23.05.2018

”The analysis of the documents provided by Telekom Mobile regarding the security incident that affected its network in March this year revealed serious breaches of the conditions for ensuring service availability. It was the most significant incident in the electronic communications market in Romania, so we applied to this provider two fines totalling RON 1,100,000." declared Sorin Grindeanu, president of ANCOM.

ANCOM sanctioned Telekom Romania Mobile Communications by two fines amounting to RON 1,100,000 for failure to comply with the obligation, stipulated in their licence for the use of radio frequencies, to ensure that network unavailability does not exceed 35 minutes within a period of 6 months and, respectively, for failure to comply with the obligation to keep network logs at the granularity level required by the License.

Obligations provided in the licence for the use of radio frequencies

According to the obligations under the licence for the use of radio frequencies, the provider must ensure that network unavailability does not exceed 35 minutes within a period of 6 months. As this network unavailability incident has had serious consequences, affecting the users’ possibility to make calls, to access e-mail services and remote home monitoring services, or to remotely control safety/security devices, Telekom Mobile has been fined RON 600.000.

Another obligation provided in the licence requires the provider to keep network logs for a period of 6 months. These tools are needed to prove to the Authority that network availability has been ensured as required. The provider failed to meet ANCOM's request to transmit the network logs recorded for the past 6 months to the granularity level stipulated in the licence, thus hindering the analysis performed in order to assess the actual extent of unavailability of the Telekom Mobile network on 05.03.2018. For this failure, the Authority applied a fine of RON 500,000.

Providers’ obligations on reporting security incidents

According to the regulations currently in force, the providers of electronic communications networks and services have the obligation to take appropriate technical and administrative measures for adequately managing the risks regarding the security of electronic communications networks and services, especially in order to prevent and limit the impact of security incidents on the users and on the interconnected networks. Moreover, they are also required to take all necessary measures to ensure the integrity of their own networks so as to ensure the continuity of service provision through these networks.

Incidents affecting more than 5,000 connections for at least 60 minutes are incidents with significant impact that may directly or indirectly affect or threaten the security and integrity of electronic communications networks and services at national or European level.