Large increase in notifications of security breaches in 2017, while ANACOM approves Communications Security Regulation


ANACOM received 192 notifications of security breaches and failures of service in 2017, 83% more than the 105 notifications received in 2016 (https://www.anacom.pt/render.jsp?contentId=1457381). These reported incidents result from accidents/natural disasters, including the fires occurring in 2017, and from hardware/software failures or from failures in power supply or leased lines.

Annual Number of Notifications in the period 2015-2017

Unit: number of notifications
Source: ANACOM

In addition to the increase in the number of notifications received by ANACOM in 2017, there was a very significant increase in the average number of subscribers/accesses affected daily (an indicator that considers the number of subscribers/accesses affected under each notification and the duration of each incident). This indicator rose to a peak of 319 thousand subscribers/accesses in November 2017. The figures for the last quarter of 2017 are mainly due to notifications which, as well as involving, on average, a significant number of subscribers/accesses, were also of extremely long duration - a direct result of the time taken to restore service following the extensive destruction of electronic communications infrastructure due to the forest fires occurring on 15 October.

Average number of subscribers/accesses affected daily in 2015-2017

Fixed and mobile telephone and mobile Internet were the services most affected between 2015 and 2017.

Typology of services affected in the 2015-2017 period

Unit: % of notifications
Source: ANACOM

ANACOM approves draft Regulation on the Security of Communications Networks and Services

The scale of these incidents has highlighted Portugal's dependence on the proper functioning of electronic communications networks and services. Security breaches and failures in the integrity of networks and services prevent citizens from exercising basic rights, such as making or receiving calls, in a timely manner; in emergency situations, this becomes critical. With the aim of preventing such situations, ANACOM has approved a draft regulation which seeks greater transparency in the market, whereby citizens can be better informed, strengthening links of cooperation and coordination between the sector's economic operators and also links with other sectors, including emergency and rescue services.

The draft regulation establishes the need to identify company assets which are operationally critical, and which therefore need to be classified and inventoried. It also enhances the capacity for coordination between ANACOM and the sector’s companies, in terms of response times and in terms of the content of responses, as well as coordination with other sectors which rely on electronic communications, for example through improved information flows as regards notifications, information to the public, annual reporting, cooperation obligations and the constitution of permanent contact points.

The draft regulation also envisages the appointment of a security officer and the adoption of a security policy in companies as a condition to ensure their effectiveness and efficiency in these matters. All these measures are all the more relevant given that the electronic communications sector constitutes essential infrastructure which is critical to the capacity of other organisations to ensure continuity of their services, including hospitals, emergency services, banks, energy suppliers, transport companies and water distributors. The draft regulation highlights the interdependencies that exist specifically between electronic communications networks and services and electricity networks and services.

The regulation is based on the clear assertion that the proper functioning of networks and services is important in normal day-to-day situations, and especially important in emergency situations, where preparation and planning are essential and where mutual assistance and collaboration are key to achieving common goals such as establishing safety plans and conducting joint exercises.

The document sets out the obligations of companies which offer public communications networks and publicly available electronic communications services in this respect, as well as the conditions governing the public reporting of security breaches and losses of integrity with significant impact. It also defines rules and communication procedures which companies are required to implement.

The document further establishes obligations as to the performance of security auditing of the network and of services, with audit reports sent to ANACOM, as well as the requirements governing auditing and auditors.

This draft regulation, drawn up after examining the contributions made in response to the public consultation to which the first draft regulation was submitted, will now be submitted to the consultation procedure for 30 working days.

