Identification of operators of essential services
8.—(1) If a person provides an essential service of a kind referred to in paragraphs 1 to 9 of Schedule 2 and that service—
(a)relies on network and information systems; and
(b)satisfies a threshold requirement described for that kind of essential service,
that person is deemed to be designated as an OES for the subsector that is specified with respect to that essential service in that Schedule.
(2) A person who falls within paragraph (1) must notify the designated competent authority of that fact before the notification date.
(3) Even if a person does not meet the threshold requirement mentioned in paragraph (1)(b), a competent authority may designate that person as an OES for the subsector in relation to which that competent authority is designated under regulation 3(1), if the following conditions are met—
(a)that person provides an essential service of a kind specified in paragraphs 1 to 9 of Schedule 2 for the subsector in relation to which the competent authority is designated under regulation 3(1);
(b)the provision of that essential service by that person relies on network and information systems; and
(c)the competent authority concludes that an incident affecting the provision of that essential service by that person is likely to have significant disruptive effects on the provision of the essential service.
(4) In order to arrive at the conclusion mentioned in paragraph (3)(c), the competent authority must have regard to the following factors—
(a)the number of users relying on the service provided by the person;
(b)the degree of dependency of the other relevant sectors on the service provided by that person;
(c)the likely impact of incidents on the essential service provided by that person, in terms of its degree and duration, on economic and societal activities or public safety;
(d)the market share of the essential service provided by that person;
(e)the geographical area that may be affected if an incident impacts on the service provided by that person;
(f)the importance of the provision of the service by that person for maintaining a sufficient level of that service, taking into account the availability of alternative means of essential service provision;
(g)the likely consequences for national security if an incident impacts on the service provided by that person; and
(h)any other factor the competent authority considers appropriate to have regard to, in order to arrive at a conclusion under this paragraph.
(5) A competent authority must designate an OES under paragraph (3) by notice in writing served on the person who is to be designated and provide reasons for the designation in the notice.
(6) Before a competent authority designates a person as an OES under paragraph (3), the authority may—
(a)request information from that person under regulation 15(4); and
(b)invite the person to submit any written representations about the proposed decision to designate it as an OES.
(7) A competent authority must consult with the relevant authorities in another Member State before designating a person as an OES under paragraph (3) if that person already provides an essential service in that Member State.
(8) A competent authority must maintain a list of all the persons who are deemed to be designated under paragraph (1) or designated under paragraph (3) for the subsectors in relation to which that competent authority is designated under regulation 3(1).
(9) The competent authority must review the list mentioned in paragraph (8) at regular intervals and in accordance with paragraph (10).
(10) The first review under paragraph (9) must take place before 9th May 2020, and subsequent reviews must take place, at least, biennially.
(11) In this regulation the “notification” date means—
(a)10th August 2018, in the case of a person who falls within paragraph (1) on the date these Regulations come into force; or
(b)in any other case, the date three months after the date on which the person falls within that paragraph.