Digital Service Providers (DSP)
A “digital service” is defined within the Directive (EU) 2015/1535 as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. For the scope of the NIS Directive, DSPs are limited to only three types of services: cloud, online market places and search engines.
Cloud Computing Services
Article 4 (19) of the NIS Directive defines cloud computing service as meaning “a digital service that enables access to a scalable and elastic pool of shareable computing resources”. Any company that offers any of the three services would fall under this area:
- ‘Infrastructure as a Service (IaaS) - Third party hosting of hardware, software, storage, servers and other infrastructure for its users.
- ‘Platform as a Service’ (PaaS) - Provides a platform for users to develop, run and manage applications on the providers cloud service.
- ‘Software as a Service’ (SaaS) - A software distribution model where a cloud service provider hosts applications and makes them available to customers over the internet (typically accessed using a thin client via a web browser)
Online Market Places
Article 4 (17) Of the NIS Directive defines online market places as services that “allow consumers and traders to conclude online sales or service contracts with traders, and is the final destination for the conclusion of those contracts”. Intermediaries and price comparison services are excluded.
Online Search Engines
Article 4 (18) of the NIS Directive defines an online search engine as “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found”.
The NIS Directive declares that “Member States shall ensure that digital service providers identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services within the Union. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements, as stated in Article 16 (1) of the Directive:
- the security of systems and facilities;
- incident handling;
- business continuity management;
- monitoring, auditing and testing;
- Compliance with international standards.
The NIS Directive does not give a timeframe for incident reporting, only stating in Article 16 (3) that ‘Member States shall ensure that digital service providers notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service referred to in Annex III that they offer within the Union. Notifications shall include information to enable the competent authority or the CSIRT to determine the significance of any cross border impact’.
As stated in Article 16 (4) of the Directive, in order to determine whether the impact of an incident is substantial, the following parameters in particular shall be taken into account:
- The number of users affected by the incident, in particular users relying on the service for the provision of their own services;
- The duration of the incident;
- The geographical spread with regard to the area affected by the incident;
- The extent of the disruption of the functioning of the service;
- The extent of the impact on economic and societal activities.
An incident shall be considered as having a substantial impact where at least one of the following situations has taken place
- The service provided by a digital service provider was unavailable for more than 5 000 000 user hours whereby the term user hour refers to the number of affected users in the Union for a duration of sixty minutes;
- The incident has resulted in a loss of integrity, authenticity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via a network and information system of the digital service provider affecting more than 100 000 users in the Union;
- The incident has created a risk to public safety, public security or of loss of life;
- The incident has caused material damage to at least one user in the Union where the damage caused to that user exceeds EUR 1 000 000.
Unlike Operators of Essential Services, the State does not have the responsibility of officially designating entities as Digital Service Providers. Instead the onus is on the entities themselves to identify if they fall under the scope of the Directive and if so, to comply with the security measures and incident reporting guidelines.
It is important to note that micro and small enterprises are not covered by the Directive. This means that any enterprise that employs fewer than 50 people and whose annual turnover and/or annual balance sheet total is less than EUR 10 million does not come under the scope of the Directive and should not identify themselves as a Digital Service Provider in respect of the Directive.
The security measures for Digital Service Providers are set out in Commission Implementing Regulation (EU) 2018/151, along with the incident reporting requirements.
Further information on Digital Service Providers can be found here.