In a previous article, we discussed what the NIS Directive is. The European Union developed the Directive in response to the emerging cyber threats to critical infrastructure and the impact cyber-attacks have on society and the European digital market.

The NIS Directive sets three primary objectives:

  • to improve the national information security capabilities of the Member States,
  • to build mutual cooperation at EU level, and
  • to promote a culture of risk management and incident reporting among actors of particular importance for the maintenance of key economic and societal activities in the Union.

The “actors of particular importance” are the operators providing essential services (OES) and digital service providers (DSPs) in the EU. This post covers DSPs.

Who are Digital Service Providers (DSPs)?

A “digital service” is defined in Directive (EU) 2015/1535 as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.

Within the scope of the NIS Directive, DSPs are limited to three types of services, as defined in Annex III of the Directive:

  • Cloud computing service.
  • Online marketplace.
  • Online search engine.

The Directive does not require Member States to identify which digital service providers are subject to the relevant obligations. Therefore, the Directive’s obligations, i.e. the security and notification requirements set out in Article 16, apply to all DSPs within its scope.

Cloud Computing Services

Article 4(19) of the NIS Directive defines a cloud computing service as “a digital service that enables access to a scalable and elastic pool of shareable computing resources.” The NIS definition aligns closely with that of NIST Special Publication 800-145:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of ...