The National Communications Authority (ANACOM) approved the Regulation on the Security and Integrity of Electronic Communications Networks and Services which, under the Electronic Communications Law, determines the rules that companies offering public communications networks or electronic communications services accessible to the public should follow in relation to the security of the networks and services (scope in Annex).
The approval of the Regulation on Network and Service Security falls within ANACOM's action strategy, and especially under its contribution towards the country having maximum benefit in terms of the choice, price, quality and security of electronic communications services, through active and demanding regulation that promotes efficient investment, facilitates the sharing of infrastructures and ensures fair and dynamic competition.
ANACOM also made special reference to the opportunity of this action concerning an issue that, in view of technological evolution, the case of very high capacity networks and 5G, and the scenario of threats to networks and information, as well as society's enormous dependence on the security of electronic communications networks and services, is crucial for the country's development and security and for the defence of consumer interests.
ANACOM's initiative is also in line with the most recent developments at a European level, in particular the new European Communications Code, as well as the guidelines of the European Network and Information Security Agency (ENISA) and the international technical standards.
The new rules also reflect the contributions received in the context of the public consultation launched by ANACOM to hear its different stakeholders, where we highlight the significant number of participants.
The definition of the regulatory solutions took special account of the events that occurred, over the last two years, in Portugal, namely the fires of 2017 and storm named Leslie in 2018, which damaged and destroyed many communications infrastructures and revealed the country's dependence on the correct functioning of electronic communications networks and services. Security breaches and failures of integrity of networks and services preclude the timely exercise of basic rights of citizens, such as, for example, making or receiving a phone call, which can be particularly serious in situations of emergency.
Main measures
The new regulation establishes the obligation to identify the assets of companies whose operation is critical, that should be classified and inventoried. It also establishes the strengthening of the capacity of articulation between ANACOM and the companies of the sector, whether in response times or in terms of contents, as well as with other sectors that depend on electronic communications. This includes improvement of information flows in terms of reporting security incidents, information to the public, annual reports, obligations on cooperation and the materialisation of ongoing points of contact.
The new rules also foresee the appointment of a security officer and the adoption of a security policy at companies that offer public communications networks or electronic communications services accessible to the public, under the terms defined in the Electronic Communications Law, requirements that are considered essential to improve their efficacy and efficiency in this field. Importance is also given to the interdependences that specifically exist between electronic communications networks and services and the corresponding electric power grids.
The regulation is based on the clear identification that the good operation of the networks and services is relevant in normal daily situations, but above all in emergency situations in which preparation and planning is crucial, and mutual assistance is determinant to achieve common goals.
These measures are extremely relevant in the electronic communications sector due to involving an essential infrastructure so that other entities, like hospitals, emergency services, banks, companies providing power, transport and water distribution, can ensure the continuity of their services.
The new rules also define the conditions in which electronic communications companies should make public disclosure of security breaches or losses of integrity which have a significant impact, as well as the rules and procedures on disclosure incumbent upon these companies.
The new regulation also establishes the obligations on conducting audits to the security of the networks and services, sending the respective report to ANACOM, as well as the requirements which the audits should obey and the requirements applicable to audit entities.
Lastly, electronic communications companies are now bound to the duty to implement a programme of exercises, for a maximum period of two years, to assess the security of the networks and services and their adequacy, with a view to possible improvements.
The regulation stipulates the creation of a Committee for Monitoring the application of the new rules, which will be coordinated by ANACOM and shall incorporate representatives of electronic communications companies.
The new regulation will enter into force on the day after the date of its publication in Diário da República, with the different obligations being enforced in a phased manner.
ANACOM received 113 security notifications in 2018
ANACOM received 113 notifications of security breaches or loss of integrity of the networks in 2018, a reduction of 41% in relation to the 192 notifications received in 2017. The 113 notifications recorded are close to the values observed in previous years (105 in 2016 and 100 in 2015), except for 2017, when there were severe fires in June and October, sharply increasing the notifications.
Annual Number of Notifications (2015-2018)
Unit: number of notifications
Source: ANACOM.
