What are the regulations for OVI and OES?

OVI and OES

The multiplication of attacks and threats to organizations’ information systems has prompted the French government and the European Union to implement recommendations and rules for private companies and public administrations. The requirement level of these rules and recommendations varies according to the importance of the target organization. They are optional for organizations considered as non-sensitive, but, at different levels, mandatory for OVI (Operators of Vital Importance) and OES (Operators of Essential Services).

Limiting the cyber risk of OVI and OES to guarantee the proper functioning of the nation

In order to protect their ISVI (Information System of Vital Importance), the OVIs, operating in areas of activity that are sensitive for the integrity of the country and the population (sanitary (food, water management, health), regalian (civil activities of the State, judicial activities, military activities of the State), economic (energy, finance, transport), and technological (electronic communications, audiovisual and information, industry, space and research)) must comply with a set of rules issued by the French State, through the MPL (Military Programming Law).

The OES must comply with the regulations issued by the European Union through the NIS (Network and Information Security) directive. An OES is defined as providing an essential service whose interruption would have a significant impact on the functioning of the economy or society, bearing in mind that an OVI operates or uses facilities deemed essential to the nation’s survival.

More generally, all the organizations (including OVI and OES) must, as far as possible, comply with the recommendations of the ANSSI (French National Cybersecurity Agency) issued in the document PA-022: Recommendations to secure administration of IT systems. In the event of non-compliance with the regulations, the OVI and OES, in addition to seriously exposing the organization’s information system, which could also lead to significant consequences for the Nation or the population, also expose themselves, ultimately, to financial sanctions. Respecting these rules is therefore essential for these sensitive organizations, and as good practices, are strongly recommended for other organizations, depending on their means and maturity in terms of cybersecurity.

What are the security requirements for IS administration?

In France, there are three standards that must be particularly respected by the OVI and OES:

  • Recommendations to secure administration of IT systems (document PA-022 from the ANSSI).
  • The Military Programming Law (MPL) sets 20 security rules for information systems of vital importance.
  • The NIS Directive, enacting a series of rules aimed to ensure a high and common level of security for networks and information systems in the European Union and applying to OES.

Among these standards, 5 major themes relating to the administration of information systems stand out:

  • Governance, risks, compliance (GRC) and associated processes
  • Operational use and security incident management
  • The Administration Information System (AIS) and its architecture
  • Identity and Access Management (IAM) and administration rights and privileged accounts (PAM)
  • The administration workstation

A Europeanization of rules and entities

Furthermore, in the last few years, we have seen a genuine Europeanization of the rules and entities governing information system security, with a direct impact on the French OVI and OES.

The European NIS directive, adopted by the European institutions in 2016 and now incorporated into the French law, was in fact largely inspired by the French MPL, voted in 2013. The directive complements or adds new rules and circumvents some elements of the French LPM. The rules issued by the NIS directive must be respected by all EU OES in order to guarantee an increased security for these organizations considered as particularly sensitive. On the institutional side, the European cybersecurity has also evolved: the Cybersecurity Act, adopted in 2019, strengthens the European Cybersecurity Agency (ENISA) by assigning it a permanent mandate and additional resources. ENISA shall act as a “reference point for advice and expertise on cybersecurity for Union institutions, bodies, offices and agencies as well as for other relevant Union stakeholders.” The Cybersecurity Act also establishes a European framework for the certification of cybersecurity products and services in order to standardize the certification processes for cybersecurity products and services and their recognition in all EU countries.