Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023

Providers to notify Commission of any incident of significant impact on networks or services

11. (1) A provider shall, where any security incident occurs that has had or is having a significant impact on the operation of the provider’s electronic communications networks or services, notify the Commission in accordance with subsection (3) without undue delay.

(2) In order to determine whether the impact of a security incident is significant for the purposes of subsection (1) a provider shall have regard to the following matters in respect of the incident:

(a) the duration of the incident;

(b) the number of users affected;

(c) any class of users particularly affected;

(d) the geographical area affected;

(e) the extent to which the functioning of the network or service was affected;

(f) the impact of the incident on economic and societal activities;

(g) the cause of the incident and any particular circumstances that resulted in the security incident.

(3) A notification made under subsection (1) shall contain the following information in relation to the incident:

(a) the provider’s name;

(b) the public electronic communications network or publicly available electronic communications services provided by it affected by the incident;

(c) the date and time the incident occurred and its duration;

(d) the information specified in paragraphs (a) to (g) of subsection (2);

(e) information concerning the nature and impact of the incident;

(f) information concerning any or any likely cross-border impact;

(g) such other information as the Commission may specify.

(4) Where a provider notifies the Commission of an incident in accordance with this section it shall, as soon as practicable, notify the Commission when the incident is resolved and of the actions taken by it to remedy the incident and, where applicable, any actions taken to reduce the likelihood of a similar incident occurring in the future.

(5) Where the Commission is notified of a security incident under subsection (1) it shall—

(a) inform the Minister of the notification, and

(b) where the Commission, having consulted with the Minister, considers it appropriate to do so, notify the competent authorities of other Member States and ENISA.

(6) Where the Commission determines, having consulted with the Minister, that the disclosure of a security incident notified under subsection (1) is in the public interest it may inform the public of the incident or require the provider concerned to do so.

(7) Subsections (1), (2), (3) and (4) are regulatory provisions.

(8) A provider—

(a) who fails to notify the Commission in accordance with subsection (1),

(b) who fails to make all reasonable efforts to provide the information referred to in subsection (3), or

(c) that is required by the Commission under subsection (6) to inform the public of a security incident and that fails to do so,

commits an offence and is liable on summary conviction to a class A fine.

(9) The Commission shall in each year submit a summary report to the Minister, the European Commission and ENISA on the notifications received and the actions taken by the Commission in accordance with this section.