Appropriate levels of network and information security are exceptionally important for the normal operation of the economy and the development of society. Disruption or degradation of electronic communications services resulting from malicious acts, natural disasters, or systemic or human errors can have a critical effect on the operation of the information society. The European Directive 2009/140/EC brought numerous legislative changes and amendments in the field of electronic communications. One of the directive’s most important objectives is the obligation to ensure appropriate security and integrity of networks and services. Slovenia has transposed this directive into its national legislation as part of the Electronic Communications Act.
Chapter 7 of the Act requires operators to adopt appropriate technical and organizational measures to mitigate risks to network and service security, especially with the objective of preventing and reducing the effects of security incidents on users and interconnected networks. Operators must adopt all the measures required to ensure the integrity of their networks so that services are provided over these networks without interruption. Operators are also obligated to inform and report in the event of security or integrity breaches. Within the scope of its authority, and where required by the level and scope of the breach, the Agency informs the national contact point for managing security incidents (SI-CERT), the national regulatory bodies in other member countries and the European Network and Information Security Agency (ENISA) of individual breaches of service security or network integrity.
In accordance with the Electronic Communications Act, the Agency has published the General act on the security of networks and services, in which it detailed the organizational measures that operators must adopt to ensure the integrity of their networks and the uninterrupted provision of services over these networks. Under the General act, operators must establish and maintain a documented system for information protection management (SIPM) and a system for uninterrupted operations management (SUOM). Technical measures were not defined, as they depend on the characteristics of operations, organization, location, size, and technology, as well as on the risk assessment of each individual operator. In the event of a breach of network or service security or network integrity that has a significant impact on the operation of public communication networks or the provision of public communication services, the operator must inform the Agency immediately upon detection.