Incident reporting pursuant to Art. 17 Communications Act
According to Art. 17 para. 4 of the Communications Act, operators of public communications networks or services must notify the Office for Communications of security breaches or a loss of integrity in the form outlined by the Office for Communications if the incident has had considerable impact on network or service operation. The corresponding form on incident reporting can be found here (in German).
In applying this provision, the Office for Communications bases its work on the requirements set forth in the Technical Guideline on Incident Reporting published by the European Union Agency for Cybersecurity (ENISA).
This relates in particular to the definition of cases in which the impact of an incident is so significant that it must be reported to the Office for Communications. Whether the incident needs to be reported depends, on the one hand, on the reachability of emergency numbers, and, on the other hand, on the duration of the incident and the number of affected customers in the respective service category. Here, a distinction is made between the categories fixed networks, mobile networks, fixed and mobile internet access.
Which incidents must be reported?
- An incident must be reported if an emergency number (even if it is just one) is unreachable.
- Otherwise, an incident must be reported if it lasts for more than x hours and affects more than y customers (as a % of the customer base) in the respective service category.
The variables x (duration) and y (number of customers) can be derived from the following table:
Green means no reporting to the Office for Communications, red means reporting to the Office for Communications.
Scheduled maintenance is not considered an incident and does therefore not need to be reported.