NIS Directive: Who are the Operators of Essential Services (OES)?

Work for a bank or ISP? Systems going down because of attacks, or negligence, or both? Congratulations, NIS applies to you…:

The NIS Directive does not define explicitly which entities are to be considered as OES under its scope. Instead, it provides criteria that Member States need to apply in order to carry out an identification process to determine which enterprises will be considered operators of essential services and therefore subject to the obligations under the Directive.

According to Article 5(2), the criteria for the identification of the operators of essential services are the following:

  • the entity provides a service which is essential for the maintenance of critical societal and/or economic activities
  • the provision of that service depends on network and information systems
  • an incident would have significant disruptive effects on the provision of that service.

Article 4(4) of the Directive states that an OES is a “public or private entity of a type referred to in Annex II” that meets above criteria. The sectors and sub-sectors subject to the provisions of the Directive are included in the following table.

Sector Subsector Type of Entity
Energy Electricity Electricity undertakings which carry out the function of “supply”
Oil Operators of transmission pipelines
Operators of oil production, refining, and treatment facilities, storage and transmission
Gas Supply undertakings
Distribution, transmission, and storage system operators
LNG system operators
Natural gas undertakings
Operators of natural gas refining and treatment facilities
Transport Air transport Air carriers
Airport managing bodies, airports, and entities operating ancillary installations within airports
Traffic management control operators providing air traffic control (ATC) services
Rail transport Infrastructure managers
Railway undertakings
Water transport Inland, sea and coastal passenger and freight water transport companies
Managing bodies of ports including their port facilities
Operators of vessel traffic services
Road transport Road authorities responsible for traffic management control
Operators of Intelligent Transport Systems
Banking Credit institutions
Financial market Operators of trading venues and central counterparties
Health sector Healthcare settings including hospitals and private clinics Healthcare providers
Drinking water supply and distribution Suppliers and distributors of water intended for human consumption
Digital infrastructure Internet Exchange Points (IXPs)
DNS service providers
Top-Level Domain (TLD) name registries


While most of the entities belong to “traditional” critical infrastructure sectors, for the digital infrastructure sector, the European Commission provided further clarifications to help the Member States identify the organizations that fall under this category.

In addition to the above critical sectors, the European Commission has directed the Member States “to expand the security and notification obligations under Article 14 to entities belonging to other sectors and sub-sectors,” such as public administrations, food sector, postal sector, chemical and nuclear industry, environmental sector, and civil protection.

Original article here