Introducing the most salient rules and updates regarding the security of networks and services brought in by Articles 59 et seq. of the New Electronic Communications Act, applicable to undertakings providing public electronic communications networks or services.
How does the New Electronic Communications Act define security of networks and services?
Article 3(1)(pp) of the New Electronic Communications Act defines ‘security of networks and services’ as “the ability of electronic communications networks and services to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of those networks and services, of stored or transmitted or processed data, or of the related services offered by, or accessible via, those electronic communications networks or services”.
The new Act therefore adopts the definition contained in ANACOM Regulation 303/2019 on the security and integrity of electronic communications networks and services.
What major updates does the New Electronic Communications Act bring regarding the security of networks and services?
While substantially keeping its predecessor’s security obligations and rules, namely general security obligations, implementation measures, additional requirements, audit-related provisions, and binding instructions, the New Electronic Communications Act brings significant updates.
The New Electronic Communications Act is more detailed and stricter than its predecessor regarding obligations, implementation measures, and security requirements, which it has buttressed and fleshed out.
Security incident-related provisions were extensively amended to bolster and consolidate the notification requirements incumbent upon undertakings, and to streamline coordination and cooperation between regulators and other entities outside the sector.
The New Electronic Communications Act also creates a mechanism to assist and cooperate with the Equipa de Resposta a Incidentes de Segurança Informática Nacional [Portuguese IT Security Incident Response Team] and expressly foresees consulting and cooperating with other entities, such as courts and the police, the Centro Nacional de Cibersegurança [Portuguese Cybersecurity Centre] (“CNCS”) and the Comissão Nacional de Proteção de Dados [Portuguese Data Protection Commission] (“CNPD”).
Under the New Electronic Communications Act, the use of equipment in electronic communications networks is sometimes predicated on a security assessment to be conducted by a Security Assessment Commission set up under the auspices of the Conselho Superior de Segurança do Ciberespaço [Cyberspace Security Council].
What are the key general obligations regarding the security of networks and services?
As in the previous framework, undertakings must implement technical and organisational measures to ensure a security level commensurate with the risks posed to the security of networks and services (Article 59).
Such measures must specifically prevent or minimise the impact of possible security incidents on users and other networks and services, taking account of the state of the art and any information, guidelines, assessments, and decisions of any relevant national, EU, or international entities.
However, the new Act innovates with respect to its predecessor in that it requires such measures to address specific security areas. Both undertakings and ANACOM must, among other things, consider: (i) the security and integrity of networks and resources, including physical and environmental security and network access control; (ii) the management and detection of security incidents and how they are to be notified and reported to the relevant entities and the public; (iii) business continuity management, including business continuity strategies and contingency and recovery plans; and (iv) monitoring, auditing and testing, including contingency planning exercises, security assessments and compliance monitoring (Article 59(3)).
Also of note is the express provision for ANACOM to issue binding instructions on measures to prevent the occurrence and ensure the resolution of security incidents.
What are the key specific obligations regarding the security of networks and services?
The New Electronic Communications Act requires compliance with technical implementation measures, additional requirements and security procedures, which will subsequently be implemented and approved by ANACOM, in keeping with the previous framework.
It also imposes new and more specific measures contained neither in the previous act nor in Regulation 303/2019. For example, the Act stipulates: (i) specific conditions for the virtualisation of network functions; (ii) conditions for the outsourcing of functions; (iii) the adoption of supplier diversification strategies; and (iv) the siting of the network operation centre and the security operation centre in national territory or in the territory of an EU member state.
Another fundamental aspect introduced by the New Electronic Communications Act is the requirement for a prior binding opinion from the CNCS to approve any implementation measures and/or to define the circumstances, format, and procedures applicable to security incident notification obligations.
How does the New Electronic Communications Act define security incidents?
A security incident is defined as an “event having an actual adverse effect on the security of electronic communications networks or services” (Article 3(1)(m)).
Although worded slightly differently, this definition essentially matches the definition contained in Regulation 303/2019 (the part reading “including a security breach or loss of integrity” was dropped). Despite the similarity between the concepts, the security incident-related provisions were extensively amended.
What entities need to be notified of security incidents under the New Electronic Communications Act?
