What exactly is a Digital Service Provider in the context of NIS Directive? Could you be a DSP and not know it?

Written By

esme strathcole Module
Esme Strathcole

Associate
UK

I am an associate in the Commercial Group in London where I advise clients on a range of commercial issues, often where there is a technology aspect involved. I have a particular focus on work in the media, technology and retail sectors.

simon shooter module
Simon Shooter

Partner
United Arab Emirates

I am the head of the firm's International Commercial Group, and established the cyber-security team back in 2010. I am a commercial lawyer engaged in providing a full spectrum of legal support to clients for their day to day business.

Bird & Bird's Simon Shooter and Esme Strathcole take a look at the definition of a Digital Service Provider (DSP) in the context of NISD and ask how a business might understand if it qualifies as a DSP.

Watch Simon's video on the NIS Directive >

Are you a Digital Service Provider?

The NIS Directive requires the adequate prevention of security risks, incident response procedures and notification of incidents having a substantial impact on the provision of services to the Information Commissioner's Office (ICO). For the UK, breach of the NIS Directive is expected to carry a maximum financial penalty of £17m which will cover all contraventions.

Alongside Essential Operators, Digital Service Providers (DSPs) will be required to comply with the requirements of the Directive driven NIS Regulation. It is therefore crucial that companies determine whether they qualify as a DSP before 9 May 2018.

In the UK, companies that "normally provide a service for remuneration, at a distance, by electronic means and at the individual request of a recipient of services" will be within scope of the Directive if they are operators of an online market place, an online search engine or a cloud computing service.

Online Market Places

Platforms that act as an intermediary between buyers and sellers, facilitating the sale of goods or services and representing the final destination for the conclusion of those contracts will qualify as online market places. Sites will be out of scope if they redirect users to other services to make the final contract (e.g. price comparison sites), only connect buyers and sellers to trade with each other (e.g. classified advert sites) or sell directly to consumers on behalf of themselves (e.g. online retailers). 

Online Search Engines

Online search engines are defined as digital services that allow users to perform searches of the internet in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and return links containing information related to the requested content. Sites that offer search engine facilities powered by another search engine will not be within scope of the Directive but the underlying search engine will be.

Cloud Computing Services

Cloud computing services cover digital services that enable access to a scalable and elastic pool of shareable physical or virtual resources. Public cloud services including 'infrastructure as a service' (the delivery of hardware or computing infrastructure), 'platform as a service' (to provide developers with environments on which they can build applications to be delivered over the internet) and 'software as a service' (provided the resources available to the customer are changeable in an elastic and scalable way) will need to comply with the requirements of the Directive. The UK Government expects that most online gaming, entertainment or Voice over Internet Protocol (VoIP) services will be excluded as the resources available to the user are not scalable. However, services such as email or online storage may be within scope where the resources are scalable. 

About the Bird & Bird Cyber team:

The long established multidisciplinary Cyber team at Bird & Bird is tracking developments in the adoption of NISD and the guidance that is issued and anticipated from the Government, NCSC and Competent Authorities. We are on hand to assist in any aspect of support that may be needed in respect of cyber-security from gap analyses and establishing resilience programmes to regulatory compliance and incident response.

Despite the definitions provided there still remains significant room for uncertainty as to whether you may qualify as a DSP. If you need any help with this we will be delighted to assist. Equally if you would like to know more on the obligations that will come with the NIS Regulations - and how you may be affected -  we are here to help.

Latest insights

More Insights
featured image

Guiding through ‘the maze of food labelling’ – The most recent European Court of Auditors’ special report

6 minutes Dec 20 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
featured image

Update on recent UK data protection guidance in the financial services space

3 minutes Dec 19 2024

Read More