The NIS Directive is the first EU horizontal legislation addressing cybersecurity challenges and a true game-changer for cybersecurity resilience and cooperation in Europe. The Directive has three main objectives:

  • Improving national cybersecurity capabilities
  • Building cooperation at EU level
  • Promoting a culture of risk management and incident reporting among key economic actors, notably operators providing essential services (OES) for the maintenance of economic and societal activities and Digital Service Providers (DSPs)

The NIS Directive is the cornerstone of the EU’s response to the growing cyber threats and challenges that accompany the digitalisation of economic and societal life. In the previous article, we covered the security requirements and incident notification obligations for DSPs; this one examines the obligations of Operators of Essential Services.

The Directive requires Member States to identify key entities in a number of critical infrastructure sectors as “Operators of Essential Services”, to ensure that these entities reach a given level of security for their network and information systems, and to impose on them a binding obligation to notify incidents. In addition to ensuring that a well-resourced CSIRT is in place, Member States must also designate a National Competent Authority (NCA) to receive incident notifications and to supervise the compliance of OES with the Directive.

The rationale is that a security incident affecting such a service may seriously disrupt its operation, and in turn cause major disruption to economic activity and to society at large, undermining user confidence and causing significant damage to the economy of the Union.

Who Are the Operators of Essential Services?

The NIS Directive does not explicitly define which entities fall within its scope as OES. Instead, it provides criteria that Member States need