General Cybersecurity Duties for Essential and OVI Operators

1. Setting the Scene: Who Has General Cybersecurity Duties?

In many jurisdictions (especially in the EU after NIS2 entered into force in 2023 and must be applied by Member States from October 2024 onward), essential and important/OVI operators have baseline cybersecurity duties.

For this module, assume a national law aligned with NIS2 and supervised by a central authority similar to ANCI (a national cybersecurity authority) plus sectoral regulators.

Who is covered?

• Essential operators (e.g., electricity grids, hospitals, major transport operators).
• Operators of Vital Importance (OVI/OIV) – a subset of critical operators identified via ANCI-led procedures (see previous module).
• Other institutions and ICT/digital service providers that support these essential/OVI operators.

All of them share general cybersecurity duties, but the depth and strictness scale with:

• The size of the organization (SME vs large operator).
• The criticality of services they provide.
• The risk profile (likelihood and impact of incidents).

You will now walk through these duties step by step, focusing on what an operator must actually do in practice.

2. Core Duty: Continuous Cybersecurity (Not One-Off Compliance)

The law does not see cybersecurity as a one-time project. It imposes a continuous duty of care.

At a minimum, covered entities must implement and maintain:

1. Technological measures

• Firewalls, intrusion detection/prevention systems (IDS/IPS).
• Endpoint protection, anti-malware, email security gateways.
• Secure configuration, patch management, encryption.

1. Organizational measures

• Clear cybersecurity policies approved by top management.
• Defined roles and responsibilities (e.g., CISO or security officer).
• Regular training and awareness for all staff.
• Supplier/third-party risk management procedures.

1. Physical measures

• Controlled access to server rooms and critical infrastructure.
• CCTV, access badges, visitor logs.
• Environmental protections (fire, flooding, power backup).

1. Informational measures

• Classification of information (e.g., public, internal, confidential).
• Secure handling, storage, and destruction of data.
• Clear incident reporting and communication procedures.

Key point: These measures must be ongoing: monitored, reviewed, and improved regularly, not only during audits.

3. Example: Turning the Continuous Duty into Daily Practice

Imagine a regional hospital classified as an OVI because it provides critical emergency services.

How does it fulfill the continuous cybersecurity duty?

• Technological
• All medical devices on the network are inventoried and patched monthly.
• Network segments separate administrative PCs from life-support equipment.
• Multi-factor authentication (MFA) is required for remote access.

• Organizational
• A Cybersecurity Committee meets quarterly to review incidents and risks.
• New staff receive mandatory security training in their first week.
• Third-party maintenance contractors must sign security clauses and use dedicated accounts.

• Physical
• Access to the data center requires a badge and PIN; logs are reviewed weekly.
• Backups are stored in a physically separate, access-controlled room.

• Informational
• Patient records are labeled as highly confidential; access is strictly role-based.
• There is a documented incident response plan that includes how to inform ANCI and sectoral health authorities.

This example shows how the law’s abstract duty of “continuous cybersecurity” becomes concrete, day-to-day practice.

4. Risk-Based Approach: Necessity, Proportionality, Rationality

Modern cybersecurity laws (including NIS2-style frameworks) rely on a risk-based approach rather than fixed lists of controls.

Three key principles guide what you must implement:

1. Necessity

• Measures must be necessary to address the specific risks you face.
• Example: If you do not allow remote access, complex remote-access controls may not be necessary.

1. Proportionality

• Measures must be proportionate to the potential impact.
• A national power grid operator must invest far more in cybersecurity than a small local library, even if both are technically “covered entities”.

1. Rationality

• Measures must be reasonable and justifiable based on current best practices and your resources.
• You should be able to explain to ANCI why you chose certain controls and not others, based on risk assessments.

In practice, this means:

• You start with risk assessment: assets, threats, vulnerabilities, impact, likelihood.
• You prioritize: high-risk systems and processes get stronger controls.
• You document your reasoning: so you can demonstrate necessity, proportionality, and rationality during supervision or after an incident.

5. Thought Exercise: Applying the Risk-Based Principles

Consider two operators:

1. Cloud provider A: Hosts data and applications for several hospitals and banks (classified as an essential ICT service provider).
2. Municipal IT Department B: Manages email and basic web hosting for a small town, with no critical services.

Task:

1. List two controls that are necessary and proportionate for Cloud provider A but may be excessive for Municipal IT Department B.
2. For each control, explain in 1–2 sentences why it is rational for A but not for B.

Write your answers as if you were preparing for an ANCI inspection. Use phrases like:

• “Given the high impact on healthcare and finance, it is necessary to…”
• “For a small municipal operator with limited impact, this control would not be proportionate because…”

(You can jot down bullet points; focus on the reasoning, not perfect wording.)