Undertakings are required to notify ANACOM and CNCS without undue delay of any security incidents having a significant impact on the operation of networks or services, and to inform the public if ordered by ANACOM (Article 60). The new framework further vests in ANACOM powers to directly inform the other relevant national authorities, including courts, the police and the CNPD, which will have practical consequences for undertakings, notably where the security incident at issue involves a personal data incident.
The requirement to notify the CNCS is a striking and noteworthy update, insofar as Regulation 303/2019 only states, with regard to this matter, that: (i) compliance with the obligation to notify ANACOM is without prejudice to the notification of incidents to other relevant authorities, such as the Public Prosecutor's Office, the CNCS, the CNPD and other regional, local and sectoral authorities; and that (ii) ANACOM may, in cooperation with other relevant authorities, make recommendations as to how the different applicable notification procedures should be coordinated.
What does an incident with a significant impact on the operation of networks or services mean?
The New Electronic Communications Act sets forth an illustrative list of criteria to define the circumstances in which a security incident has a significant impact (and which must be considered by ANACOM in its assessment). Such criteria essentially correspond to factors and circumstances that already seem to be covered by the letter of Regulation 303/2019. Below is a list of the applicable criteria (Article 61(3)):
(i) The number of impacted users;
(ii) The duration of the incident;
(iii) The geographical distribution and size of the impacted area(s);
(iv) The extent to which the network or service operation is impacted;
(v) The extent of the impact on economic and social activities, including in connection with access to emergency services.
Are operators required to inform users affected by security incidents?
In a departure from the previous framework, operators are required, in the event of a specific and significant threat of a security incident, to inform potentially affected users, free of charge, of any possible preventive or response measures they may take and, where appropriate, to inform them of the threat itself (Article 60(2)).
Note that this obligation involves informing users of both the occurrence of an incident and the threat of one. Since the New Electronic Communications Act does not define the concept of ‘specific and significant threat’, its exact scope is unclear at this point.
How compatible are Regulation 303/2019 and the New Electronic Communications Act?
As a rule, the New Electronic Communications Act contains obligations and provisions already existing in Regulation 303/2019, which was enacted under the previous act to implement the general obligations and implementation measures provided for therein, including regarding the notification of security incidents.
However, seeing as the New Electronic Communications Act:
(i) Establishes that the approval of technical implementation measures and of measures defining the circumstances and procedures related to security incident notification obligations is subject to a prior binding opinion of the CNCS;
(ii) Introduces new obligations and implementation measures, such as the obligations to notify incidents to the CNCS, to inform users of security incident threats, or to satisfy specific conditions for the virtualisation of network functions; and
(iii) Makes provision for ANACOM to issue binding instructions, particularly on the prevention and mitigation of security incidents, and to approve the regulations necessary to implement the New Electronic Communications Act;
and given the need for coordination with the CNCS, as well as the need to implement obligations and implementation measures that depart from the previous act, it is likely that Regulation 303/2019 will be recast or a new regulation approved to accommodate new legislative developments on integrity and security.
Questions remain, however, as to how the solutions introduced by the new framework will be reconciled with the existing integrity and security provisions of Regulation 303/2019, and whether these changes will entail the partial or total repeal of those provisions, which remain in force until they are replaced or repealed (Article 10(2)).
Key takeaways
In keeping with the provisions of the EECC and bearing in mind the current risks and realities of the electronic communications sector and of our economic and technological context, the New Electronic Communications Act introduces new precautions and obligations regarding security and security incidents.
Following a burgeoning legislative and regulatory trend focusing on security and cybersecurity, the New Electronic Communications Act appears to make a first attempt to reconcile a myriad of legislative instruments and regulatory authorities that, although distinct, ultimately intersect around this issue.
For now, it is uncertain how the different legal instruments and obligations will be brought into line, and how the actions and powers of the relevant regulatory authorities will be coordinated. The multiplicity of potentially applicable legal provisions – for example, the personal data protection framework, the legal framework for cyberspace security and the framework applicable to critical infrastructures – and the proliferation of authorities and entities with powers in the matter (namely ANACOM, CNPD, CNCS and the National Council for Civil Emergency Planning) are particularly noteworthy.
The New Electronic Communications Act involves a significant set of provisions and relevant entities whose interpretation and construction will not be easy.