On 14 February 2023, the government adopted a proposal for an Act on Combating Abuses in Electronic Communication (ACAEC). The Act will impose new obligations on telecommunications entrepreneurs and e-mail providers. The ACAEC will now go to the parliament for further work.

The ACAEC would prohibit electronic communications abuses such as the generation of artificial traffic, smishing, CLI spoofing, and change-of-address scams. New obligations will be imposed on telecommunications entrepreneurs with a view to preventing these activities, such as:

  • blocking text messages containing content found on the message template published by the CSIRT NASK;
  • blocking voice calls or concealing caller ID (relating to numbers registered with the President of the Office of Electronic Communications);
  • applying organizational and technical measures to monitor, detect and share information about CLI spoofing;
  • preventing users from gaining access to websites that use domains featured on the CSIRT NASK warning list;
  • blocking access to a number or service named in a decision issued by the President of the Office of Electronic Communications and stopping the charging of fees for these calls or services;
  • recording details of telecommunications services not performed as a result of fulfilling obligations under the ACAEC.

In addition, e-mail providers that serve at least 500 000 users or a public entity will be required to deploy the SPF, DMARC and DKIM mechanisms, operating together. E-mail providers for a public entity will also be required to provide multi-factor authentication.

For failing to comply with certain obligations provided for in the ACAEC, telecommunications entrepreneurs could face a fine of up to 3% of the entrepreneur’s revenue generated in the previous calendar year.

Importantly, the proposal for the ACAEC contains references to, and uses terminology taken from, the Telecommunications Law in effect today. As a result, once the current work on the Electronic Communications Law is completed and that law is enacted, aligning the ACAEC with the new laws will become an urgent matter.

If the ACAEC is passed, it will enter into force thirty days from its publication. Once it enters into force, e-mail providers for a public entity will have three months to introduce SPF, DMARC and DKIM mechanisms, and six months to present public entities with an offer of e-mail services enabling multi-factor authentication.