraphs 4 and 5 hereof;

b) A final notification, under paragraphs 8 and 9 hereof;

c) A notification of end of breach of security or loss of integrity with significant impact, under paragraphs 6 and 7 hereof, whenever required in accordance with paragraph 6 hereof.

2 - In the circumstance provided for in paragraph 3 f) of article 24, undertakings shall only submit to ANACOM a final notification under the terms provided for in paragraphs 8 and 9 hereof, duly adapted.

3 - In the circumstance provided for in paragraph 3 g) of article 24, undertakings may send to ANACOM a sole series of notifications, under the terms provided for in paragraph 1 hereof, insofar as such notifications:

a) Cover the whole impact of the breach of security or loss of integrity;

b) Are submitted on behalf of all undertakings.

4 - The initial notification must be submitted as soon as possible once the undertaking concludes that a significant impact exists or will exist, and no more than one hour after the circumstance provided for in article 24 which, in the specific case, determined the notification obligation takes place; without prejudice to this deadline, the undertaking shall prioritize the mitigation and resolution of the breach of security or loss of integrity.

5 - The notification provided for in the preceding paragraph shall include the following information:

a) Name, telephone number and email address of a representative of the undertaking, for the purpose of a possible contact by ANACOM;

b) Date and time the breach of security or loss of integrity started, or where this is impossible to determine, date and time it was detected;

c) Date and time the breach of security or loss of integrity assumed a significant impact;

d) Date and time the breach of security or loss of integrity lost the significant impact or, where it remains, estimated time for such loss;

e) Brief description of the breach of security or loss of integrity, including the indication of the category of the root cause, and details, as much as possible;

f) Possible estimate of its impact, in terms of:

i) Networks and services affected;

ii) Access to emergency services;

iii) Number of subscribers or accesses affected;

iv) Geographic area affected, in km2;

g) Observations.

6 - After the breach of security or loss of integrity has lost a significant impact, and whenever it has not been communicated in the initial notification, undertakings shall submit to ANACOM as soon as possible, and no more than two hours after it has taken place, a notification of end of breach of security or loss of integrity with significant impact.

7 - The notification provided for in the preceding paragraph shall include as far as possible the following information:

a) Update of the information conveyed in the initial notification;

b) Brief description of measures adopted to remedy the breach of security or loss of integrity.

8 - The final notification must be signed by the Security Officer and submitted no later than 20 working days from the moment the breach of security or loss of integrity ceased to assume a significant impact.

9 - The notification provided for in the preceding paragraph must include the following information:

a) Unique identifier of the breach of security or loss of integrity assigned by ANACOM upon receiving the initial notification;

b) Date and time the breach of security or loss of integrity assumed a significant impact;

c) Date and time the breach of security or loss of integrity lost the significant impact;

d) Date and time the breach of security or loss of integrity started, or where this is impossible to determine, date and time it was detected, as well as the date and time the breach of security or loss of integrity ended, where they differ from dates and times conveyed, respectively, under points b) and c);

e) Impact of the breach of security or loss of integrity, in terms of:

i) Networks (including national and international connections) and respective infrastructures (including systems), with the indication, where appropriate, of the respective unique identifier in the Asset Inventory, and services affected;

ii) Access to emergency services available through the Single European Emergency Number 112 (including access to the national emergency number 115);

iii) Number of subscribers or accesses affected, per network or service;

iv) Percentage of subscribers or accesses affected, as a share of the total number of subscribers or accesses, per network or service;

v) Geographic area affected, in km2;

f) Description of the breach of security or loss of integrity, including the indication of the category of the root cause, and respective details;

g) Indication of measures adopted to mitigate the breach of security or loss of integrity;

h) Indication of measures adopted to remedy the breach of security or loss of integrity, including in the case of a breach of security or loss of integrity with partial restoration times, the chronology and detail of restoration stages;

i) Indication of measures adopted and/or planned to prevent or minimize the occurrence in the future of similar breaches of security or losses of integrity (in the scope of the planning and/or operation of a contingency plan, interconnection agreements, levels of service agreements and other pertinent areas) and of the date on which they took or will take effect;

j) Where appropriate, information provided to the public on the breach of security or loss of integrity, including any updates thereto, as well as the date and time of such communications;

k) Any other relevant information;

l) Observations.

10 - For the purpose of paragraphs 5, 7 and 9, breaches of security or losses of integrity may be due to the following root cause categories:

a) Accident or natural disaster;

b) Human error;

c) Malicious attacks;

d) Hardware or software failures;

e) Failures in the supply of goods or services by an external body.

