RTR - Rundfunk & Telekom Regulierungs-GmbH

Security and integrity of networks and services

Notification of incidents having a significant impact on the availability of communications networks or services

Pursuant to Art. 16a Par. 5 of the Austrian Telecommunications Act (TKG) 2003, providers of public communications networks or services are required to notify the regulatory authority of security breaches or losses of integrity where such incidents have a significant impact on the operation of networks or services. These reports are to be submitted in the form prescribed by the regulatory authority.

In applying this provision, the regulatory authority based its considerations on the requirements specified in the Technical Guideline on Reporting Incidents published by the European Network and Information Security Agency (ENISA). In particular, this concerns the definition of circumstances under which the impact of an incident is considered so significant that it must be reported to the regulatory authority. The notification obligation is contingent upon the availability of emergency numbers as well as the duration of the incident and the number of users affected in each service category. In this context, the service categories of fixed telephony, mobile telephony, fixed or mobile Internet access, and messaging services are distinguished.

  • An incident must be notified in any case if an emergency number is not accessible from a communications network for multiple users of a publicly available telephone service.
  • Otherwise, an incident must be notified if it lasts more than x hours and affects more than y users in the respective service category. The values of x (duration) and y (number of users) are derived from the following table:

Service category / Duration        > 1 h       > 2 h       > 4 h     > 6 h     > 8 h
Fixed telephony                    420,000     280,000     140,000   60,000    30,000
Mobile telephony                   1,900,000   1,300,000   600,000   300,000   100,000
Fixed and mobile Internet access   790,000     530,000     260,000   110,000   50,000
Messaging services                 1,900,000   1,300,000   600,000   300,000   100,000

Example: If a disruption of a fixed network telephony service lasts 1:45 hours, then the value in the column "> 1 h" is to be applied. Therefore, the incident must be notified to the regulatory authority if more than 420,000 users are affected.

Until further notice, the form available on this page is to be used for notification purposes. The notification must be sent immediately via e-mail to nis @ rtr.at in order to ensure that the regulatory authority can take action without delay. Information not available at the time of notification can also be submitted at a later point.

Measures to ensure the security and integrity of networks and services

Under Art. 16a Par. 1 TKG 2003, providers of public communications networks are obliged to take appropriate measures to guarantee the integrity of their networks and to ensure the continuity of services provided over those networks. According to Art. 16a Par. 2 TKG 2003, providers of public communications networks or services, having regard to the state of the art, are required to take appropriate technical and organisational measures to ensure a level of security appropriate to the risks posed. In particular, the measures must be appropriate for preventing or minimising the impact of security incidents on users and interconnected networks.

These rules transpose the provisions of EU law into Austrian law. For the practical implementation of these provisions, ENISA cooperated with the EU Member States in preparing the Technical Guideline for Minimum Security Measures, which breaks down the measures to be taken into different domains and subdomains. Providers are advised to use this document as guidance for selecting security measures.

According to Art. 16a Par. 9 TKG 2003, the Federal Minister for Transport, Innovation and Technology, after consulting the regulatory authority and taking the relevant international rules into consideration, is to issue an ordinance specifying provisions for the implementation of Art. 16a. As the Technical Guideline for Minimum Security Measures aims at harmonising security levels and is supported by the EU Member States, it is expected that the document's content will be taken into account in this ordinance.