NIS Directive: Who Are the Operators of Essential Services (OES)?

Image

The NIS Directive is the first EU horizontal legislation addressing cybersecurity challenges. It is a true game-changer for cybersecurity resilience and cooperation in Europe. As we noted in a previous blog post, the Directive has three main objectives:

• Improving national cybersecurity capabilities
• Building cooperation at EU level
• Promoting a culture of risk management and incident reporting among key economic actors, notably operators providing essential services (OES) for the maintenance of economic and societal activities and Digital Service Providers (DSPs)

The NIS Directive is the cornerstone of the EU’s response to the growing cyber threats and challenges which are accompanying the digitalization of our economic and societal life. This article will examine the obligations of the Operators of Essential Services. The Directive compels Member States to classify key entities in various critical infrastructure sectors as “Operators of Essential Services” and to ensure that these enterprises have reached a given level of security in terms of their IT systems while imposing a binding reporting obligation on these entities to report incidents. Secondly, and in addition to ensuring that a well-resourced CSIRT is in place, Member States will also be required to designate a National Competent Authority (or NCA) to manage reporting and compliance of the OES entities with the Directive. The rationale is that impacts of security incidents in such services may cause major disruptions to economic activities and to society at large, potentially undermining user confidence and causing major damage to the economy of the Union.

Who Are the Operators of Essential Services?

The NIS Directive does not define explicitly which entities are to be considered as OES under its scope. Instead, it provides criteria that Member States need to apply in order to carry out an identification process to determine which enterprises will be considered operators of essential services and therefore subject to the obligations under the Directive. According to Article 5(2), the criteria for the identification of the operators of essential services are the following:

• The entity provides a service which is essential for the maintenance of critical societal and/or economic activities.
• The provision of that service depends on network and information systems.
• An incident would have significant disruptive effects on the provision of that service.

Article 4(4) of the Directive states that an OES is a “public or private entity of a type referred to in Annex II” that meets above criteria. The sectors and sub-sectors subject to the provisions of the Directive are included in the following table.

  While most of the entities belong to “traditional” critical infrastructure sectors, for the digital infrastructure sector, the European Commission provides further clarifications to help the Member States identify the organizations that fall under this category. In addition to the above critical sectors, the European Commission has directed Member States “to expand the security and notification obligations under Article 14 to entities belonging to other sectors and sub-sectors” such as public administrations, food sector, postal sector, chemical and nuclear industry, environmental sector, and civil protection.

Security Requirements for the OES

The NIS Directive requires that Member States ensure designated operators of essential services:

• Take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems in the provision of their service [Article 14(1)].
• Take appropriate measures to prevent and minimize the impact of the incidents affecting the security of the network and information systems used in the provision of their service [Article 14(2)].

To help Member States develop a harmonized security policy for their OES, the NIS Cooperation Group has published reference security guidelines. According to the agreed principles, the security measures must be:

• Effective
• Tailored
• Compatible
• Proportionate
• Concrete
• Verifiable
• Inclusive

In addition to the above principles, the NIS Cooperation Group urges  Member States to “acknowledge the added-value of dialogue with public and private operators, in particular with regard to the implementation of the security measures” and to “find a proper cost-benefit balance so that to ensure efficient security measures, with respect to the security of essential services to the economy and the society, while taking into account their cost for OES.” Based on the Cooperation Group guidelines, each National Competent Authority has published a set of security requirements that OES must implement within their organization. It is the responsibility of the OES to be able to demonstrate to the National Competent Authority that they are applying the mandatory security principles and measures associated with those principles that allow for the protection of network and information security within their organization. OES is responsible for identifying the network and information systems that need to comply with the Directive’s security requirements, which are to be agreed with the National Competent Authority. The technical and organizational measures identified in the NIS Cooperation Group guidelines offer a best practice framework for ensuring the protection of network and information systems. The security guidelines consist of five themes that provide a high-level view of an organization’s management of cybersecurity risk. These five themes are Identify, Protect, Detect, Respond and Recover, which are in line with the Core themes of the NIST Cybersecurity Framework. The use of internationally accepted standards and specifications relevant to the security of network and information systems is encouraged in order to promote primary implementations of the requirements. In fact, Ireland’s National Cyber Security Center (NCSC) has published compliance guidelines that provide a mapping with already established critical infrastructure security frameworks such as CIS Controls, ISA/IEC 62443 standards, ISO 27001:2013 and NIST SP 800-53.

Incident Notification Requirements

According to Article 14(3), Member States must ensure that OES notify without any delay “any incident having a significant impact on the continuity of the essential services.” Hence, the OESs should only notify serious incidents affecting the continuity of the essential service. Article 4(7) defines an incident as “any event having an actual adverse effect on the security of network and information systems.” The term ‘security of network and information systems’ is further defined under Article 4(2) as “the ability of network to resists, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.” Consequently, any event having an adverse effect not only on the availability but also on authenticity, integrity or confidentiality of data or related services could trigger the notification obligation. In fact, the continuity of the service can be compromised not only in cases where the physical availability is concerned but also by any other security incident affecting the proper provision of the service. In order to determine the significance of the impact of an incident, Article 14(4) states that the following parameters shall be considered:

• the number of users affected by the disruption of the essential service
• the duration of the incident
• the geographical spread regarding the area affected by the incident.

Finally, the NIS Cooperation Group has published a reference document of circumstances that trigger the notification obligations. According to these guidelines, the Member States can also consider the following parameters to initiate the notification process:

• the dependency of other OES sectors on the service provided by the affected entity;
• the impact that incidents have, in terms of degree and duration, on economic and societal activities or public safety;
• the market share of that entity;
• the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service.

Further Guidance Enterprises that are digital service providers and fall under the provisions of the NIS Directive can seek guidance from either their National Competent Authority or by visiting the NIS Cooperation Group website, which has published guidelines to help DSPs identify cybersecurity incidents and on how to notify such incidents.