Operator of Essential Services

From CIPedia

Definitions

European Definitions

European Commission

Operator of essential services means a public or private entity of a type referred to in Annex II [of the EU Directive 2016/1148], which meets the criteria laid down in Article 5(2).

Operador de Serviços Essenciais (operator of essential services): a public or private entity belonging to one of the types referred to in Annex II of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016, and which meets the criteria laid down in Article 5(2) of the same Directive. [1]

Annex II of the Directive contains the list of essential ICT-controlled / ICT-based services: energy (power, gas, oil), transport (air, rail, water, road), banking, financial market infrastructures, health sector, drinking water supply & distribution, and Digital Infrastructure (IXPs, DNS service providers, TLD name registries).

Article 5(2): The criteria for the identification of the operators of essential services shall be as follows:

  (a) an entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
  (b) the provision of that service depends on network and information systems; and
  (c) an incident would have significant disruptive effects on the provision of that service.


ANNEX II Table

| Sector | Subsector | Type of entity |
|---|---|---|
| Energy | Electricity | Electricity undertakings as defined in point (35) of Article 2 of Directive 2009/72/EC of the European Parliament and of the Council [2], which carry out the function of ‘supply’ as defined in point (19) of Article 2 of that Directive |
| | | Distribution system operators as defined in point (6) of Article 2 of Directive 2009/72/EC |
| | | Transmission system operators as defined in point (4) of Article 2 of Directive 2009/72/EC |
| | Oil | Operators of oil transmission pipelines |
| | | Operators of oil production, refining and treatment facilities, storage and transmission |
| | Gas | Supply undertakings as defined in point (8) of Article 2 of Directive 2009/73/EC of the European Parliament and of the Council [3] |
| | | Distribution system operators as defined in point (6) of Article 2 of Directive 2009/73/EC |
| | | Transmission system operators as defined in point (4) of Article 2 of Directive 2009/73/EC |
| | | Storage system operators as defined in point (10) of Article 2 of Directive 2009/73/EC |
| | | LNG system operators as defined in point (12) of Article 2 of Directive 2009/73/EC |
| | | Natural gas undertakings as defined in point (1) of Article 2 of Directive 2009/73/EC |
| | | Operators of natural gas refining and treatment facilities |
| Transport | Air transport | Air carriers as defined in point (4) of Article 3 of Regulation (EC) No 300/2008 of the European Parliament and of the Council |
| | | Airport managing bodies as defined in point (2) of Article 2 of Directive 2009/12/EC of the European Parliament and of the Council, airports as defined in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/2013 of the European Parliament and of the Council, and entities operating ancillary installations contained within airports |
| | | Traffic management control operators providing air traffic control (ATC) services as defined in point (1) of Article 2 of Regulation (EC) No 549/2004 of the European Parliament and of the Council |
| | Rail transport | Infrastructure managers as defined in point (2) of Article 3 of Directive 2012/34/EU of the European Parliament and of the Council |
| | | Railway undertakings as defined in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities as defined in point (12) of Article 3 of Directive 2012/34/EU |
| | Water transport | Inland, sea and coastal passenger and freight water transport companies, as defined for maritime transport in Annex I to Regulation (EC) No 725/2004 of the European Parliament and of the Council, not including the individual vessels operated by those companies |
| | | Managing bodies of ports as defined in point (1) of Article 3 of Directive 2005/65/EC of the European Parliament and of the Council, including their port facilities as defined in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports |
| | | Operators of vessel traffic services as defined in point (o) of Article 3 of Directive 2002/59/EC of the European Parliament and of the Council |
| | Road transport | Road authorities as defined in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/962 responsible for traffic management control |
| | | Operators of Intelligent Transport Systems as defined in point (1) of Article 4 of Directive 2010/40/EU of the European Parliament and of the Council |
| Banking | | Credit institutions as defined in point (1) of Article 4 of Regulation (EU) No 575/2013 of the European Parliament and of the Council |
| Financial market infrastructures | | Operators of trading venues as defined in point (24) of Article 4 of Directive 2014/65/EU of the European Parliament and of the Council |
| | | Central counterparties (CCPs) as defined in point (1) of Article 2 of Regulation (EU) No 648/2012 of the European Parliament and of the Council |
| Health sector | Health care settings (including hospitals and private clinics) | Healthcare providers as defined in point (g) of Article 3 of Directive 2011/24/EU of the European Parliament and of the Council |
| Drinking water supply and distribution | | Suppliers and distributors of water intended for human consumption as defined in point (1)(a) of Article 2 of Council Directive 98/83/EC but excluding distributors for whom distribution of water for human consumption is only part of their general activity of distributing other commodities and goods which are not considered essential services |
| Digital infrastructure | | IXPs |
| | | DNS service providers |
| | | TLD name registries |

