Operators of Essential Services (OES)
The Directive has direct implications for many companies and utilities in the State. A number of these companies and utilities have been designated as 'Operators of Essential Services' by the Department, and are subject to security obligations and incident reporting requirements. The criteria for identification were as follows:
- The entity should provide a service which is essential for the maintenance of critical societal and economic activities;
- The provision of that service should depend on network and information systems; and
- A security incident would have significant disruptive effects on the essential service.
The following sectors and subsectors were included for consideration by Member States:
- Energy: electricity, oil and gas
- Transport: air, rail, water and road
- Banking: credit institutions
- Financial market infrastructures: trading venues and central counterparties
- Health: healthcare providers
- Water: drinking water supply and distribution
- Digital infrastructure: internet exchange points, domain name system service providers and top-level domain name registries
The Identification Process
The formal identification process, which began in 2017, is now complete. The Department is engaging with the companies and utilities in both the private and public sector which have been identified as Operators of Essential Services.
The companies and utilities that have been officially designated as Operators of Essential Services are now subject to a set of security requirements as set out in Regulation 17 of SI No. 360 of 2018. The NCSC has produced guidelines to assist OES in meeting these requirements. The security guidelines consist of five themes which provide a high-level view of an organisation's management of cybersecurity risk. These are: Identify, Protect, Detect, Respond and Recover.
A draft version of these Security Guidelines was published for public consultation in November 2017 and the final version of the guidelines can be found in English here and in Irish here.
Operators of Essential Services are required to report incidents which fall under the scope of the Directive. A reportable incident is any incident which has a significant impact on the continuity of an essential service which an Operator of Essential Services provides. In this context, significant impact means that the essential service provided by the Operator of Essential Services must be interrupted, and must not be operational for a given period of time. A reportable incident is determined using the significant impact parameters contained in the Directive. Further information on incident reporting can be found in the above-mentioned Security Guidelines.