Notification of incidents with significant impact

Pursuant to Art. 16a (5) TKG 2003, operators of public communications networks or services must notify the regulatory authority of any security breach or loss of integrity as prescribed by the regulatory authority, if that has had a significant impact on network operation or service provision.

In applying this provision, the Regulatory Authority will follow the guidelines set out in the Technical Guideline on Incident Reporting published by the European Network and Information Security Agency (ENISA) and linked hereafter.

This concerns, in particular, the definition of the conditions under which the effects of an incident are so significant that the incident must be reported to the regulatory authority. Whether a notification requirement exists depends, on the one hand, on the availability of emergency numbers and, on the other hand, on the duration of the incident and the number of participants in the respective service category. A distinction is made between the service categories landline telephony, mobile telephony, fixed Internet access and mobile Internet access.

  • In any case, an incident must be reported if an emergency number cannot be reached from a communications network by subscribers of an available public telephone service.
  • The unavailability of an emergency number must also be notified if, from the subscriber's point of view, the telephone service is only partially available (for example, if only a few numbers are available to subscribers, but at least one emergency number is not).
  • In addition, an incident must also be reported if the telephone service of the emergency call center at which an emergency call terminates is not available for passive calls, irrespective of whether the emergency number is reachable (for example by automatic forwarding) or not.
  • Otherwise, an incident must be reported if it lasts more than x hours and affects more than y participants in the respective service category. The values x (duration) and y (number of participants) result from the following table:
Service category / Duration   ≤1h       >1h       >2h       >4h       >6h       >8h      >16h
Fixed telephony               500.000   350.000   240.000   120.000   50.000    20.000   10.000
Mobile telephony              500.000   500.000   250.000   150.000   100.000   50.000   10.000
Fixed Internet access         500.000   380.000   250.000   130.000   50.000    30.000   10.000
Mobile Internet access        500.000   500.000   250.000   150.000   100.000   50.000   10.000

To simplify notifications to RTR, an input form is available in the e-government area, which should preferably be used. The PDF file "Mitteilungsformular", which is available for download at the bottom of the page, will remain as a supplement until further notice.

In the area of notification obligations regarding emergency calls, the provision was clarified to the effect that an incident should in any case be notified to RTR if a connection to an Emergency Service PSAP cannot be reached as planned. In addition, examples of notifications for the failure of emergency calls are available for information.

Downloads

The following documents are available in German only.