National Definitions

Austria

„Betreiber wesentlicher Dienste“ (operator of essential services): a public or private entity of a type referred to in Annex II, which meets the criteria of Article 5(2). [4]


Belgium

„Aanbieder van essentiële diensten” (operator of essential services): a public or private entity whose type is listed in Annex II and which meets the criteria of Article 5(2). [5]

«opérateur de services essentiels» (operator of essential services): a public or private entity whose type is listed in Annex II and which meets the criteria set out in Article 5(2). [6]


Bulgaria

„оператор на основни услуги“ (operator of essential services) means a public or private entity of the categories referred to in Annex II, which meets the criteria laid down in Article 5(2). [7]

The list of OES is the same as the one set out in the NIS Directive. [8]

Croatia

„Operator ključne usluge” (operator of essential services) means a public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2). [9]


Cyprus

«φορέας εκμετάλλευσης βασικών υπηρεσιών» (operator of essential services): a public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2). [10]
Additional industries that are considered OESs include electronic communications, wastewater, food, government and national security/emergency services, and environmental. OESs must report any ‘data incidents’ to CSIRT without undue delay. [11]


Czech Republic

„Provozovatelem základních služeb“ (operator of essential services): a public or private entity whose type is listed in Annex II and which meets the criteria laid down in Article 5(2). [12]

Considered additional OES: chemical industry and digital infrastructure. [13]

Denmark

»Operatør af væsentlige tjenester« (operator of essential services): a public or private entity of a type referred to in Annex II, which meets the criteria in Article 5(2). [14]


Estonia

„Oluliste teenuste operaator“ (operator of essential services): a public or private sector entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2). [15]
Additional OES: electronic communication service providers, public broadcasting, providers of digital identification and digital signing service and district heating service providers. [16]

Finland

’Keskeisten palvelujen tarjoajalla’ (operator of essential services) means a public or private entity which is of a type referred to in Annex II and meets the criteria laid down in Article 5(2). [17]

Considered additional OES: online marketplaces, search engines, cloud providers and other digital infrastructures. [18]

France

«Opérateur de services essentiels» (operator of essential services): a public or private entity whose type is listed in Annex II and which meets the criteria set out in Article 5(2). [19]

An operator of critical infrastructure: - exercises activities cited in Article R. 1332-2 and included in a critical sector; - manages or uses for this activity one or more organisations or works, one or more facilities, whose damage, unavailability or destruction due to malicious action, sabotage or terrorism would directly or indirectly seriously compromise the military or economic capabilities, the security or the survival ability of the nation or seriously threaten the lives of its population. [20]

An opérateur d’importance vitale (operator of vital importance): carries out activities mentioned in Article R. 1332-2 and falling within a sector of activities of vital importance; manages or uses for that activity one or more establishments or works, or one or more installations, whose damage, unavailability or destruction as a result of malicious action, sabotage or terrorism would risk, directly or indirectly, seriously impairing the war or economic potential, the security or the survival capacity of the Nation, or seriously endangering the health or life of the population. [21]

Considered OES: industries involved in the civil activities of the State, judicial activities, military activities of the State, food, electronic, audio-visual and information communication, space and research, and finance industries. For non-compliance, OES can face an administrative fine of either 75,000 EURO, 100,000 EURO or 150,000 EURO. [22]

Germany

„Betreiber wesentlicher Dienste“ (operator of essential services): a public or private entity of a type referred to in Annex II, which meets the criteria of Article 5(2). [23]
No additional OES have been appointed. [24]

Greece

«φορέας εκμετάλλευσης βασικών υπηρεσιών» (operator of essential services): a public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2). [25]


Hungary

„alapvető szolgáltatásokat nyújtó szereplő” (operator of essential services): a public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2). [26]


No additional OES have been appointed. Any ‘data incident’ should be reported to the competent authority immediately, however further stipulations on ‘extraordinary incidents’ are described. [27]

Ireland

‘Operator of essential services’ means a public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2) [of EU 2016/1148]. [28]
Sectors that revolve around energy, transport, banking, financial market infrastructure, health, water and digital infrastructure are all considered OES. [29]

Italy

«Operatore di servizi essenziali» (operator of essential services): a public or private entity of a type referred to in Annex II, which meets the criteria of Article 5(2). [30]
No additional appointed OES. [31]

Latvia

“Pamatpakalpojumu sniedzējs” (operator of essential services) is a public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2). [32]
No additional OES have been appointed. [33]

