Operator of Essential Services
Definitions
European Definitions
European Commission
Operator of Essential Services: A public or private entity of a type referred to in Annex II of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016, which meets the criteria laid down in Article 5(2) of that Directive. [1]
Annex II of the Directive contains the list of essential ICT-controlled / ICT-based services: energy (power, gas, oil), transport (air, rail, water, road), banking, financial market infrastructures, health sector, drinking water supply & distribution, and Digital Infrastructure (IXPs, DNS service providers, TLD name registries).
Article 5(2)
The criteria for the identification of the operators of essential services shall be as follows:
- (a) an entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- (b) the provision of that service depends on network and information systems; and
- (c) an incident would have significant disruptive effects on the provision of that service.
Sector | Subsector | Type of entity |
---|---|---|
Energy | Electricity | Electricity undertakings as defined in point (35) of Article 2 of Directive 2009/72/EC of the European Parliament and of the Council [2], which carry out the function of ‘supply’ as defined in point (19) of Article 2 of that Directive |
Energy | Electricity | Distribution system operators as defined in point (6) of Article 2 of Directive 2009/72/EC |
Energy | Electricity | Transmission system operators as defined in point (4) of Article 2 of Directive 2009/72/EC |
Energy | Oil | Operators of oil transmission pipelines |
Energy | Oil | Operators of oil production, refining and treatment facilities, storage and transmission |
Energy | Gas | Supply undertakings as defined in point (8) of Article 2 of Directive 2009/73/EC of the European Parliament and of the Council [3] |
Energy | Gas | Distribution system operators as defined in point (6) of Article 2 of Directive 2009/73/EC |
Energy | Gas | Transmission system operators as defined in point (4) of Article 2 of Directive 2009/73/EC |
Energy | Gas | Storage system operators as defined in point (10) of Article 2 of Directive 2009/73/EC |
Energy | Gas | LNG system operators as defined in point (12) of Article 2 of Directive 2009/73/EC |
Energy | Gas | Natural gas undertakings as defined in point (1) of Article 2 of Directive 2009/73/EC |
Energy | Gas | Operators of natural gas refining and treatment facilities |
Transport | Air transport | Air carriers as defined in point (4) of Article 3 of Regulation (EC) No 300/2008 of the European Parliament and of the Council |
Transport | Air transport | Airport managing bodies as defined in point (2) of Article 2 of Directive 2009/12/EC of the European Parliament and of the Council, airports as defined in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/2013 of the European Parliament and of the Council, and entities operating ancillary installations contained within airports |
Transport | Air transport | Traffic management control operators providing air traffic control (ATC) services as defined in point (1) of Article 2 of Regulation (EC) No 549/2004 of the European Parliament and of the Council |
Transport | Rail transport | Infrastructure managers as defined in point (2) of Article 3 of Directive 2012/34/EU of the European Parliament and of the Council |
Transport | Rail transport | Railway undertakings as defined in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities as defined in point (12) of Article 3 of Directive 2012/34/EU |
Transport | Water transport | Inland, sea and coastal passenger and freight water transport companies, as defined for maritime transport in Annex I to Regulation (EC) No 725/2004 of the European Parliament and of the Council, not including the individual vessels operated by those companies |
Transport | Water transport | Managing bodies of ports as defined in point (1) of Article 3 of Directive 2005/65/EC of the European Parliament and of the Council, including their port facilities as defined in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports |
