Ancom - ANCOM propune stabilirea unor măsuri minime de securitate pentru reţelele şi serviciile de comunicaţii electronice şi o procedură de raportare a incidentelor

Homepage >>
Press Releases >>
April 2013 >>

ANCOM Proposes Establishing Minimum Security Requirements for the Electronic Communications Networks and Services and an Incident Reporting Procedure

24.04.2013

The National Authority for Management and Regulation in Communications (ANCOM) launches for public consultation a draft decision on establishing the minimum security requirements to be taken by the providers of public networks or of publicly available electronic communications services. The decision also proposes a procedure by which the providers will report ANCOM the incidents with significant impact on the provision of electronic communications networks and services.

According to the draft decision, the providers will have to establish technical and organisational measures in order to ensure an adequate level of security and integrity for the electronic communications networks and services. Among the obligations to be imposed on the providers, there are setting up a risk management procedure, an incident detection system, and a specific strategy for ensuring the continuity of the provision of electronic communications networks and services in serious disruption situations, as well as ensuring the network and service protection against cyber-attacks.

By imposing minimum security requirements on the providers, the Authority aims at significantly reducing the number of incidents, operational disruptions and frauds, at preventing the loss, destruction, theft or jeopardizing the providers’ various resources, as well as at optimising the quality of service and increasing their trust in electronic communications services.

Moreover, the draft decision proposes establishing a national procedure of reporting security incidents with significant impact, where incidents are those events that may jeopardize or threaten, directly or indirectly, the security and integrity of electronic communications networks and services at national or European level. Thus, the providers of public electronic communications networks or of publicly available electronic communications services will have the obligation to send ANCOM an initial notification regarding the occurrence of an incident with significant impact (that affects a number of more than 5,000 connections, for at least 60 minutes), within 6 hours from its detection, as well as a final notification regarding the existence of this incident within 2 weeks since the detection date.

ANCOM will inform the public by means if its own website www.ancom.org.ro on the existence of such incidents, reported by the providers, where these are of public interest. Furthermore, upon ANCOM’s request, the providers themselves will inform the public on the occurrence of such an incident.

In order to establish the fields where security measures are required and in order to determine the procedure of reporting security incidents with significant impact provided in the draft decision under public consultation, ANCOM conducted, during 2012, two studies regarding the security and integrity of electronic communications networks and services. The first study envisaged incidents that affected the continuity of the provision of electronic communications networks and services during 2011, while the second approached the security measures implemented by the providers. The former indicated that most of the providers have no procedures for addressing incidents, most often taking ad-hoc measures, on a case-by-case basis. Moreover, most of the providers inform their users on the occurrence of such incidents only when the users utterly request this or when complaints are submitted, while the notion of a ”significant incident” is perceived differently by the respondents.

The draft decision establishes the legal framework for implementing the provisions of the Government Emergency Ordinance no.111/2011 on electronic communications, approved, with amendments and completions, by Law no.140/2012, regarding the security and integrity of electronic communications networks and services.

The draft decision on establishing the minimum security requirements to be taken by the providers of public networks or of publicly available electronic communications services and a procedure for reporting incidents with significant impact on the provision of electronic communications networks and services is available here. The interested persons are invited to send their comments and suggestions, by 27.05.2013, at the ANCOM headquarters in 2 Delea Noua Street, Bucharest 3, directly to the ANCOM Registry Office or by means of the ANCOM regional divisions. Comments may also be sent by fax to +40 372 845 402 or by e-mail to consultare@ancom.org.ro.