Lithuania

Esminių paslaugų operatorius (operator of essential services): a public or private sector entity whose type is listed in Annex II and which meets the criteria laid down in Article 5(2). [34]
Considered as additional OES are: the industrial sector, chemical and nuclear sub-sector, state administration, civil safety, environmental, national defence and foreign and security affairs. [35]

Luxembourg

«Opérateur de services essentiels» (operator of essential services): a public or private entity whose type is listed in Annex II and which meets the criteria set out in Article 5(2). [36]


Malta

“Operatur ta' servizzi essenzjali” (operator of essential services) means a public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2). [37]


Netherlands

„Aanbieder van essentiële diensten” (operator of essential services): a public or private entity whose type is listed in Annex II and which meets the criteria of Article 5(2). [38]

See tables below. For any ‘data incidents’, OES must report without undue delay to the National Cyber Security Centre in addition to the relevant competent authority. Significant ‘data incidents’ can result in an administrative fine of 5 million euro. In addition, OES entities that fail to cooperate can face an administrative fine of up to 1 million euro. [39]

APPOINTED OES (AED in Dutch) according to Art 2 of EU 2016/1148 in the Netherlands [40]

| Sector | Subsector | Type of entity |
|---|---|---|
| Energy | Electricity | Transmission system operator TenneT (Elektriciteitswet 1998 art 10.2 and 14) [41] |
| | | Regional Distribution system operators (Elektriciteitswet 1998 art 10.9, 13.1 and 14) [41] |
| | Gas | Transmission system operator (Gaswet art 2.1 and 5) [42] |
| | | Regional Distribution system operators (Gaswet art 2.8 and 5) [42] |
| | | Natural gas undertaking 'De Nederlandse Aardolie Maatschappij B.V.' |
| | Oil | Stichting Centraal Orgaan Voorraadvorming Aardolieproducten |
| | | Operators of oil production, refining and treatment facilities, storage and transmission |
| Transport | Air transport | Royal Schiphol Group NV |
| | | Luchtverkeersleiding Nederland |
| | | Maastricht Upper Area Control Centre (MUAC) |
| | | Koninklijke Marechaussee |
| | | Each aircraft operator with over 25% of the total air movements at Schiphol in a year |
| | Harbours | De Divisie Havenmeester van het Havenbedrijf Rotterdam N.V. |
| Financial | Banking | The credit companies appointed by De Nederlandse Bank N.V. according to EU 575/2013 art 4.1 (payments and securities trading) |
| | Financial infrastructure | Operators of trading platforms as defined in point (24) of Article 4 of Directive 2014/65/EU of the European Parliament and of the Council |
| | | Central counterparties (CCPs) as defined in point (1) of Article 2 of Regulation (EU) No 648/2012 of the European Parliament and of the Council |
| Health sector | NO AES | NO AES identified - decision of the Ministry of Health, Welfare and Sport (VWS) [43] |
| Drinking water | Drinking water supply and distribution | Suppliers and distributors of water as defined in the Drinkwaterwet art 1.1. [44] |
| Digital infrastructure | IXP | Operators of IXPs as defined by art 4, under 13 of EU 2016/1148 connecting more than 300 autonomous systems |
| | TLD name registries | Any IANA registered TLD operator of a TLD register managing over 1 million domain names |
| | DNS service providers | Any IANA registered TLD operator managing over 1 million domain names and operating as a DNS service provider as defined by art 4, under 14 and 15 of EU 2016/1148 |


APPOINTED OES according to Art 3 (Other OES) of EU 2016/1148 in the Netherlands [45]
Sector Subsector Type of entity
Nuclear Holder of permit Kernenergiewet art 15b Nuclear energy production, processing and storage facilities
Facilities appointed under Geheimhoudingsbesluit Kernenergiewet, toepassingsbesluit 24/09/1971/nr 671/524 Protection of nuclear facilities
Guaranteeing security and confidentiality of data, equipment and materials used in the uranium enrichment process by separating isotopes using gas ultracentrifuges
Water Flood defences, water management and surface water quality to be determined by the Minister of Infrastructure and Water Management
Financial Settlement companies appointed by De Nederlandse Bank based on Wet financieel toezicht art 1:1
Central securities depository appointed by De Nederlandse Bank based on EU 909/2014 art 2.1

Digital infrastructure Electronic communication networks and -services/ICT Any operator of an electronic communication network or service which is directly or indirectly used for telephony, SMS, internet access for at least 1 million end users


Poland

„Operator usług kluczowych” (operator of essential services) means a public or private entity belonging to one of the types referred to in Annex II, which meets the criteria laid down in Article 5(2). [46] [47]
Additional OES are: heating and mining. [48]


Portugal

«Operador de serviços essenciais» (operator of essential services): a public or private entity belonging to one of the types referred to in Annex II and which meets the criteria laid down in Article 5(2). [49]
No additional OES defined. [50]