11 - Information included in notifications provided for in this article concerning the number of subscribers or of accesses shall comply, wherever possible, with definitions set out in the scope of regular notification obligations towards ANACOM.

12 - Notifications provided for in this article shall take place through the following means:

a) As regards the initial notification and notification of end of breach of security or loss of integrity with significant impact, through the email address and telephone number published at ANACOM’s institutional website;

b) As regards the final notification, by hand delivery or registered post.

13 - Undertakings whose networks or services are affected in their operation by the same breach of security or loss of integrity shall cooperate with each other in order to appropriately detect and assess the impact of this breach of security or loss of integrity and, in the case provided for in paragraph 3 g) of article 24, to undertake the respective notification.

14 - In order to fully meet provisions in this Chapter, undertakings shall implement all means and procedures required for the detection, impact assessment and notification of breaches of security or losses of integrity that fulfil the circumstances provided for in article 24.

Chapter II
Public information obligations

Article 26
Conditions

1 - For the purpose of paragraph b) of article 54-E of the Electronic Communications Law, undertakings shall inform the public of any breach of security or loss of integrity the impact of which on the operation of its networks or services is included in one of the following levels:

(vide original document)

2 - For the purpose of the preceding paragraph:

a) The impact of a breach of security or loss of integrity must be assessed by reference to all networks and to all services of an undertaking that are affected;

b) The number of subscribers or accesses affected by a breach of security or loss of integrity corresponds to the sum of the numbers of subscribers or accesses that are affected in the various networks and services;

c) The number of subscribers of a service that is supported on another service shall only be accounted for where the supporting service is not affected;

d) The number of affected subscribers or accesses corresponds to the number of subscribers or accesses covered by the breach of security or loss of integrity, or where it is not possible to determine such number, to an estimate based on statistical elements with which the undertaking is provided;

e) The criterion for an affected geographical area shall only be applied where the criterion for a number of affected subscribers or accesses is inapplicable or where, in the specific case, it cannot be determined or estimated, duly justified reasons being provided.

3 - Provisions in this article shall not prevent ANACOM, under point b) of article 54-E of the Electronic Communications Law, in circumstances other than those provided for in paragraph 1, and where also deemed to be in the public interest, from ordering undertakings to inform the public of breaches of security or losses of integrity that may take place in their networks and services.

Article 27
Content, means and deadlines for disclosure

1 - In informing the public of breaches of security or losses of integrity referred to in article 26, undertakings shall:

a) Guarantee that the content of the information is as clear, accessible and accurate as possible, including, among other elements deemed to be relevant:

i) The indication of networks and services affected;

ii) Expected period of time for resolution, or, where appropriate, date of resolution;

b) Provide information, at least, at the respective websites used in their relationship with users, through a hyperlink immediately visible and identifiable in the first page of the website, without requiring the use of the scrollbar;

c) Provide the information as soon as possible, no more than four working hours after the deadline for initial notification to ANACOM, the time elapsed from 9 am to 7 pm of a working day being deemed for this purpose as working hours;

d) Update the information whenever a significant alteration is verified and as soon as the breach of security or loss of integrity ceases;

e) Keep the information provided on the Internet publicly available, in the same locations referred to in point b), for a period of 20 working days from the date of the end of the breach of security or loss of integrity.

2 - Undertakings shall communicate to ANACOM, as soon as they start operating, the URL addresses of web pages where, for the purpose of point b) of the preceding paragraph, they intend to provide the public with information on breaches of security or losses of integrity occurred in their networks and services, as well as any subsequent change thereof, at least five days prior to their implementation.

3 - In order to fully meet provisions in Chapter II, undertakings shall implement all means and procedures required for the detection, impact assessment and disclosure of breaches of security or losses of integrity that fulfil the criteria provided for in article 26.

Title IV
Security audits to networks and services

Chapter I
General provisions

Article 28
Duty to carry out an Audit

For the purpose of paragraphs 1 and 2 of article 54-F of the Electronic Communications Law, undertakings that hold assets classified as classes A, B or C shall ensure that security audits are carried out on their networks and services, at their own expense, under the terms provided for in this Title IV.

Article 29
Scope

Undertakings shall ensure that Audits allow verification of compliance with the applicable legal and regulatory provisions as regards class A, B and C assets and assets critical to the operation of their networks and services, taking into account the situation of the undertaking.

