Work for a bank or ISP? Systems going down because of attacks, or negligence, or both? Congratulations, NIS applies to you…:
The NIS Directive does not define explicitly which entities are to be considered as OES under its scope. Instead, it provides criteria that Member States need to apply in order to carry out an identification process to determine which enterprises will be considered operators of essential services and therefore subject to the obligations under the Directive.
According to Article 5(2), the criteria for the identification of the operators of essential services are the following:
- the entity provides a service which is essential for the maintenance of critical societal and/or economic activities
- the provision of that service depends on network and information systems
- an incident would have significant disruptive effects on the provision of that service.
Article 4(4) of the Directive states that an OES is a “public or private entity of a type referred to in Annex II” that meets the above criteria. The sectors and sub-sectors subject to the provisions of the Directive are listed in the following table.
| Sector | Subsector | Type of Entity |
| --- | --- | --- |
| Energy | Electricity | Electricity undertakings which carry out the function of “supply” |
| Energy | Oil | Operators of transmission pipelines; operators of oil production, refining, and treatment facilities, storage and transmission |
| Energy | Gas | Supply undertakings; distribution, transmission, and storage system operators; LNG system operators; natural gas undertakings; operators of natural gas refining and treatment facilities |
| Transport | Air transport | Air carriers; airport managing bodies, airports, and entities operating ancillary installations within airports; traffic management control operators providing air traffic control (ATC) services |
| Transport | Rail transport | Infrastructure managers; railway undertakings |
| Transport | Water transport | Inland, sea and coastal passenger and freight water transport companies; managing bodies of ports including their port facilities; operators of vessel traffic services |
| Transport | Road transport | Road authorities responsible for traffic management control; operators of Intelligent Transport Systems |
| Banking | | Credit institutions |
| Financial market | | Operators of trading venues and central counterparties |
| Health sector | Healthcare settings including hospitals and private clinics | Healthcare providers |
| Drinking water supply and distribution | | Suppliers and distributors of water intended for human consumption |
| Digital infrastructure | | Internet Exchange Points (IXPs); DNS service providers; Top-Level Domain (TLD) name registries |
While most of the entities belong to “traditional” critical infrastructure sectors, for the digital infrastructure sector, the European Commission provided further clarifications to help the Member States identify the organizations that fall under this category.
In addition to the above critical sectors, the European Commission has directed the Member States “to expand the security and notification obligations under Article 14 to entities belonging to other sectors and sub-sectors,” such as public administrations, food sector, postal sector, chemical and nuclear industry, environmental sector, and civil protection.