Operators of Essential Services (OES)

The Directive has direct implications for many companies and utilities in the State. A number of these companies and utilities have been designated as 'Operators of Essential Services' by the Department, and are subject to security obligations and incident reporting requirements.  The criteria for identification was as follows:

  1. The entity should provide a service which is essential for the maintenance of critical societal and economic activities;
  2. The provision of that service should depend on network and information systems; and
  3. A security incident would have significant disruptive effects on the essential service.

The following sectors and subsectors were included for consideration by Member States:

The Identification Process

The formal identification process, which began in 2017, is now complete. The Department is engaging with the companies and utilities in both the private and public sector which have been identified as Operators of Essential Services.

Security Guidelines

The companies and utilities that have been officially designated as Operators of Essential Services are now subject to a set of security requirements as set out in Regulation 17 of SI No. 360 of 2018. The NSCS has produced guidelines to assist OES in meeting these requirements. The security guidelines consist of five themes which provide a high level view of an organisation's management of cybersecurity risk. These are -  Identify, Protect, Detect, Respond and Recover. 

A draft version of these Security Guidelines was published for public consultation in November 2017 and the final version of the guidelines can be found in English here and in Irish here.

Incident Reporting

Operators of Essential Services are required to report incidents which fall under the scope of the Directive. A reportable incident is any incident which has a significant impact on the continuity of an essential service which an Operator of Essential Services provides. In this context, significant impact means that the essential service provided by the Operator of Essential Services must be interrupted, and must not be operational for a given period of time. A reportable incident is determined using the significant impact parameters contained in the Directive. Further information on incident reporting can be found in the above mentioned Security Guidelines.

NIS Compliance Guidelines for Operators of Essential Services

For the Irish translation of this document, click this link.

NIS Incident Reporting Form

When submitting this form please encrypt it using our public PGP Key or alternatively send it as password-protected zip file to nis-report@ncsc.gov.ie