- Improving national cybersecurity capabilities
- Building cooperation at EU level
- Promoting a culture of risk management and incident reporting among key economic actors, notably operators providing essential services (OES) for the maintenance of economic and societal activities and Digital Service Providers (DSPs)
Who Are the Operators of Essential Services?The NIS Directive does not define explicitly which entities are to be considered as OES under its scope. Instead, it provides criteria that Member States need to apply in order to carry out an identification process to determine which enterprises will be considered operators of essential services and therefore subject to the obligations under the Directive. According to Article 5(2), the criteria for the identification of the operators of essential services are the following:
- The entity provides a service which is essential for the maintenance of critical societal and/or economic activities.
- The provision of that service depends on network and information systems.
- An incident would have significant disruptive effects on the provision of that service.
|Sector||Subsector||Type of Entity|
|Energy||Electricity||Electricity undertakings which carry out the function of “supply”|
|Oil||Operators of transmission pipelines|
|Operators of oil production, refining, and treatment facilities, storage and transmission|
|Distribution, transmission, and storage system operators|
|LNG system operators|
|Natural gas undertakings|
|Operators of natural gas refining and treatment facilities|
|Transport||Air transport||Air carriers|
|Airport managing bodies, airports, and entities operating ancillary installations within airports|
|Traffic management control operators providing air traffic control (ATC) services|
|Rail transport||Infrastructure managers|
|Water transport||Inland, sea and coastal passenger and freight water transport companies|
|Managing bodies of ports including their port facilities|
|Operators of vessel traffic services|
|Road transport||Road authorities responsible for traffic management control|
|Operators of Intelligent Transport Systems|
|Financial market||Operators of trading venues and central counterparties|
|Health sector||Healthcare settings including hospitals and private clinics||Healthcare providers|
|Drinking water supply and distribution||Suppliers and distributors of water intended for human consumption|
|Digital infrastructure||Internet Exchange Points (IXPs)|
|DNS service providers|
|Top-Level Domain (TLD) name registries|
Security Requirements for the OESThe NIS Directive requires that Member States ensure designated operators of essential services:
- Take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems in the provision of their service [Article 14(1)].
- Take appropriate measures to prevent and minimize the impact of the incidents affecting the security of the network and information systems used in the provision of their service [Article 14(2)].
Incident Notification RequirementsAccording to Article 14(3), Member States must ensure that OES notify without any delay “any incident having a significant impact on the continuity of the essential services.” Hence, the OESs should only notify serious incidents affecting the continuity of the essential service. Article 4(7) defines an incident as “any event having an actual adverse effect on the security of network and information systems.” The term ‘security of network and information systems’ is further defined under Article 4(2) as “the ability of network to resists, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.” Consequently, any event having an adverse effect not only on the availability but also on authenticity, integrity or confidentiality of data or related services could trigger the notification obligation. In fact, the continuity of the service can be compromised not only in cases where the physical availability is concerned but also by any other security incident affecting the proper provision of the service. In order to determine the significance of the impact of an incident, Article 14(4) states that the following parameters shall be considered:
- the number of users affected by the disruption of the essential service
- the duration of the incident
- the geographical spread regarding the area affected by the incident.
- the dependency of other OES sectors on the service provided by the affected entity;
- the impact that incidents have, in terms of degree and duration, on economic and societal activities or public safety;
- the market share of that entity;
- the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service.