Digital Service Providers (DSP)

A “digital service” is defined within the Directive (EU) 2015/1535 as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. For the scope of the NIS Directive, DSPs are limited to only three types of services: cloud, online market places and search engines.

Cloud Computing Services

Article 4 (19) of the NIS Directive defines cloud computing service as meaning “a digital service that enables access to a scalable and elastic pool of shareable computing resources”. Any company that offers any of the three services would fall under this area:

Online Market Places

Article 4 (17) Of the NIS Directive defines online market places as services that “allow consumers and traders to conclude online sales or service contracts with traders, and is the final destination for the conclusion of those contracts”. Intermediaries and price comparison services are excluded.

Online Search Engines

Article 4 (18) of the NIS Directive defines an online search engine as “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found”.

DSP Responsibilities

The NIS Directive declares that “Member States shall ensure that digital service providers identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services within the Union. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements, as stated in Article 16 (1) of the Directive:

The NIS Directive does not give a timeframe for incident reporting, only stating in Article 16 (3) that ‘Member States shall ensure that digital service providers notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service referred to in Annex III that they offer within the Union. Notifications shall include information to enable the competent authority or the CSIRT to determine the significance of any cross border impact’.

As stated in Article 16 (4) of the Directive, in order to determine whether the impact of an incident is substantial, the following parameters in particular shall be taken into account:

An incident shall be considered as having a substantial impact where at least one of the following situations has taken place

Unlike Operators of Essential Services, the State does not have the responsibility of officially designating entities as Digital Service Providers. Instead the onus is on the entities themselves to identify if they fall under the scope of the Directive and if so, to comply with the security measures and incident reporting guidelines.

It is important to note that micro and small enterprises are not covered by the Directive. This means that any enterprise that employs fewer than 50 people and whose annual turnover and/or annual balance sheet total is less than EUR 10 million does not come under the scope of the Directive and should not identify themselves as a Digital Service Provider in respect of the Directive.

The security measures for Digital Service Providers are set out in Commission Implementing Regulation (EU) 2018/151, along with the incident reporting requirements.

Further information on Digital Service Providers can be found here.

NIS Incident Reporting Form

When submitting this form please encrypt it using our public PGP Key or alternatively send it as password-protected zip file to