Operators of Essential Services
The Directive will have direct implications for many companies and utilities in the State. A number of these companies and utilities will be designated as 'Operators of Essential Services' by the Department, with security obligations and incident reporting requirements being placed upon them. The criteria for identification are as follows:
(1) The entity should provide a service which is essential for the maintenance of critical societal and economic activities;
(2) The provision of that service should depend on network and information systems; and
(3) A security incident would have significant disruptive effects on the essential service.
The following sectors and subsectors are included for consideration by Member States:
- Energy: electricity, oil and gas
- Transport: air, rail, water and road
- Banking: credit institutions
- Financial market infrastructures: trading venues and central counterparties
- Health: healthcare providers
- Water: drinking water supply and distribution
- Digital infrastructure: internet exchange points, domain name system service providers and top level domain name registries
There are three key processes relating to Operators of Essential Services which are detailed below.
The Identification Process
The formal identification process, which began in 2017, is an ongoing process. The Department has been engaging with the companies and utilities in both the private and public sector which have been identified as potential Operators of Essential Services. Official designation will take place before November 9th 2018.
A set of security requirements will be placed on those companies and utilities that are officially designated as Operators of Essential Services. These take the form of a set of security measures which have been drafted to address both the technical and the procedural/organisational elements of the Directive. The security measures consist of five themes which provide a high level view of an organisation's management of cybersecurity risk. These are - Identify, Protect, Detect, Respond and Recover.
Draft Security Measures were published for public consultation in November 2017 and can be found here. The final version of these will be published shortly.
Operators of Essential Services will be required to report incidents which fall under the scope of the Directive. A reportable incident is any incident which has a significant impact on the continuity of an essential service which an Operator of Essential Services provides. In this context, significant impact means that the essential service provided by the Operator of Essential Services must be interrupted, and must not be operational for a given period of time. A reportable incident is determined using the significant disruptive effect parameters contained in the Directive and outlined in the Incident Reporting Guidelines which will be published shortly.