Security and integrity of networks and services

Current issues

As of 2014, new thresholds apply to the obligation to notify incidents to RTR. Under these thresholds, even short disruptions must be notified to RTR if they affect a large number of subscribers. An electronic form is now available in the e-government area of the RTR website to simplify submissions to RTR; until further notice, the Word file available for download at the end of the page will also be kept. Regarding notification obligations involving emergency calls, the provisions have been clarified: an incident must be notified to RTR in any case if a network termination point of an emergency control centre cannot be reached as normal. In addition, examples of notifications concerning the failure of emergency calls are provided for information purposes (available in German only).


Notification of incidents having a significant impact on the availability of communications networks or services

Pursuant to Art. 16a Par. 5 of the Austrian Telecommunications Act (TKG) 2003, providers of public communications networks or services are required to notify the regulatory authority of security breaches or losses of integrity where such incidents have a significant impact on the operation of networks or services. These reports are to be submitted in the form prescribed by the regulatory authority.

In applying this provision, the regulatory authority based its considerations on the requirements specified in the Technical Guideline on Incident Reporting published by the European Network and Information Security Agency (ENISA). In particular, this concerns the definition of the circumstances under which the impact of an incident is considered so significant that it must be reported to the regulatory authority. Whether an incident must be notified depends on the accessibility of emergency numbers and, otherwise, on the duration of the incident and the number of users affected in the respective service category. For this purpose, the service categories fixed telephony, mobile telephony, fixed Internet access and mobile Internet access are distinguished.

  • An incident must be notified in any case if an emergency number is not accessible from a communications network for subscribers of a publicly available telephone service. Non-accessibility of an emergency number must be notified even if the telephone service is only partially available from the subscriber's point of view (e.g., if some numbers are accessible for the subscriber but at least one emergency number is not). Moreover, an incident must be notified if the telephone service of the emergency control centre at which the emergency call terminates is not available for incoming (passive) calls, independently of whether or not emergency numbers are accessible (e.g., by means of automatic forwarding).
  • Otherwise, an incident must be notified if it lasts more than x hours and affects more than y users in the respective service category. The values of x (duration) and y (number of users) are derived from the following table:
Service category          ≤1h        >1h      >2h      >4h      >6h      >8h      >16h
Fixed telephony           1,000,000  400,000  250,000  130,000  50,000   30,000   10,000
Mobile telephony          1,000,000  500,000  250,000  170,000  130,000  60,000   10,000
Fixed Internet access     1,000,000  320,000  210,000  110,000  40,000   20,000   10,000
Mobile Internet access    1,000,000  500,000  250,000  170,000  110,000  50,000   10,000

Example: If a disruption of a fixed network telephony service lasts 1:45 hours, then the value in the column "> 1 h" is to be applied. Therefore, the incident must be notified to the regulatory authority if more than 400,000 users are affected.
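The decision rule above (emergency-number accessibility first, otherwise the duration column and the user threshold for the service category) lends itself to a small automated check that an operator's incident-management tooling can run. The following is an added example and not an RTR tool or form; the service-category keys, the hour-based duration input and the helper names are assumptions, while the thresholds and column boundaries are those of the table on this page.

```python
"""Decision helper for the Art. 16a Par. 5 TKG 2003 notification thresholds.

Added example (not RTR's own code). It encodes the threshold table from the
page and the two rules: emergency-call accessibility always triggers a
notification; otherwise an incident is notifiable if it lasts more than x hours
and affects more than y users in its service category.
"""
from dataclasses import dataclass

# Duration column boundaries in hours. Column 0 is "<= 1 h"; column i (i >= 1)
# is "> DURATION_BOUNDS_H[i-1] h".
DURATION_BOUNDS_H = (1, 2, 4, 6, 8, 16)
COLUMN_LABELS = ("<= 1 h",) + tuple(f"> {b} h" for b in DURATION_BOUNDS_H)

# Users-affected thresholds per service category (values from the page).
# The incident is notifiable if MORE than the threshold number of users is affected.
USER_THRESHOLDS = {
    "fixed_telephony":        (1_000_000, 400_000, 250_000, 130_000, 50_000, 30_000, 10_000),
    "mobile_telephony":       (1_000_000, 500_000, 250_000, 170_000, 130_000, 60_000, 10_000),
    "fixed_internet_access":  (1_000_000, 320_000, 210_000, 110_000, 40_000, 20_000, 10_000),
    "mobile_internet_access": (1_000_000, 500_000, 250_000, 170_000, 110_000, 50_000, 10_000),
}


@dataclass(frozen=True)
class NotificationDecision:
    notify: bool
    reason: str


def duration_column(duration_h: float) -> int:
    """Index of the table column that applies to a disruption of duration_h hours.

    The column is the largest bound that is strictly exceeded ("more than x hours"),
    so 1.75 h falls into "> 1 h", exactly 2 h stays in "> 1 h", and anything up to
    and including 1 h uses the "<= 1 h" column.
    """
    if duration_h < 0:
        raise ValueError("duration must be non-negative")
    column = 0
    for index, bound in enumerate(DURATION_BOUNDS_H, start=1):
        if duration_h > bound:
            column = index
    return column


def user_threshold(service: str, duration_h: float) -> int:
    """Threshold (users affected) above which an incident in `service` is notifiable."""
    return USER_THRESHOLDS[service][duration_column(duration_h)]


def must_notify(service: str, duration_h: float, users_affected: int,
                emergency_number_unreachable: bool = False,
                emergency_centre_unreachable: bool = False) -> NotificationDecision:
    """Apply both rules from the page and return the decision with its justification.

    `emergency_number_unreachable`: at least one emergency number cannot be reached
    by subscribers of a publicly available telephone service.
    `emergency_centre_unreachable`: the emergency control centre's telephone service
    is not available for incoming calls.
    """
    if emergency_number_unreachable or emergency_centre_unreachable:
        return NotificationDecision(True, "emergency call accessibility affected: notify in any case")
    column = duration_column(duration_h)
    threshold = USER_THRESHOLDS[service][column]
    label = COLUMN_LABELS[column]
    if users_affected > threshold:
        return NotificationDecision(
            True, f"{users_affected:,} users affected exceeds threshold {threshold:,} (column {label})")
    return NotificationDecision(
        False, f"{users_affected:,} users affected does not exceed threshold {threshold:,} (column {label})")


if __name__ == "__main__":
    # The page's own example: a fixed telephony disruption of 1:45 h.
    print(must_notify("fixed_telephony", 1.75, 450_000))
    print(must_notify("fixed_telephony", 1.75, 400_000))
    print(must_notify("mobile_internet_access", 0.5, 20_000, emergency_number_unreachable=True))
```

Note that the threshold comparison is strict ("more than y users"), so exactly 400,000 affected users in the "> 1 h" column does not trigger the obligation, whereas 400,001 does; the emergency-call flags short-circuit the table entirely, matching the first bullet above.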

Examples of notification obligations regarding incidents involving emergency numbers are available for download at the end of the page (available in German only, "Mitteilungspflicht bei Ausfall von Notrufnummern").

An electronic form for notifying the regulatory authority is now available in the e-government area of the RTR website (see https://egov.rtr.at/). If required, this form can also be completed at a later time (e.g., when detailed information is available). Alternatively, the form available on this page can be used for notification purposes; in that case the notification must be sent by e-mail to nis@rtr.at.

In any case, the notification must be filed immediately when the incident occurs in order to ensure that the regulatory authority can take action without delay. Information not available at the time of notification can also be submitted additionally at a later point.

Measures to ensure the security and integrity of networks and services

Under Art. 16a Par. 1 TKG 2003, providers of public communications networks are obliged to take appropriate measures to guarantee the integrity of their networks and to ensure the continuity of services provided over those networks. According to Art. 16a Par. 2 TKG 2003, providers of public communications networks or services, having regard to the state of the art, are required to take appropriate technical and organisational measures to ensure a level of security appropriate to the risks posed. In particular, the measures must be appropriate for preventing or minimising the impact of security incidents on users and interconnected networks.

These rules transpose the provisions of EU law into Austrian law. For the practical implementation of these provisions, ENISA cooperated with the EU Member States in preparing the Technical Guideline for Minimum Security Measures, which breaks down the measures to be taken into different domains and subdomains. Providers are advised to use this document as guidance for selecting security measures.

According to Art. 16a Par. 9 TKG 2003, the Federal Minister for Transport, Innovation and Technology, after consulting the regulatory authority and taking the relevant international rules into consideration, is to issue an ordinance specifying provisions for the implementation of Art. 16a. As the Technical Guideline for Minimum Security Measures aims at harmonising security levels and is supported by the EU Member States, it is expected that the document's content will be taken into account in this ordinance.

Notifications of personal data breaches

According to Art. 2 Par. 1 and 2 of Commission Regulation (EU) No 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council (Directive on privacy and electronic communications), in case of a personal data breach, operators of electronic communications services must notify the competent national authority (i.e., according to Art. 95a TKG 2003 the Data Protection Authority, dsb@dsb.gv.at, +43-1-531 15 / 202525, 1010 Wien, Hohenstaufeng. 3) within 24 hours after the detection of a personal data breach. The notification to the Data Protection Authority shall include the information set out in Annex I of the mentioned Regulation.
When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall, according to Art. 3 Par. 1 of the Regulation, also notify the subscriber or individual of the breach. According to Art. 4 Par. 1 of the Regulation, notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach.

Data security measures

Art. 95 Par. 1 TKG 2003 obliges operators of public communications services to issue data security measures for each service provided by the operator. In case of a particular risk of a violation of confidentiality, the operator must, according to Art. 95 Par. 2 TKG 2003, inform the subscriber concerning such risk and, where the risk lies outside the scope of the measures to be taken by the operator, of any possible remedies including their costs. Moreover, operators of public communications services must take data security measures for the following purposes in any case:

  • to ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
  • to protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure;
  • to ensure the implementation of a security policy with respect to the processing of personal data.

RTR as the competent regulatory authority according to Art. 95 Par. 3 TKG 2003 may review the measures taken by the operators of public communications services and issue recommendations with regard to the security level to be reached. In order to review the measures, RTR may request the operator according to Art. 90 TKG 2003 to provide the required information.
