Bird & Bird's Simon Shooter and Esme Strathcole take a look at the definition of a Digital Service Provider (DSP) in the context of NISD and ask how a business might understand if it qualifies as a DSP.
The NIS Directive requires the adequate prevention of security risks, incident response procedures and notification to the Information Commissioner's Office (ICO) of incidents having a substantial impact on the provision of services. For the UK, breach of the NIS Directive is expected to carry a maximum financial penalty of £17m, which will cover all contraventions.
Alongside Essential Operators, Digital Service Providers (DSPs) will be required to comply with the requirements of the Directive-driven NIS Regulation. It is therefore crucial that companies determine whether they qualify as a DSP before 9 May 2018.
In the UK, companies that "normally provide a service for remuneration, at a distance, by electronic means and at the individual request of a recipient of services" will be within scope of the Directive if they are operators of an online market place, an online search engine or a cloud computing service.
Platforms that act as an intermediary between buyers and sellers, facilitating the sale of goods or services and representing the final destination for the conclusion of those contracts will qualify as online market places. Sites will be out of scope if they redirect users to other services to make the final contract (e.g. price comparison sites), only connect buyers and sellers to trade with each other (e.g. classified advert sites) or sell directly to consumers on behalf of themselves (e.g. online retailers).
Online search engines are defined as digital services that allow users to perform searches of the internet in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and return links containing information related to the requested content. Sites that offer search engine facilities powered by another search engine will not be within scope of the Directive but the underlying search engine will be.
Cloud computing services cover digital services that enable access to a scalable and elastic pool of shareable physical or virtual resources. Public cloud services including 'infrastructure as a service' (the delivery of hardware or computing infrastructure), 'platform as a service' (to provide developers with environments on which they can build applications to be delivered over the internet) and 'software as a service' (provided the resources available to the customer are changeable in an elastic and scalable way) will need to comply with the requirements of the Directive. The UK Government expects that most online gaming, entertainment or Voice over Internet Protocol (VoIP) services will be excluded as the resources available to the user are not scalable. However, services such as email or online storage may be within scope where the resources are scalable.
The long-established multidisciplinary Cyber team at Bird & Bird is tracking developments in the adoption of NISD and the guidance that is issued and anticipated from the Government, NCSC and Competent Authorities. We are on hand to assist in any aspect of support that may be needed in respect of cyber-security, from gap analyses and establishing resilience programmes to regulatory compliance and incident response.
Despite the definitions provided, there still remains significant room for uncertainty as to whether you may qualify as a DSP. If you need any help with this, we will be delighted to assist. Equally, if you would like to know more about the obligations that will come with the NIS Regulations, and how you may be affected, we are here to help.