6. Alignment with ANCI Protocols, Standards, and Sectoral Rules

Beyond general principles, the law typically requires alignment with standards and protocols issued or endorsed by:

• ANCI (or equivalent national authority)
• Issues binding technical regulations and guidelines (e.g., minimum security measures, incident reporting formats).
• Publishes reference frameworks aligned with international standards (e.g., ISO/IEC 27001, ISO/IEC 27019 for energy, ISO 22301 for business continuity).

• Sectoral authorities
• For example, financial supervisors, health ministries, transport regulators.
• They may impose additional sector-specific rules, such as resilience testing for banks or medical device security requirements for hospitals.

Your duties include:

1. Monitoring updates: Regularly checking ANCI and sectoral authority websites for new regulations, technical instructions, and threat advisories.
2. Mapping controls to standards: For example, mapping your internal policies to ISO 27001 controls and ANCI’s minimum baseline.
3. Participating in exercises: Joining national or sectoral cyber drills coordinated by ANCI or CSIRTs.

Historical context: Earlier frameworks often relied on softer, voluntary guidelines. Since NIS2 (applied in the EU from late 2024) and similar national reforms, obligations are more explicit, enforceable, and backed by significant penalties for non-compliance.

7. Quick Check: Standards and Authorities

Test your understanding of alignment duties.

8. Differentiated Obligations: SMEs vs Large Operators

Most modern cybersecurity laws explicitly recognize the need for differentiated obligations:

• Large operators / OVI / high-risk entities
• Must implement comprehensive security management systems.
• Face stricter supervision, more frequent audits, and sometimes mandatory external certifications.
• May be required to maintain a 24/7 Security Operations Center (SOC) or equivalent monitoring.

• Small and Medium-sized Enterprises (SMEs)
• If they are not critical, they may only need to meet simplified or baseline requirements.
• However, if an SME is designated as an OVI or essential operator (e.g., a small company running a critical water treatment plant), it must still meet higher-level obligations proportionate to the risk, not just its size.

Scaling in practice:

• Documentation, incident reporting, and governance structures can be lighter for low-risk SMEs.
• High-risk or OVI entities, regardless of size, must have:
• Formal risk assessments and treatment plans.
• Clear top-management accountability for cybersecurity.
• Regular testing (e.g., penetration tests, business continuity exercises).

9. Example: Same Sector, Different Sizes

Consider two ICT service providers in the energy sector:

1. Provider X (Large, OVI)

• Manages the SCADA systems for a national electricity transmission grid.
• Classified as an OVI by ANCI.

1. Provider Y (Small SME)

• Provides billing software for a few local energy retailers.
• Not classified as OVI; still covered as a digital service provider.

Obligations for Provider X:

• Full Information Security Management System (ISMS) aligned with ISO 27001 and ANCI’s critical infrastructure rules.
• 24/7 monitoring and incident response capability.
• Mandatory participation in national cyber exercises for the energy sector.
• Regular reporting to ANCI and the energy regulator.

Obligations for Provider Y:

• Baseline controls: patching, backups, access control, staff awareness training.
• Risk assessment and incident reporting, but with simpler documentation and less frequent audits.
• Must still comply with any sectoral minimum security standards (e.g., for handling customer data), but not necessarily a full SOC.

This shows how risk and criticality, not just size, determine the intensity of obligations.

10. Check Understanding: Risk vs Size

Apply the differentiation concept.

11. Mini-Checklist: Assessing Compliance for an Operator

Imagine you are the security officer for a medium-sized cloud provider that hosts services for several municipalities and one regional hospital (so you are an essential ICT service provider, but not necessarily an OVI).

Create a short compliance checklist under these headings:

1. Continuous Measures

• List 3–4 ongoing technical/organizational/physical/informational measures you must maintain.

1. Risk-Based Approach

• Write 2 questions you would ask during your annual risk assessment (e.g., “What is the impact if our main data center is offline for 24 hours?”).

1. Alignment with ANCI and Sectoral Rules

• Identify at least 2 types of documents you need to review or follow (e.g., ANCI baseline controls, health sector data protection rules).

1. Scaling by Size and Risk

• Note 1 area where you can reasonably keep things simple (e.g., streamlined documentation), and 1 area where you must invest heavily despite being medium-sized (e.g., incident response for the hospital client).

(Write this as bullet points; imagine you will present it to your CISO.)

12. Flashcards: Key Terms and Concepts

Use these flashcards to reinforce the main ideas from this module.