Regulations Regarding the Security Incident Relevance Criteria, Reporting Procedures, and Content of Report

Issued pursuant to

1. The Regulation prescribes the information technologies security incident (hereinafter - the security incident) relevance criteria, the reporting procedures and the content of a report.

2. The security incident has a significant impact on the continuity of the essential service, if the security incident complies with at least one of the following features:
2.1. it lasts for more than 24 hours regardless of the number of users affected;
2.2. it affects 1 up to 10 per cent (inclusive) of the users of the essential service and lasts for at least four hours;
2.3. it affects 10 up to 15 per cent (inclusive) of the users of the essential service and lasts for at least two hours;
2.4. it affects more than 15 per cent of the users of the essential service and lasts for at least one hour;
2.5. it affects at least one user of the essential service that is included in the list of large enterprises in accordance with Section 10, Paragraph two of the Energy Efficiency Law;
2.6. it affects the users of the essential service in at least one other European Union Member State and lasts for at least two hours.

3. The security incident has a significant impact on the provision of the digital service, if it lasts for more than two hours.

4. The operator of essential services or the digital service provider shall, within four hours after discovering the security incident which has significantly impacted the continuity of the essential service or the provision of the digital service or as soon as it becomes possible, submit electronically to the competent Security Incidents Response Institution the initial report where contact details of the applicant (given name and surname, position, electronic mail address and phone number) and all available information concerning the discovered security incident are specified, including the following:
4.1. the time of detecting the security incident and duration thereof;
4.2. the service affected by the security incident;
4.3. the description of the security incident;
4.4. the number of users (in percentage or figures) affected by the security incident;
4.5. the measures taken to prevent the security incident;
4.6. the European Union Member States affected by the security incident;
4.7. the estimated time for the prevention of the security incident;
4.8. the necessary support from the competent Security Incidents Response Institution;
4.9. other information relating to the security incident.

5. If the operator of essential services depends on the digital service provider that is affected by the security incident referred to in Paragraph 3 of this Regulation, in addition to the information referred to in Paragraph 4 of this Regulation it shall indicate the information on the digital service provider.

6. The competent Security Incidents Response Institution, having received the initial report referred to in Paragraph 4 of this Regulation, shall register it and inform either electronically or by phone the operator of essential services or the digital service provider of receipt of the initial report.

7. Until the date of submitting the final report referred to in Paragraph 8 of this Regulation, the operator of essential services and the digital service provider shall inform the competent Security Incidents Response Institution regarding changes in the information specified in the initial report referred to in Paragraph 4 of this Regulation.

8. The operator of essential services and the digital service provider shall, within 10 working days after preventing the security incident which has significantly impacted the continuity of the essential service or the provision of the digital service, electronically submit to the competent Security Incidents Response Institution a final report where the following is stated:
8.1. the service affected by the security incident;
8.2. the description of the security incident;
8.3. duration of the prevention of the security incident;
8.4. the number of users (in percentage or figures) affected by the security incident;
8.5. the amount of loss caused by the security incident. If it is impossible to ascertain the exact amount of loss, the overall loss shall be estimated;
8.6. potential origin and cause of the security incident;
8.7. the European Union Member States affected by the security incident;
8.8. other information relating to the security incident.

9. The reports referred to in Paragraphs 4 and 8 of this Regulation shall be sent electronically by the operator of essential services or the digital service provider to the electronic mail address of the competent Security Incidents Response Institution. If the Internet connection is not available, the operator of essential services or the digital service provider shall provide the information referred to in Paragraph 4 of this Regulation to the competent Security Incidents Response Institution by phone.

Informative Reference to the European Union Directive

This Regulation contains legal norms arising from Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

Prime Minister Māris Kučinskis
Minister for Defence Raimonds Bergmanis

Translation © 2019 Valsts valodas centrs (State Language Centre)
Document information
Title: Regulations Regarding the Security Incident Relevance Criteria, Reporting Procedures, and Content of Report
Status: No longer in force