- to improve the national information security capabilities of the Member States,
- to build mutual cooperation at EU level, and
- to promote a culture of risk management and incident reporting among actors of particular importance for the maintenance of key economic and societal activities in the Union.
Who are Digital Service Providers (DSPs)?

A “digital service” is defined in Directive (EU) 2015/1535 as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. For the scope of the NIS Directive, DSPs are limited to three types of services, as defined in Annex III of the Directive:
- Cloud computing service.
- Online marketplace.
- Online search engines.
Cloud Computing Services

Article 4(19) of the NIS Directive defines a cloud computing service as “a digital service that enables access to a scalable and elastic pool of shareable computing resources.” The NIS definition closely aligns with that of NIST Special Publication 800-145:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Recital 17 of the Directive provides further clarification of the definition of cloud computing services:
- Cloud computing resources include infrastructure, applications and services accessible in the cloud.
- The term “scalable” refers to the flexibility of the cloud computing resources to accommodate fluctuations in workload irrespective of the geographical location of the resources.
- The term “elastic pool” is used to describe the availability and the provisioning of the cloud computing resources according to the fluctuations of the workloads.
- The term “shareable” is used to describe the ability to provide access to the same cloud computing resources to multiple users.
- Cloud provider – an entity responsible for making a service available to cloud customers because they build and manage cloud infrastructure.
- Cloud broker – an entity that manages the use, performance and delivery of cloud services, negotiating relationships between cloud providers and cloud customers.
Online Marketplaces

Article 4(17) of the NIS Directive defines an online marketplace as a service that “allows consumers and traders to conclude online sales or service contracts with traders and is the final destination for the conclusion of those contracts.” Recital 15 further clarifies that the online marketplace does not cover online services that either serve “only as an intermediary” or “compare the price of particular products or services from different traders” and then redirect the user to the original vendor, as Skyscanner does, for example. The European Commission further clarified that computing services provided by the online marketplace may include processing of transactions, aggregation of data or profiling of users. Application stores, which operate as online stores to digitally distribute applications or software programs from third parties, are also a type of online marketplace. For example, a provider such as eBay can be regarded as an online marketplace, as it allows others to set up shops on its platform in order to make their products and services available online to consumers or businesses.
Online Search Engines

Article 4(18) of the NIS Directive defines an online search engine as a digital service that allows users to perform searches on the basis of a query on any subject and returns links in which information related to the requested content can be found. Recital 16 clarifies that “search functions that are limited to the content of a specific website, irrespective of whether the search function is provided by an external search engine,” are not subject to the provisions of the Directive.
DSP Security Responsibilities

Article 16(1) of the NIS Directive requires Member States to ensure that DSPs identify and take appropriate and proportionate security measures to manage the risks posed to the integrity, availability and confidentiality of the services they offer within the Union. These measures shall take into account the following elements:
- The security of systems and facilities
- Incident handling
- Business continuity management
- Monitoring, auditing and testing
- Compliance with international standards.
DSP Incident Reporting

The NIS Directive does not give a timeframe for incident reporting. Article 16(3) states that DSPs shall “notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service.” Notifications shall include information to enable the competent authority to determine the significance of any cross-border impact. Article 16(4) of the Directive lists the following five parameters that must be considered in order to determine whether the impact of an incident is substantial:
- The number of users affected by the incident, especially users relying on the (disrupted) service for the provision of their own services.
- The duration of the incident.
- The geographical spread regarding the area affected by the incident.
- The extent of the disruption of the functioning of the service.
- The extent of the impact on economic and societal activities.
An incident is considered to have a substantial impact where at least one of the following situations applies:
- The service provided by a digital service provider was unavailable for more than 5 million user hours. The term “user hour” refers to the number of affected users in the Union for a duration of 60 minutes.
- The incident has resulted in a loss of integrity, authenticity or confidentiality of stored, transmitted or processed data or the related services offered by a DSP affecting more than 100,000 users in the EU.
- The incident has created a risk to public safety, public security or loss of life.
- The incident has caused material damage to at least one user in the Union where the damage caused to that user exceeds 1,000,000€.