CHAPTER 1: SCOPE AND APPLICABILITY
The NIS Directive is very clear about the definitions it uses for OES. However, its approach is to provide a set of parameters and to then require each Member State to identify the precise bounds of those parameters and to "identify the operators of essential services with an establishment on their territory" (Article 5(1)).
According to the NIS Directive, an OES is an organisation that provides services that are essential for "the maintenance of critical societal and/or economic activities" (Article 5(2)), which the NIS Regulations set out in section 8(1):
8(1) If a person provides an essential service of a kind referred to in paragraphs 1 to 9 of Schedule 2 and that service –
a) relies on network and information systems; and
b) satisfies a threshold requirement described for that kind of essential service,
that person is deemed to be designated as an OES for the subsector that is specified with respect to that essential service in that Schedule.
Schedule 2 of the Regulations sets out the key sectors within the UK based on the list defined in the NIS Directive, which identified the following essential sectors:
• Water (drinking water supply and distribution)
• Energy (electricity, oil and gas)
• Digital infrastructure (Internet exchange point (IXP) operators, domain name systems (DNS) and top-level domain (TLD) name registries)
• Health (healthcare providers)
• Transport (air, rail, water and road)
• Banking (credit institutions)
• Financial market infrastructures (trading venues and central counterparties)
Schedule 2 of the Regulations differs slightly from the set of sectors provided in the Directive on the basis of "lex specialis" – there are existing special conditions in law for the banking and financial market infrastructure sectors. The UK government has determined that these sectors are already bound by equivalent provisions set by the Bank of England and the Financial Conduct Authority, and so they are exempt from the NIS Regulations. This is in line with Recital 9 of the Directive, which recognises that "Certain sectors of the economy are already regulated or may be regulated in the future by sector-specific Union legal acts that include rules related to the security of network and information systems".
It is likely there will be specific cases that do not quite fit within either the Directive's guidelines or the UK government's thresholds – the EU is, after all, a huge entity, both geographically and demographically – but the Directive requires each Member State to formally identify its OES by 9 November 2018. The UK has taken a more ambitious approach, and so all OES were required to self-identify to their competent authority by 10 August 2018. Organisations that later meet the definition of an OES are required to self-identify within three months of doing so.
In the UK, the NIS Regulations specify in section 8(3) that competent authorities are also permitted to designate some "edge cases" OES. This can only occur if three conditions are met:
1. The OES meets the sector, subsector and essential service requirements
2. The service provided relies on network and information systems
3. An incident has the potential to significantly disrupt the provision of the essential service
The government has set itself a deadline of 10 November 2018 to identify such edge cases.
Digital service providers
While this pocket guide focuses on OES, the Directive also imposes requirements on DSPs. It is entirely possible for an organisation to provide services both as an OES and as a DSP, while for other organisations it may be less clear whether they are one or the other.
To provide some measure of clarity, the Directive specifies that DSPs are organisations that provide digital services delivered "at a distance, by electronic means and at the individual request of a recipient of services".11 Annex III of the Directive categorises the types of services covered:
• Online search engines
• Online marketplaces
• Cloud computing services
It is also important to note that the Directive does not require Member States to identify DSPs – unlike OES, the Directive is intended to apply to DSPs across the Union without exception or variance. This is made explicit in Recital 57, which explains that "Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope. […] This should enable digital service providers to be treated in a uniform way across the Union".
11 Directive (EU) 2015/1535, Article 1(b).
CHAPTER 2: AUTHORITIES AND BODIES
Alongside requiring Member States to set "security and notification requirements for operators of essential services and for digital service providers", the NIS Directive also specifies that they must "designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems".12
Each of these bodies will play an important role in how the Directive is applied in the Member States and across the EU. In the UK, the NCSC will operate as the CSIRT and the single point of contact, and as a technical authority on cyber security, all under the auspices of GCHQ.
Competent authorities
Competent authorities in the UK have been defined for each sector in the NIS Regulations. Schedule 1 of the Regulations lists the relevant government bodies that will be responsible for each sector. In the majority of cases, these are secretaries of state or ministers, who will delegate the authority to an agency under their control. The competent authority for DSPs is the Information Commissioner's Office (ICO).
Competent authorities are the organisations or agencies that oversee compliance with laws and regulations implemented on the basis of the NIS Directive. There is no specified limit on the number of competent authorities a Member State can set and several countries other than the UK have assigned them on a sectoral basis.
The primary question that each Member State needs to answer is "What makes a competent authority competent?" Recital 30 of the Directive offers guidance:
In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of operators of essential services and digital service providers under this Directive.
As does Recital 61:
Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information in order to assess the level of security of network and information systems.
Essentially, competent authorities should be able to both assess how organisations apply the principles and enforce them. As such, some authorities will doubtless be provided with additional funding or resources, and whole new agencies may be necessary for some sectors. The NIS Regulations provide specific powers for competent authorities in the UK to inspect OES and DSPs, as well as enforcement powers.
While competent authorities are regulators, the Directive makes it clear that cooperation, rather than dictatorial assertiveness, is key to making sure it is effective. As Recital 31 states:
As this Directive aims to improve the functioning of the internal market by creating trust and confidence, Member State bodies need to be able to cooperate effectively with economic actors and to be structured accordingly.
Fundamentally, the competent authorities should operate, where possible, to facilitate business rather than to repress it. "Cooperation" is a common theme throughout the Directive, and leads into the requirements for cooperation across the EU.
CSIRTs
The Directive requires each Member State to establish a CSIRT. CSIRTs already exist in a number of countries, the most famous team almost certainly being the first – the CERT Division – which was established at Carnegie Mellon University in the US and helped to create US-CERT. In the UK, the CSIRT is the NCSC.
CSIRTs are specialist units charged with providing guidance and support in the event of a significant incident, and tracking incidents globally so that useful information and lessons can be disseminated. In relation to the NIS Directive, this means the CSIRT must be able to react appropriately to incidents that could have significant consequences for critical national ...