Most of the security incidents notified in 2018 derived from failures in power supply or hired circuits, followed by hardware/software failures (due to system technical flaws) and accidents/natural disasters. Malicious attacks, which includes theft or damage to cables, and human errors are also responsible for some of the incidents that were reported, but to a lesser extent.
Cause of the notifications in 2018
Unit: % notifications
Source: ANACOM.
In 2018, the total number of subscribers/accesses affected by incidents was 3.2 million, compared to 11.2 million in 2017. The month of May was the one with the highest number of affected subscribers/accesses, more than 734 thousand. However, the month of March was the one with the highest number of notifications, 23 thousand.
The months of October and November were the ones with the highest values of daily average number of subscribers/accesses affected (indicator that considers the number of subscribers/accesses affected in each notification and the duration of each incident), of 224 thousand and 377 thousand subscribers/accesses, respectively. This value was greatly above the daily average value of the year – 53 thousand. The origin of these values was essentially due to a single incident that affected a considerable number of subscribers/accesses and an extremely long duration, associated to the time taken to restore the electronic communications infrastructures destroyed by the Leslie storm on 13 October.
Daily average number of subscribers/accesses affected in 2015, 2016, 2017 and 2018
ANNEX
Scope of the regulation relative to security and integrity of electronic communications networks and services
1 – Pursuant to their obligations on matters of security and integrity of networks and services, established in the law and present regulation, companies should adopt the measures in a manner appropriate:
a) To normal operating conditions;
b) To exceptional situations, including, among others, the following:
i) Security incident;
ii) Network breakdown, emergency or force majeure, under the terms in number 1 of article 49 of the Electronic Communications Law;
iii) Exceptions foreseen in subparagraphs a), b) and c) of number 3 of article 3 of Regulation (EU) 2015/2120 of the European Parliament and Council, of 25 November 2015, which establishes measures relative to access to the open Internet and amends Directive 2002/22/EC relative to the universal service and user rights on matters of electronic communications networks and services and Regulation (EU) 531/2012 relative to the itinerance of public mobile communications networks in the European Union;
iv) Serious accident or disaster, under the terms established in the legal and regulatory provisions applicable to civil protection;
v) State of emergency, state of siege or state of war, under the terms established in the applicable legal and regulatory provisions;
vi) Activation of a civil protection emergency plan or plan under emergency civil planning of the communications sector, under the terms established in the applicable legal and regulatory provisions;
vii) Serious threat to internal security, including situations of terrorist attacks, under the terms established in the legal and regulatory provisions applicable to internal security matters.
2 – Companies should comply with their obligations on matters of security and integrity of networks and services, established in the law and present regulation, in a manner appropriate to the evolution of weather conditions and risks of natural disasters or other extreme phenomena, including storms, landslides, floods, strong winds, forest fires, earthquakes and tsunamis, namely, among other aspects, with respect to the choice of locations, equipment, materials and infrastructures for accommodation and the procedures for protection and preservation.
3 – For the purposes of the provisions in the previous number, companies should take into account:
a) The information issued by the competent national, European or international entities;
b) The National Strategy of Adaptation to Climate Change 2020, approved by Council of Ministers Resolution 56/2015, of 30 July.
4 – Companies should comply with their obligations on matters of security and integrity of networks and services, established in the law and present regulation, in conformity with the provisions relative to security on classified matters of national scope and concerning the international organisations to which Portugal belongs.
5 – Companies should ensure that all the assets which, irrespective of their ownership, support the functioning of their networks and services, including terminal equipment if under their management, are covered in compliance with their obligations on matters of security and integrity of networks and services, established in the law and present regulation.
6 – Pursuant to the principle of good administration, ANACOM uses information conveyed by companies concerning the present regulation in order to pursue its duties on matters of civil protection emergency planning and emergency civil planning in the communications sector.
Consult:
- Regulation No. 303/2019, published on 1 April https://www.anacom.pt/render.jsp?contentId=1474999
- Regulation on security and integrity of electronic communications networks and services https://www.anacom.pt/render.jsp?contentId=1470124
- Consultation on the second draft regulation on the security and integrity of electronic communications networks and services https://www.anacom.pt/render.jsp?contentId=1458960
