Art. 95 (1) TKG 2003 obliges operators of public communications services to issue data security measures for each service provided by the operator. In case of a particular risk of a violation of confidentiality, the operator must, according to Art. 95 (2) TKG 2003, inform the subscriber concerning such risk and, where the risk lies outside the scope of the measures to be taken by the operator, of any possible remedies including their costs. Moreover, operators of public communications services must take data security measures for the following purposes in any case:
RTR as the competent regulatory authority according to Art. 95 (3) TKG 2003 may review the measures taken by the operators of public communications services and issue recommendations with regard to the security level to be reached. In order to review the measures, RTR may request the operator according to Art. 90 TKG 2003 to provide the required information.