Security and integrity of networks and services

Regulation No. 303/2019, of 1 April¹, on the security and integrity of electronic communications networks and services, establishes the obligation to identify company assets whose operation is critical and which should be classified and inventoried.

It also provides for strengthening coordination between ANACOM and the companies in the sector, in terms of both response times and content, as well as coordination with other sectors that depend on electronic communications.

The new rules also provide for the appointment of a security officer and the adoption of a security policy at companies that offer public communications networks or publicly available electronic communications services. The regulation is based on the clear recognition that the proper operation of networks and services is important in normal daily situations, but above all in emergency situations, in which preparation and planning are crucial and mutual assistance and collaboration are decisive for achieving common goals.

These measures are extremely relevant in the electronic communications sector because it involves an essential infrastructure that enables other entities, such as hospitals, emergency services, banks, and companies providing power, transport and water distribution, to ensure the continuity of their services.

Regulation No. 303/2019 also establishes:

  • the conditions under which electronic communications companies must disclose to the public security breaches or losses of integrity that have a significant impact, as well as the communication rules and procedures they must follow for such disclosure;
  • the obligations to carry out audits of the security of networks and services and to send the respective report to ANACOM, as well as the requirements that the audits should meet and the requirements applicable to audit entities;
  • that electronic communications companies are now required to implement a programme of exercises, for a maximum period of two years, to assess the security of networks and services and their adequacy, with a view to possible improvements.

The Regulation also stipulates the creation of a Committee for Monitoring the application of the new rules, which will be coordinated by ANACOM and will include representatives of electronic communications companies. In general, the law comes into force on 2 April 2020, but it provides for several obligations that will be implemented in a phased manner.

¹ Approved by final decision of ANACOM of 14 March 2019.