Romania

„Operator de servicii esențiale” (operator of essential services) means a public or private entity of the type referred to in Annex II, which meets the criteria laid down in Article 5(2). [51]
No additional OES defined. [52]

Slovakia

„Prevádzkovateľ základných služieb“ (operator of essential services) is a public or private entity whose type is listed in Annex II and which meets the criteria laid down in Article 5(2). [53]
Additional OES sectors are pharmaceutical/chemical industry, public administration, electronic communication, postal service. [54]

Slovenia

„Izvajalec bistvenih storitev“ (operator of essential services) means a public or private entity which falls within the types in Annex II and meets the criteria laid down in Article 5(2). [55]
Additional OES sectors are environmental protection industries. [56]

Spain

«operador de servicios esenciales» (operator of essential services): a public or private entity of one of the types listed in Annex II, which meets the criteria laid down in Article 5(2). [57]
No additional OES sectors defined. [58]

Sweden

Leverantör av samhällsviktiga tjänster (operator of essential services): a public or private entity of a type referred to in Annex II, which meets the criteria in Article 5(2). [59]
No additional OES sectors defined. [60]

United Kingdom

‘Operator of essential services’ means a public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2) [of EU 2016/1148]. [61]
No additional OES sectors defined. [62]

Standard Definition

Other Definitions

See also

Notes

  1. DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
  2. Directive 2009/72/EC of the European Parliament and of the Council
  3. Directive 2009/73/EC of the European Parliament and of the Council, http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L1148&from=EN#ntr2-L_2016194EN.01002701-E0002
  4. Directive (EU) 2016/1148 - DE
  5. Directive (EU) 2016/1148 - NL
  6. Directive (EU) 2016/1148 - FR
  7. Directive (EU) 2016/1148 - BG
  8. NIS tracker
  9. Directive (EU) 2016/1148 - HR
  10. Directive (EU) 2016/1148 - EL
  11. NIS tracker
  12. Directive (EU) 2016/1148 - CS
  13. NIS tracker
  14. Directive (EU) 2016/1148 - DA
  15. Directive (EU) 2016/1148 - ET
  16. NIS tracker
  17. Directive (EU) 2016/1148 - FI
  18. NIS tracker
  19. Directive (EU) 2016/1148 - FR
  20. Information Systems Defence and Security: France’s Strategy, Republique Francaise, 2011.
  21. Glossaire SSI.gouv.fr
  22. NIS tracker
  23. Directive (EU) 2016/1148 - DE
  24. NIS tracker
  25. Directive (EU) 2016/1148 - EL
  26. Directive (EU) 2016/1148 - HU
  27. NIS tracker
  28. Directive (EU) 2016/1148 - EN
  29. NIS tracker
  30. Directive (EU) 2016/1148 - IT
  31. NIS tracker
  32. Directive (EU) 2016/1148 - LV
  33. NIS tracker
  34. Directive (EU) 2016/1148 - LT
  35. NIS tracker
  36. Directive (EU) 2016/1148 - FR
  37. Directive (EU) 2016/1148 - MT
  38. Directive (EU) 2016/1148 - NL
  39. NIS tracker
  40. Staatsblad van het Koninkrijk der Nederlanden, 388, 30-10-20-18
  41. Elektriciteitswet 1998
  42. Gaswet
  43. https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/kamerstukken/2018/07/02/kamerbrief-over-ziekenhuizen-en-informatiebeveiliging/oortgang.pdf Commissiebrief Tweede Kamer inzake waarom ziekenhuizen en andere zorgaanbieders volgens de memorie van de toelichting van de Cybersecuritywet niet aangewezen worden als essentiële diensten en toezegging rapporteren voortgang Actieplan informatiebeveiliging, 2 juli 2018
  44. Drinkwaterwet
  45. Staatsblad van het Koninkrijk der Nederlanden, 388, 30-10-20-18
  46. Directive (EU) 2016/1148 - PL
  47. Strategia Cyberbezpieczeństwa Rzeczypospolitej Polskiej na lata 2017-2022
  48. NIS tracker
  49. Directive (EU) 2016/1148 - PT
  50. NIS tracker
  51. Directive (EU) 2016/1148 - RO
  52. NIS tracker
  53. Directive (EU) 2016/1148 - SK
  54. NIS tracker
  55. Directive (EU) 2016/1148 - SL
  56. NIS tracker
  57. Directive (EU) 2016/1148 - ES
  58. NIS tracker
  59. Directive (EU) 2016/1148 - SV
  60. NIS tracker
  61. Directive (EU) 2016/1148 - EN
  62. NIS tracker