31 July 2013
The Romanian Authority for Management and Regulation in Communications (ANCOM) adopted the decision regarding the establishment of the minimum security measures to be taken by the providers of public electronic communications networks or of publicly available electronic communications services. The decision also establishes the procedure by which the providers will report incidents with significant impact on the provision of electronic communications networks and services.
With a view to preventing and limiting the impact of such incidents on the users and on the interconnected networks, the providers must establish technical and organization-related measures that should ensure an adequate level of security and integrity for their own electronic communications networks and services. Among the providers’ obligations imposed by this decision we count both establishing a risk management system, an incident detection system, and setting up their own strategy for ensuring network resilience and service continuity in case of serious disruptions in the operation of networks or services.
By imposing minimum security measures, the Authority aims at reducing the number of incidents, operational and fraudulent interruptions, at preventing the loss, the destruction, the theft or the jeopardizing of various resources of the providers, as well as at optimizing service quality and at strengthening users’ confidence in the electronic communications services.
The decision establishes, furthermore, a national procedure of reporting security incidents with significant impact, defining incidents as events that may affect or threaten, directly or indirectly, the security and integrity of the electronic communications networks and services at a national or European level. Thus, the providers of public electronic communications networks or of publicly available electronic communications services have the obligation to send ANCOM an initial notification regarding the occurrence of an incident with significant impact (affecting more than 5,000 connections, for at least 60 minutes).
This notification must be sent not later than 1:00 p.m. on the working day following the one when the incident was detected and must include an information set, as well as an estimate of the affected geographic area, of the number of connections affected, of the incident repercussions on other providers’ supply of networks and services and an assessment of the impact on the possibility to call the unique emergency number 112.
ANCOM will collect information regarding the incidents with significant impact in order to identify their causes, including the most frequent threats and vulnerabilities, to formulate future recommendations and to elaborate best practices for ensuring the security and integrity of electronic communications networks and services.
ANCOM’s Decision establishes the legal framework for implementing the provisions of the Government Emergency Ordinance no.111/2011 on electronic communications, approved, with amendments and completions, by Law no.140/2012, regarding the security and integrity of electronic communications networks and services, and will enter into force on 1 October 2013.