Article 30
Reference standards

1 - Undertakings shall ensure that Audits are carried out in conformity with the European and international standards, specifications or recommendations on this matter.

2 - For the purpose of the preceding paragraph, ANACOM shall publish on its institutional website, by 30 June of each year, the references of the standards, specifications and recommendations with which Audits in the following year must conform.

Article 31
Auditing Bodies

1 - Auditing bodies and all their collaborators involved in carrying out audits shall comply with the following requirements:

a) Technical competence, namely regarding the standards, specifications or recommendations identified in paragraph 2 of the preceding article;

b) Relevant experience in the electronic communications sector, namely with regard to network and service planning, operation, security and integrity;

c) Appropriate clearance issued by competent authorities for access to classified matters, where appropriate and under the terms of the applicable law.

2 - Undertakings shall ensure that Auditing Bodies do not provide them with services other than the performance of external and independent audits, and that declarations are submitted, on behalf of the Auditing Body and of all collaborators involved, to the effect that no conflict of interest exists.

Article 32
Duty of collaboration

1 - Undertakings shall provide to Auditing Bodies all collaboration and assistance required for carrying out audits under the terms provided for in this Title IV, namely:

a) Collaboration in the preparation and conduct of Audits;

b) Collaboration in drawing up Audit Reports;

c) Provision of access to all means of evidence requested;

d) Provision of access to necessary means, namely for testing purposes;

e) Provision of access to locations;

f) Provision of access to relevant suppliers with regard to the security and integrity of networks and services;

g) Provision of access to collaborators with administration, direction or management functions related to the security and integrity of networks and services.

2 - Undertakings shall ensure that ANACOM has access to the suppliers and collaborators referred to in points f) and g) of the preceding paragraph, and that these are available to meet with ANACOM and to provide any clarifications requested by this Authority.

Chapter II
Audit Procedures

Article 33
Stages

Undertakings shall ensure that Audits are carried out in a staged and ordered manner, including the Pre-Audit Stage, the Audit Stage and the Post-Audit Stage, under the terms provided for in this Chapter II.

Article 34
Pre-Audit Stage

1 - Undertakings shall draw up, together with the Auditing Body, and submit to ANACOM, a Draft Audit with the following elements:

a) Identification of the Auditing Body and of all collaborators involved in each Audit Stage;

b) Identification of relevant suppliers with regard to the security and integrity of networks and services;

c) Identification of all collaborators with administration, direction or management functions related to the security and integrity of networks and services;

d) Supporting documents or declarations that attest compliance with requirements provided for in article 31;

e) Plan for Addressing Non-Conformities of the most recent audit carried out, where appropriate;

f) Audit Programme, duly substantiated, including the following elements:

i) Date scheduled for the commencement of Audit Stage;

ii) Estimated duration of the Audit Stage;

iii) Indication of assets covered by the Audit, with reference to the respective unique identifiers;

iv) Planned activities.

2 - Undertakings shall submit to ANACOM a Draft Audit, signed by the Security Officer:

a) In the case of a first Audit, within 20 working days from the date on which the undertaking holds an asset classified as class A, B or C;

b) In the case of subsequent Audits, within two years from the date of submission of the Draft Audit on which the preceding Audit was based or, if later, within 20 working days from the date on which the undertaking again holds an asset classified as class A, B or C.

3 - It is incumbent on ANACOM to accept the Draft Audit, being entitled for this purpose to request the undertaking to provide the necessary clarifications and to remedy any shortcomings.

Article 35
Audit Stage

1 - Undertakings shall start the Audit Stage no more than 40 working days after the date on which ANACOM accepts the Draft Audit.

2 - Undertakings shall give at least 20 days' notice of the dates and locations of the Audit Stage activities, so that ANACOM may attend them, should the Authority so choose.

3 - Undertakings shall ensure that the Auditing Body draws up an Audit Report which, in conformity with the Draft Audit accepted by ANACOM, includes the following elements:

a) List of non-conformities of the undertaking’s current situation with the reference standards provided for in article 30;

b) Short description of the activities carried out, including:

i) Analysis of documentation;

ii) Interviews;

iii) Tests;

iv) Checking the operation of equipment and systems;

v) Procedure simulation;

vi) Site visits;

c) Description of the Audit Stage, taking into account the results of Risk Analyses conducted;

d) Total time of the Audit Stage, specifying the time spent on:

i) The assessment of Risk Analyses;

ii) The analysis of documentation;

iii) Interviews;

iv) Tests;

v) Checking the operation of equipment and systems;

vi) Procedure simulations;

vii) Site visits;

viii) The drafting of the Audit Report;

ix) Other activities.

