In a previous article, we discussed what the NIS Directive is. The European Union developed the Directive in response to the emerging cyber threats to critical infrastructure and the impact cyber-attacks have on society and the European digital market. The NIS Directive sets three primary objectives:
- to improve the national information security capabilities of the Member States,
- to build mutual cooperation at EU level, and
- to promote a culture of risk management and incident reporting among actors of particular importance for the maintenance of key economic and societal activities in the Union.
The “actors of particular importance” are the operators providing essential services (OES) and digital service providers (DSP) in the EU. In this post, we are going to discuss digital service providers (DSPs).
Who are Digital Service Providers (DSPs)?
A “digital service” is defined within the Directive (EU) 2015/1535 as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. For the scope of the NIS Directive, DSPs are limited to only three types of services, as defined in Annex III of the Directive:
- Cloud computing service.
- Online marketplace.
- Online search engines.
The Directive does not require Member States to identify which digital service providers are subject to the relevant obligations. Therefore, the Directive’s obligations, i.e. the security and notifications requirements set out in Article 16, apply to all DSPs within its scope.
Cloud Computing Services
Article 4(19) of the NIS Directive defines cloud computing service as “a digital service that enables access to a scalable and elastic pool of shareable computing resources.” The NIS definition has a close alignment with that of NIST Special Publication 800-145:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Recital 17 of the Directive provides further clarification to the definition of cloud computing services:
- Cloud computing resources include infrastructure, applications and services accessible in the cloud.
- The term “scalable” refers to the flexibility of the cloud computing resources to accommodate fluctuations in workload irrespective of the geographical location of the resources.
- The term “elastic pool” is used to describe the availability and the provisioning of the cloud computing resources according to the fluctuations of the workloads.
- The term “shareable” is used to describe the ability to provide access to the same cloud computing resources to multiple users.
The European Commission further clarified the types of cloud computing services subject to the NIS Directive. These are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a service (SaaS).
However, there are also hybrid models as well as other examples of ‘[something] as a Service.’ If these models meet the definition of “cloud computing service,” then NIS also applies to them. The key is whether the service “enables access to a scalable and elastic pool of shareable computing resources.” As detailed in NIST SP 500-292 on Cloud Computing Reference Architecture, the following entities may, depending on the circumstances, enable access to these resources and can be subject to NIS Directive:
- Cloud provider – an entity responsible for making a service available to cloud customers because they build and manage cloud infrastructure.
- Cloud broker – an entity that manages the use, performance and delivery of cloud services, negotiating relationships between cloud providers and cloud customers.
Online Market Places
Article 4(17) of the NIS Directive defines online marketplaces as services that “allow consumers and traders to conclude online sales or service contracts with traders and is the final destination for the conclusion of those contracts.” Recital 15 further clarifies that the online marketplace does not cover online services that either serve “only as an intermediary” or “compare the price of particular products or services from different traders” and then redirect the user to the original vendor as Skyscanner does, for example. The European Commission further clarified that computing services provided by the online marketplace may include processing of transactions, aggregations of data or profiling of users. Application stores, which operate as online stores to digitally distribute applications or software programs from third parties, are also a type of online marketplace. For example, a provider such as eBay can be regarded as an online marketplace, as it allows others to set up shops on its platform in order to make their products and services available online to consumers or businesses.
Online Search Engines
Article 4(18) of the NIS Directive defines an online search engine as a digital service that allows users to perform searches on the basis of a query on any subject and returns links in which information related to the requested content can be found. Recital 16 clarifies that “search functions that are limited to the content of a specific website, irrespective of whether the search function is provided by an external search engine,” are not subject to the provisions of the Directive.
DSPs Security Responsibilities
Article 16(1) of the NIS Directive declares that Member States shall ensure that DSPs identify as well as take appropriate and proportionate security measures to manage the risks posed to the integrity, availability and confidentiality of the services they offer within the Union. These measures should consider the following elements:
- The security of systems and facilities
- Incident handling
- Business continuity management
- Monitoring, auditing and testing
- Compliance with international standards.
In addition, Article 16(2) states that Member States shall ensure that DSPs take measures to prevent and minimize the impact of security affecting the provision of services within the Union while ensuring the continuity of those services.
DSP Incident Reporting
The NIS Directive does not give a timeframe for incident reporting. Article 16(3) states that DSPs shall “notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service.” Notifications shall include information to enable the competent authority to determine the significance of any cross-border impact. Article 16(4) of the Directive lists the following five parameters that must be considered in order to determine whether the impact of an incident is substantial:
- The number of users affected by the incident, especially users relying on the (disrupted) service for the provision of their own services.
- The duration of the incident.
- The geographical spread regarding the area affected by the incident.
- The extent of the disruption of the functioning of the service.
- The extent of the impact on economic and societal activities.
An incident shall be considered as having a substantial impact where at least one of the following situations has taken place:
- The service provided by a digital service provider was unavailable for more than 5 million user hours. The term “user hour” refers to the number of affected users in the Union for a duration of 60 minutes.
- The incident has resulted in a loss of integrity, authenticity or confidentiality of stored, transmitted or processed data or the related services offered by a DSP affecting more than 100,000 users in the EU.
- The incident has created a risk to public safety, public security or loss of life.
- The incident has caused material damage to at least one user in the Union where the damage caused to that user exceeds 1,000,000€.
It is important to note that NIS Directive applicability extends beyond EU borders. While Article 18(1) states that “the Member State where the DSP has its main head office has jurisdiction over the company,” Article 18(2) imposes on a DSP the obligation to designate a representative in the EU if that DSP “offers services in the EU but is not established in the EU territory.” In that case, the Member State where the representative is established will have jurisdiction over the company. In cases where a DSP provides services in a Member State but has not designated a representative in the EU, the Member State can take actions against the DSP, as the provider is violating its obligations which derive from the Directive. Finally, DSPs that are micro or small enterprises, meaning they employ fewer than 50 persons and have an annual turnover and/or an annual balance sheet total not exceeding €10 million, are excluded from the scope of the security requirements and notification set forth under the Directive [Article 16(11)].
Enterprises that are digital service providers and fall under the provisions of the NIS Directive can seek guidance from either their National Competent Authority or by visiting the NIS Cooperation Group website, which has published guidelines to help DSPs identify cybersecurity incidents and to learn how to notify relevant authorities of such incidents.