Transport | Water transport | Operators of vessel traffic services as defined in point (o) of Article 3 of Directive 2002/59/EC of the European Parliament and of the Council |
Transport | Road transport | Road authorities as defined in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/962 responsible for traffic management control |
Transport | Road transport | Operators of Intelligent Transport Systems as defined in point (1) of Article 4 of Directive 2010/40/EU of the European Parliament and of the Council |
Banking | | Credit institutions as defined in point (1) of Article 4 of Regulation (EU) No 575/2013 of the European Parliament and of the Council |
Financial market infrastructures | | Operators of trading venues as defined in point (24) of Article 4 of Directive 2014/65/EU of the European Parliament and of the Council |
Financial market infrastructures | | Central counterparties (CCPs) as defined in point (1) of Article 2 of Regulation (EU) No 648/2012 of the European Parliament and of the Council |
Health sector | Health care settings (including hospitals and private clinics) | Healthcare providers as defined in point (g) of Article 3 of Directive 2011/24/EU of the European Parliament and of the Council |
Drinking water supply and distribution | | Suppliers and distributors of water intended for human consumption as defined in point (1)(a) of Article 2 of Council Directive 98/83/EC but excluding distributors for whom distribution of water for human consumption is only part of their general activity of distributing other commodities and goods which are not considered essential services |
Digital infrastructure | | IXPs |
Digital infrastructure | | DNS service providers |
Digital infrastructure | | TLD name registries |
National Definitions
Austria
Essential services and security incidents: energy, transport, banking, financial infrastructures, health care, drinking water supply, digital infrastructure. [5]
Belgium
“Operator of essential services” (French text): a public or private entity of a type listed in Annex II which meets the criteria set out in Article 5(2). [7]
“Operator of essential services” (German text): a public or private entity of a type referred to in Annex II which meets the criteria of Article 5(2). [8]
Benin
Bulgaria
The list of OES is the same as the one set out in the NIS Directive. [11]
Congo
Croatia
Cyprus
Additional industries that are considered OES include electronic communications, wastewater, food, government and national security/emergency services, and environmental. OES must report any ‘data incidents’ to the CSIRT without undue delay. [15]
Czech Republic
Considered additional OES: chemical industry and digital infrastructure. [17]
Denmark
Estonia
Additional OES: electronic communication service providers, public broadcasting, providers of digital identification and digital signing service and district heating service providers. [20]
Finland
Considered additional OES: online marketplaces, search engines, cloud providers and other digital infrastructures. [22]
France
Considered OES: industries involved in the civil activities of the State, judicial activities, military activities of the State, food, electronic, audio-visual and information communication, space and research, and finance industries. For non-compliance, OES can face an administrative fine of either 75,000 euro, 100,000 euro or 150,000 euro. [26]
Germany
No additional OES have been appointed. [28]
Greece
Hungary
No additional OES have been appointed. Any ‘data incident’ should be reported to the competent authority immediately; however, further stipulations on ‘extraordinary incidents’ are described. [31]
Ireland
Sectors that revolve around energy, transport, banking, financial market infrastructure, health, water and digital infrastructure are all considered OES. [33]
Italy
No additional appointed OES. [35]
Kosovo
a) The entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
b) The provision of that service depends on network and information systems; and
