OIV and OSE (NIS2)

OIV and OSE are the two French-law categories for organizations subject to heightened cybersecurity obligations. OIV (Opérateur d'Importance Vitale) predates NIS2 and applies under the 2013 Military Programming Law (LPM). OSE (Opérateur de Services Essentiels) is the French transposition of the original NIS Directive, now extended under NIS2.

The distinction

OIV status is assigned by decree to operators whose disruption would seriously affect the military or economic potential, security, or survival capacity of the nation. The list is classified. OIVs are regulated by ANSSI (the French cybersecurity agency) and must implement the Règles de Sécurité des Systèmes d'Information d'Importance Vitale (SIIV) — technical and organizational rules that predate and exceed NIS2 in several areas.

OSE status applies more broadly across sectors defined in the NIS2 Directive: energy, transport, banking, financial markets, health, drinking water, digital infrastructure, public administration, space, postal services, waste management, food, chemicals, research, and manufacturing. The list is public. OSEs are regulated under the French NIS2 transposition law and supervised by ANSSI or sector-specific authorities.

What OIVs must do

The SIIV rules cover 20 topic areas including identity management, network segmentation, incident detection, audit logging, and supply-chain security. Three features distinguish OIV obligations from general NIS2 requirements:

  • Mandatory audit by ANSSI-qualified assessors (PASSI). Self-assessment is not acceptable.
  • Sovereign-cloud constraint. Data under French classifications equivalent to CUI must remain in qualified-sovereign infrastructure.
  • Annual attestation to ANSSI. Formal reporting, not voluntary disclosure.

What OSEs must do under NIS2

The NIS2 baseline for OSEs aligns with Article 21 of the Directive: risk management, incident handling, business continuity, supply-chain security, vulnerability handling, cryptography, access control, MFA, and secure development. France adds reporting obligations and penalty structures through its transposition.

Critical operators (entités essentielles) face stricter supervision than important operators (entités importantes). Essential operators include most former OSEs plus new sectors added by NIS2.

Why this matters for OT

Most OIV and OSE sectors operate substantial OT footprints — power transmission, water treatment, rail signalling, manufacturing controls. The technical obligations map directly to network segmentation, identity-based access, audit logging, and incident detection at the OT layer. Cloud-only security products rarely satisfy the sovereign-data and on-premise-control expectations that ANSSI enforces for OIVs.

Access Gate connection

Access Gate runs fully on-premise, produces audit evidence aligned with ANSSI SIIV requirements, and satisfies the sovereign-infrastructure expectations that OIV and critical-sector OSE operators face. See NIS2 Compliance On-Premise.