Regulation no. 303/2019 on the security and integrity of electronic communications networks and services

Regulation no. 303/2019 on the security and integrity of electronic communications networks and services, approved by final decision of ANACOM of 14 March 2019, was published on 1 April 2019, in Series II of the Official Gazette (Diário da República).

This Regulation establishes the obligation to identify those company assets whose operation is critical, which should be classified and inventoried. It also strengthens the capacity for coordination between ANACOM and the companies of the sector, both in response times and in terms of content, as well as with other sectors that depend on electronic communications.

The new rules also provide for the appointment of a security officer and the adoption of a security policy at companies that offer public communications networks or electronic communications services accessible to the public. The regulation rests on the clear recognition that the proper operation of networks and services is important in normal daily situations, but above all in emergency situations, in which preparation and planning are crucial and mutual assistance is decisive for achieving common goals.

These measures are extremely relevant in the electronic communications sector because it involves infrastructure that is essential for other entities, such as hospitals, emergency services, banks, and companies providing power, transport and water distribution, to ensure the continuity of their services.

Regulation 303/2019 also establishes:

  • the conditions under which electronic communications companies should publicly disclose security breaches or losses of integrity that have a significant impact, as well as the rules and procedures on disclosure incumbent upon these companies;
  • the obligations to conduct audits of the security of the networks and services and to send the respective report to ANACOM, as well as the requirements with which the audits should comply and the requirements applicable to audit entities;
  • that electronic communications companies are now required to implement a programme of exercises, for a maximum period of two years, to assess the security of the networks and services and their appropriateness, with a view to possible improvements.

The regulation also stipulates the creation of a Committee for Monitoring the application of the new rules, which will be coordinated by ANACOM and will include representatives of electronic communications companies. The regulation comes into force on 2 April in its entirety but provides for several obligations to be implemented in a phased manner.