c) An incident would have significant disruptive effects on the provision of that service. [36]
Latvia
No additional OES have been appointed. [38]
Lithuania
Considered as additional OES are: the industrial sector, chemical and nuclear sub-sector, state administration, civil safety, environmental, national defence and foreign and security affairs. [40]
Luxembourg
Malta
Mauritania/Mauritanie
Montenegro
Netherlands
See tables below. For any ‘data incidents’, OES must report without undue delay to the National Cyber Security Centre in addition to the relevant competent authority. Significant ‘data incidents’ can result in an administrative fine of 5 million euro. In addition, OES entities that fail to cooperate can face an administrative fine of up to 1 million euro. [47]
Sector | Subsector | Type of entity |
---|---|---|
Energy | Electricity | Transmission system operator TenneT (Elektriciteitswet 1998 art 10.2 and 14) [49] |
Energy | Electricity | Regional Distribution system operators (Elektriciteitswet 1998 art 10.9, 13.1 and 14) [49] |
Energy | Gas | Transmission system operator (Gaswet art 2.1 and 5) [50] |
Energy | Gas | Regional Distribution system operators (Gaswet art 2.8 and 5) [50] |
Energy | Gas | Natural gas undertaking 'De Nederlandse Aardolie Maatschappij B.V.' |
Energy | Oil | Stichting Centraal Orgaan Voorraadvorming Aardolieproducten |
Energy | Oil | Operators of oil production, refining and treatment facilities, storage and transmission |
Transport | Air transport | Royal Schiphol Group NV |
Transport | Air transport | Luchtverkeersleiding Nederland |
Transport | Air transport | Maastricht Upper Area Control Centre (MUAC) |
Transport | Air transport | Koninklijke Marechaussee |
Transport | Air transport | Each aircraft operator with over 25% of the total air movements at Schiphol in a year |
Transport | Harbours | De Divisie Havenmeester van het Havenbedrijf Rotterdam N.V. |
Financial | Banking | Credit companies appointed by De Nederlandse Bank N.V. according to EU 575/2013 art 4.1 (payments and securities trading) |
Financial | Financial infrastructure | Operators of trading platforms as defined in point (24) of Article 4 of Directive 2014/65/EU of the European Parliament and of the Council |
Financial | Financial infrastructure | Central counterparties (CCPs) as defined in point (1) of Article 2 of Regulation (EU) No 648/2012 of the European Parliament and of the Council |
Health sector | NO AES | NO AES identified - decision of the Ministry of Health, Welfare and Sport (VWS) [51] |
Drinking water | Drinking water supply and distribution | Suppliers and distributors of water as defined in the Drinkwaterwet art 1.1. [52] |
Digital infrastructure | IXP | Operators of IXPs as defined by art 4, under 13 of EU 2016/1148 connecting more than 300 autonomous systems |
Digital infrastructure | TLD name registries | Any IANA registered TLD operator of a TLD register managing over 1 million domain names |
Digital infrastructure | DNS service providers | Any IANA registered TLD operator managing over 1 million domain names and operating as a DNS service provider as defined by art 4, under 14 and 15 of EU 2016/1148 |

Sector | Subsector | Type of entity |
---|---|---|
Nuclear | Holder of permit Kernenergiewet art 15b | Nuclear energy production, processing and storage facilities |
Nuclear | Facilities appointed under Geheimhoudingsbesluit Kernenergiewet, toepassingsbesluit 24/09/1971/nr 671/524 | Protection of nuclear facilities |
Nuclear | Facilities appointed under Geheimhoudingsbesluit Kernenergiewet, toepassingsbesluit 24/09/1971/nr 671/524 | Guaranteeing security and confidentiality of data, equipment and materials used in the uranium enrichment process by separating isotopes using gas ultracentrifuges |
Water | Flood defences, water management and surface water quality | to be determined by the Minister of Infrastructure and Water Management |
Financial | Settlement companies | appointed by De Nederlandse Bank based on Wet financieel toezicht art 1:1 |
