Decree No. 380 / 2022 Coll.

Decree on criteria for the identification of a serious breach of network security and service and the loss of network integrity and the extent and form of transmission of information on the breach

Valid Order Effective from 01.01.2023
380
DECLARATION
of 29 November 2022
on the criteria for determining the serious breach of network security and service and the loss of network integrity and the extent and form of transmission of information on the breach
Pursuant to Article 150 (5) of Act No. 127 / 2005 Coll., on Electronic Communications and on the amendment of certain related laws (Act on Electronic Communications), as amended by Act No. 310 / 2006 Coll., Act No. 304 / 2007 Coll., Act No. 247 / 2008 Coll., Act No. 153 / 2010 Coll., Act No. 468 / 2011 Coll., Act No. 311 / 2019 Coll. and Act No. 374 / 2021 Coll., implementing Section 98 (4) of the Act on Electronic Communications:
§ 1
Criteria for determining a serious breach of network and service security
(1) A security incident meeting the criteria in terms of duration and the current total number of users affected by the interruption or restriction of the provision of a publicly available electronic communications service or by the refusal of access to it (hereinafter referred to as "the interruption of the provision of a service ') in relation to a particular type of publicly available electronic communications service shall be considered as a serious breach of network and service security. The number of users concerned shall be expressed for each type of service by the values referred to in paragraph 2.
(2) The criteria for determining a serious breach of network security and services by type of publicly available electronic communications services are:
(a) for voice communication service in a fixed place
1. more than 1 hour and more than 15 000 participating stations concerned;
2. more than 2 hours and more than 10 000 participating stations concerned;
3. more than 4 hours and more than 5 000 participating stations concerned,
4. more than 6 hours and more than 2 000 participating stations concerned; or
5. more than 8 hours and more than 1 000 participating stations concerned;
(b) for Internet access services in a fixed location
1. more than 1 hour and more than 60 000 approaches concerned;
2. more than 2 hours and more than 40 000 approaches concerned;
3. more than 4 hours and more than 20 000 approaches concerned,
4. more than 6 hours and more than 8 000 approaches concerned; or
5. more than 8 hours and more than 4 000 approaches concerned,
(c) for mobile voice communication service
1. more than 1 hour and more than 225 000 SIM cards concerned,
2. more than 2 hours and more than 150 000 SIM cards concerned,
3. more than 4 hours and more than 75 000 SIM cards concerned,
4. more than 6 hours and more than 30 000 SIM cards concerned; or
5. more than 8 hours and more than 15 000 SIM cards concerned,
(d) for a mobile Internet access service
1. more than 1 hour and more than 150 000 SIM cards concerned,
2. more than 2 hours and more than 100 000 SIM cards concerned,
3. more than 4 hours and more than 50 000 SIM cards concerned,
4. more than 6 hours and more than 20 000 SIM cards concerned; or
5. more than 8 hours and more than 10 000 SIM cards concerned,
(e) for a number-independent interpersonal communication service, radio and television broadcasting service and radio communications service
1. more than 1 hour and more than 150 000 users concerned,
2. more than 2 hours and more than 100 000 users concerned,
3. more than 4 hours and more than 50 000 users concerned,
4. more than 6 hours and more than 20 000 users concerned; or
5. more than 8 hours and more than 10 000 users concerned,
(f) for machine-to-machine communication service
1. more than 1 hour and more than 18000 SIM cards concerned,
2. more than 2 hours and more than 12000 SIM cards concerned,
3. more than 4 hours and more than 6 000 SIM cards concerned,
4. more than 6 hours and more than 2,400 SIM cards concerned; or
5. more than 8 hours and more than 1,200 SIM cards concerned.
§ 2
Network integrity loss
The loss of integrity of the public communications network is a condition where, as a result of a security incident, some of the conditions of the network plans issued by the Czech Telecommunications Authority (hereinafter "the Office ') are not met under Section 98 (2) of the Electronic Communications Act.
§ 3
Scope of the information transmitted
(1) A person providing a public communications network or providing a publicly available electronic communications service in carrying out an obligation under Section 98 (4) of the Electronic Communications Act when transmitting information to the Office and to entities operating emergency communications centres shall indicate:
(a) the date and time of the serious disturbance;
