Notifications of information security violations

Under the Information Society Code (section 275), a telecoms operator must notify FICORA of significant information security violations or threats to information security in the services. The operator must also notify FICORA of the estimated duration and consequences of information security violations and threats, corrective measures taken as well as measures undertaken to prevent the reoccurrence of such violations.

The measures applicable to the notification of personal data breaches are regulated in European Commission Regulation 611/2013. The Regulation harmonizes the procedures for notifying FICORA and users of personal data breaches, as well as the content of these notifications. The Regulation is directly applicable legislation; hence it applies to all telecoms operators as it is. The notification of other information security violations is regulated in FICORA's Regulation 66 on disturbances in telecommunications services.


In practice, all notifications of security incidents are made using the reporting form provided in annex 2 of Regulation 66 (Telecoms operator's notification of information security incident). The notification can also be made by, for example, e-mail. The text can be free-form as long as it provides the same information that is included in the notification form. If there is reason to suspect that the information security of the message delivery system used for submitting the notification has been violated, or the situation calls for immediate measures from FICORA, the first notification should be made immediately by telephone based on the existing information. In long-term cases, the telecoms operator must keep FICORA up to date on how the situation develops. An electronically submitted notification that can be produced in a written and readable form is considered a written notification.

FICORA needs the information requested in the notification to form a controlled, up-to-date and analysed overview of the national information security situation of communications networks and services. In addition, drafting a notification helps the organisation to follow its information security management process and form an overview of its information security situation. The requested information is basic information needed in analysing information security incidents.


Key words: Information security, Forms

