Notifications of information security violations
The measures applicable to the notification of personal data breaches are laid down in European Commission Regulation 611/2013. The Regulation harmonises the procedures for notifying FICORA and users of personal data breaches, as well as the content of these notifications. Because the Regulation is directly applicable legislation, it applies to all telecoms operators as such, without national implementing measures. Notification of other information security violations is regulated in FICORA's regulation 66 on disturbances in telecommunications services.
In practice, all notifications of security incidents are made using the reporting form provided in annex 2 of Regulation 66 (Telecoms operator's notification of information security incident). The notification can also be made by other means, for example e-mail. The text can be free-form as long as it provides the same information as the notification form. If there is reason to suspect that the information security of the message delivery system used for submitting the notification has itself been compromised, or if the situation calls for immediate measures from FICORA, the first notification should be made immediately by telephone on the basis of the information available at that time, with the written notification following once it can be submitted securely. In long-term cases, the telecoms operator must keep FICORA up to date on how the situation develops. An electronically submitted notification that can be reproduced in a written and readable form is considered a written notification.
FICORA needs the information requested in the notification in order to form a controlled, up-to-date and analysed overview of the national information security situation of communications networks and services. In addition, drafting a notification helps the organisation follow its own information security management process and form an overview of its own information security situation. The requested information is the basic information needed to analyse information security incidents.