Financial | Central securities depository | appointed by De Nederlandse Bank based on EU 909/2014 art 2.1 |
Digital infrastructure | Electronic communication networks and services/ICT | Any operator of an electronic communication network or service which is directly or indirectly used for telephony, SMS, internet access for at least 1 million end users |
Poland
Additional OES are: heating and mining. [57]
Portugal
No additional OES defined. [59]
Romania
No additional OES defined. [61]
Slovakia
Additional OES sectors are pharmaceutical/chemical industry, public administration, electronic communication, postal service. [63] A list of OES can be found here: [64]
Slovenia
Additional OES sectors are environmental protection industries. [66]
Spain
No additional OES sectors defined. [68]
Sweden
No additional OES sectors defined. [70]
United Kingdom
No additional OES sectors defined. [72]
Standard Definition
Other Definitions
See also
Notes
References
- [1] DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
- [2] Directive 2009/72/EC of the European Parliament and of the Council
- [3] Directive 2009/73/EC of the European Parliament and of the Council
- [4] Directive (EU) 2016/1148 - DE
- [5] Bundesgesetzblatt für die Republik Österreich 17.07.2019 Teil II 215 NISV
- [6] Directive (EU) 2016/1148 - NL
- [7] Directive (EU) 2016/1148 - FR
- [8] Directive (EU) 2016/1148 - DE
- [9] DÉCRET N° 2023 - 060 DU 22 FEVRIER 2023 portant approbation des règles de politique de protection des infrastructures d’information critiques en République du Bénin
- [10] Directive (EU) 2016/1148 - BG
- [11] NIS tracker
- [12] Stratégie nationale de cybersécurité 2022 - 2025 de la République Démocratique de Congo
- [13] Directive (EU) 2016/1148 - HR
- [14] Directive (EU) 2016/1148 - EL
- [15] NIS tracker
- [16] Directive (EU) 2016/1148 - CS
- [17] NIS tracker
- [18] Directive (EU) 2016/1148 - DA
- [19] Directive (EU) 2016/1148 - ET
- [20] NIS tracker
- [21] Directive (EU) 2016/1148 - FI
- [22] NIS tracker
- [23] Directive (EU) 2016/1148 - FR
- [24] Information Systems Defence and Security: France’s Strategy, Republique Francaise, 2011.
- [25] Glossaire SSI.gouv.fr
- [26] NIS tracker
- [27] Directive (EU) 2016/1148 - DE
- [28] NIS tracker
- [29] Directive (EU) 2016/1148 - EL
- [30] Directive (EU) 2016/1148 - HU
- [31] NIS tracker
- [32] Directive (EU) 2016/1148 - EN
- [33] NIS tracker
- [34] Directive (EU) 2016/1148 - IT
- [35] NIS tracker
- [36] National Cyber Security Strategy and Action Plan 2023 – 2026 (2023)
- [37] Directive (EU) 2016/1148 - LV
- [38] NIS tracker
- [39] Directive (EU) 2016/1148 - LT
- [40] NIS tracker
- [41] Directive (EU) 2016/1148 - FR
- [42] Directive (EU) 2016/1148 - MT
- [43] Strategie nationale de cybersecurite 2022-2025 (2022)
- [44] Strategija sajber bezbjednosti Crne Gore 2022-2026 (2021)
- [45] Стратегија сајбер безбједности Црне Горе 2022-2026
- [46] Directive (EU) 2016/1148 - NL
- [47] NIS tracker
- [48] Staatsblad van het Koninkrijk der Nederlanden, 388, 30-10-20-18
- [49] Elektriciteitswet 1998
- [50] Gaswet
- [51] Commissiebrief Tweede Kamer inzake waarom ziekenhuizen en andere zorgaanbieders volgens de memorie van de toelichting van de Cybersecuritywet niet aangewezen worden als essentiële diensten en toezegging rapporteren voortgang Actieplan informatiebeveiliging, 2 juli 2018
- [52] Drinkwaterwet
- [53] Staatsblad van het Koninkrijk der Nederlanden, 388, 30-10-20-18
- [54] Handreiking Cybercrime (2012)
- [55] Directive (EU) 2016/1148 - PL
- [56] Strategia Cyberbezpieczeństwa Rzeczypospolitej Polskiej na lata 2017-2022
- [57] NIS tracker
- [58] Directive (EU) 2016/1148 - PT
- [59] NIS tracker
- [60] Directive (EU) 2016/1148 - RO
- [61] NIS tracker
- [62] Directive (EU) 2016/1148 - SK
- [63] NIS tracker
- [64] Zoznam základných služieb/List of basic services SK
- [65] Directive (EU) 2016/1148 - SL
- [66] NIS tracker
- [67] Directive (EU) 2016/1148 - ES
- [68] NIS tracker
- [69] Directive (EU) 2016/1148 - SV
- [70] NIS tracker
- [71] Directive (EU) 2016/1148 - EN
- [72] NIS tracker