(b) the expected date for the removal of the cause of the interruption of the provision of the service and, where appropriate, the date and time of termination of the serious disruption;
(c) the type of serious disturbance;
(d) the reason for the interruption of the provision of a publicly available electronic communications service;
(e) the area and extent of the disruption of the public communications network or technological facilities, the territorial extent of the interruption of the provision of the service and the measures taken to restore the network and the provision of services;
(f) the type of publicly available electronic communications services affected;
(g) the type of public communications network affected;
(h) the number of users of the publicly available electronic communications service of the events concerned, for the services referred to in paragraph 1 (a) and (c), indicating the number of users without access to emergency communications;
(i) a description of the measures taken to prevent or reduce recurrence;
(j) the name and surname of the person authorised to act for that person in respect of the performance of the information obligation, including his contact details, at least within the scope of the telephone number and e-mail address.
(2) A person providing a public communications network or providing a publicly available electronic communications service when carrying out an obligation under Article 98 (4) of the Electronic Communications Act when transmitting information to users of publicly available electronic communications services shall provide at least the information referred to in paragraph 1 (a), (b), (d), (e) and (f).
§ 4
Form of the information transmitted
(1) A person providing a public communications network or providing a publicly available electronic communications service shall transmit the information referred to in Article 3 (1) using the form set out in the Annex.
(2) A person providing a public communications network or providing a publicly available electronic communications service shall transmit the notification referred to in paragraph 1:
(a) by e-mail, in the form of a data message signed by a recognised electronic signature, via the Office's data box or by telephone, unless the written communication form can be used; the electronic mail address and telephone number for this purpose shall be published by the Office on its website; where the notification is made by telephone, the person providing the public communications network or providing a publicly available electronic communications service shall transmit the notification by means of the form referred to in paragraph 1 to the Office without undue delay upon the expiry of the obstacle to the transmission of the information in writing;
(b) entities operating emergency communication centres by e-mail, in the form of a data message signed by a recognised electronic signature, by a data box or by telephone, where electronic mail cannot be used, by means of contacts for this purpose by an entity operating an emergency communication centre designated and published.
(3) The information referred to in Article 3 (2) shall be transmitted by a person providing a public communications network or providing a publicly available electronic communications service to users of publicly available electronic communications services by means of a communication published in the mass media, in a manner that allows remote access or, where appropriate, in the light of the number of participants and the nature of the case, in another similar manner.
(4) The information referred to in Article 3 (3) shall be transmitted by a person providing a public communications network or providing a publicly available electronic communications service to the Office, to entities operating emergency communications centres and to users of publicly available electronic communications services in the manner referred to in paragraphs 2 and 3.
§ 5
Repeal
Decree No. 242 / 2012 Coll., on the determination of the scope and form of the transmitted information on the security breach and loss of network integrity, is deleted.
§ 6
Efficacy
This Decree shall take effect on 1 January 2023.
President of the Council of the Czech Telecommunications Office:
Mgr. Ing. Tovarková v. r.

Annex to Decree No 380 / 2022 Coll.
Model form

Sign in for notes, favorites and notifications

Rating:

Comments 0

To write comments, please sign in.

Regulation Information

CitationDecree No 380 / 2022 Coll., on the criteria for determining the serious breach of network security and service and the loss of network integrity and the extent and form of transmission of information on the breach
Regulation TypeOrder
Author-
CollectionCode of Laws
Date of Promulgation07.12.2022
Effective from01.01.2023
Effective until-
Status Valid

Public Contracts 1

6 043 800 CZK
12.02.2024
Notifications
Source: Hlídač státu (CC BY 3.0 CZ)
The regulation text is for informational purposes only.
Favorites
Browsing History