4 - Undertakings shall submit to ANACOM a copy of the Audit Report, signed by the Security Officer on behalf of the Auditing Body, and acknowledging the Report, within 10 working days from the conclusion of the Audit Stage activities.

5 - It is incumbent on ANACOM to accept the Audit Report, being entitled for this purpose, to request the undertaking to provide the necessary clarifications and to remedy any shortcomings.

Article 36
Post-Audit Stage

1 - Undertakings shall prepare and submit to ANACOM a Plan for Addressing Non-Conformities included in the Audit Report, signed by the Security Officer, within 20 days from the date of acceptance, by ANACOM, of the Audit Report.

2 - The Plan for Addressing Non-Conformities shall include:

a) Identification of all Non-Conformities and observations referred to in the Audit Report, including any conclusions and recommendations;

b) As regards each Non-Conformity:

i) An analysis of the respective causes;

ii) An indication of corrective measures and respective time limits for implementation.

3 - Undertakings shall ensure that each measure set out in the Plan for Addressing Non-Conformities, referred to in point b) of the preceding paragraph, is implemented as soon as possible, and that all measures are implemented within any deadline that ANACOM chooses to set for the purpose.

Title V
Final and transitory provisions

Article 37
Penalty System

Infringements of the provisions of this Regulation shall be punishable under points ee), ff) and gg) of paragraph 2 and points u), v), x) and z) of paragraph 3 of article 113 of the Electronic Communications Law.

Article 38
Entry into force and transitional provisions

1 - This regulation shall enter into force on the day following that of the respective publication in the Official Gazette, without prejudice to the following paragraphs.

2 - Undertakings operating on the date of entry into force of this regulation shall:

a) Establish the Security Officer function within 40 days from the date of entry into force of this regulation, in accordance with article 20, communicating to ANACOM within this time limit the elements provided for in point h) of paragraph 1 and in paragraph 2 of article 17;

b) Establish the Permanent Contact Point function within 80 days from the date of entry into force of this regulation, in accordance with article 21, communicating to ANACOM within this time limit the elements provided for in point i) of paragraph 1 and in paragraph 2 of article 17;

c) Within 1 year from the date of entry into force of this regulation:

i) Classify assets, draw up an Asset Inventory and undertake a Risk Analysis of a global scope, under the terms respectively of article 7, article 8 and article 9, complying thereafter with other obligations provided for therein;

ii) Establish, where appropriate, the Alternative Contact Point function, under the terms of article 21, communicating to ANACOM within this time limit the elements provided for in point i) of paragraph 1 and in paragraph 2 of article 17;

d) Within 18 months from the date of entry into force of this regulation:

i) Adopt, where appropriate, control procedures for exceptional Internet access traffic management, under the terms of article 11;

ii) Adopt change management procedures, under the terms of article 12;

iii) Adopt an access control system, under the terms of article 13;

iv) Adopt a monitoring and control system, under the terms of article 14;

v) Draw up and submit to ANACOM a General Security Characterisation, under the terms of article 17;

vi) Draw up a Security Plan, under the terms of article 18;

vii) Ensure access to the services of a Security Incident Response Team, under the terms of article 22;

viii) Compile a Security File, under the terms of article 23;

e) Draw up an Annual Security Report, under the terms of article 19, referring to the 1st calendar year following the calendar year of the date of entry into force of this regulation;

f) Draw up and implement an Annual Exercise Programme, under the terms of article 15, for the 2nd calendar year following the calendar year of the date of entry into force of this regulation;

g) Adopt redundancy, soundness and resilience measures, under the terms of article 10, within three years from the date of entry into force of this regulation.

3 - Undertakings operating on the date of entry into force of this regulation that are subject to the obligation to carry out an Audit under article 28 shall submit to ANACOM a Draft Audit, in accordance with article 34, within two years from that date of entry into force.

4 - Undertakings starting their activity after the date of entry into force of this regulation shall comply with paragraphs 2 and 3 within the deadlines set out therein or, if later, within the deadlines set out in the respective articles.

5 - The provisions of article 16 and of Title III shall enter into force within one year from the date of entry into force of this regulation.

Article 39
Repeal

ANACOM’s decision of 12 December 2013 shall be repealed within one year from the date of entry into force of this regulation.

29 December 2016. - The Vice-Chair of the Management Board, José Manuel de Almeida Esteves Perdigoto.