Are you a Digital Service Provider?
The NIS Directive requires the adequate prevention of security risks, incident response procedures and notification to the Information Commissioner's Office (ICO) of incidents having a substantial impact on the provision of services. For the UK, breach of the NIS Directive is expected to carry a maximum financial penalty of £17m, which will cover all contraventions.
Alongside Essential Operators, Digital Service Providers (DSPs) will be required to comply with the requirements of the Directive-driven NIS Regulation. It is therefore crucial that companies determine whether they qualify as a DSP before 9 May 2018.
In the UK, companies that "normally provide a service for remuneration, at a distance, by electronic means and at the individual request of a recipient of services" will be within scope of the Directive if they are operators of an online market place, an online search engine or a cloud computing service.
Online Market Places
Platforms that act as an intermediary between buyers and sellers, facilitating the sale of goods or services and representing the final destination for the conclusion of those contracts, will qualify as online market places. Sites will be out of scope if they redirect users to other services to make the final contract (e.g. price comparison sites), only connect buyers and sellers to trade with each other (e.g. classified advert sites) or sell directly to consumers on behalf of themselves (e.g. online retailers).
Online Search Engines
Online search engines are defined as digital services that allow users to perform searches of the internet in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and return links containing information related to the requested content. Sites that offer search engine facilities powered by another search engine will not be within scope of the Directive, but the underlying search engine will be.
Cloud Computing Services
Cloud computing services cover digital services that enable access to a scalable and elastic pool of shareable physical or virtual resources. Public cloud services including 'infrastructure as a service' (the delivery of hardware or computing infrastructure), 'platform as a service' (to provide developers with environments on which they can build applications to be delivered over the internet) and 'software as a service' (provided the resources available to the customer are changeable in an elastic and scalable way) will need to comply with the requirements of the Directive. The UK Government expects that most online gaming, entertainment or Voice over Internet Protocol (VoIP) services will be excluded as the resources available to the user are not scalable. However, services such as email or online storage may be within scope where the resources are scalable.