eBook - ePub
A concise introduction to the NIS Directive
A pocket guide for digital service providers
Alan Calder
- 57 pages
- English
About This Book
This pocket guide is an introduction to the EU's NIS Directive (Directive on security of network and information systems). It outlines the key requirements, details which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance. This pocket guide is a primer for any DSP that needs to comply with the NIS Directive.
The pocket guide helps DSPs:
- Gain insight into the NIS Directive and who is regulating it;
- Identify if they are within the scope of the Directive;
- Understand the key requirements; and
- Understand how guidance from international standards and ENISA can help them comply.
Your essential guide to understanding the EU's NIS Directive – buy this book today and get the help and guidance you need.
CHAPTER 1: SCOPE AND APPLICABILITY
Article 4(6) of the Directive specifies that DSPs are 'any legal person that provides a digital service'. A 'digital service', in turn, is defined as 'any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services'.[14]
Unlike OES, governments aren't expected to identify DSPs – the Directive simply applies to all that provide any of the services categorised and listed in Annex III of the NIS Directive. As Recital 57 explains, 'Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope. [...] This should enable digital service providers to be treated in a uniform way across the Union'.
The Directive does not require Member States to explicitly identify DSPs; this ensures that DSPs can expect equal treatment wherever they operate, which streamlines business and provides a guaranteed minimum level of reliability for organisations and consumers across the EU. This is quite different from how operators of essential services (OES) are treated: for OES, the NIS Directive simply provides a set of parameters and lets individual Member States determine how these apply within local law.
Note that some competent authorities may require DSPs to identify themselves and self-register.
Online marketplaces
Online marketplaces provide a digital service that 'allows consumers and traders to conclude online sales or service contracts with traders, and is the final destination for the conclusion of those contracts' (Recital 15).
This emphasis on being able to 'conclude' their shopping is important, as the Recital goes on to explain that 'It should not cover online services that serve only as an intermediary to third-party services through which a contract can ultimately be concluded. It should therefore not cover online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product.'
In other words, websites that redirect users to another service to set up the final contract, such as price comparison sites, are out of scope. The same is true for classified advert sites, as they merely connect buyers and sellers who complete their trades elsewhere, and do not conclude on the website itself. Note that simple online retailers that sell directly to consumers on their own behalf are also out of scope.
Finally, the Recital explains that 'Computing services provided by the online marketplace may include processing of transactions, aggregations of data or profiling of users. Application stores, which operate as online stores enabling the digital distribution of applications or software programmes from third parties, are to be understood as being a type of online marketplace.'
Online search engines
Online search engines provide a digital service that 'allows the user to perform searches of, in principle, all websites on the basis of a query on any subject. It may alternatively be focused on websites in a particular language' (Recital 16).
The Recital goes on to explain that the Directive does 'not cover search functions that are limited to the content of a specific website, irrespective of whether the search function is provided by an external search engine. Neither should it cover online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product'. This puts sites that have a search function powered by a different organisation – an online search machine – out of scope, even if the search function indexes content across the wider Internet.
Cloud computing services
Cloud computing services provide a digital service allowing 'access to a scalable and elastic pool of shareable computing resources. Those computing resources include resources such as networks, servers or other infrastructure, storage, applications and services' (Recital 17).
Recital 17 also provides the following definitions:
- Scalable: 'computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand'.
- Elastic pool: 'those computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload'.
- Shareable: 'those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment'.
Given these definitions, services likely in scope are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Some special cases
Recital 53 and Article 16(11) of the Directive specify that micro and small enterprises do not fall under the scope of the Directive. The European Commission's definitions identify these as digital service providers that employ fewer than 50 people and whose annual turnover and/or annual balance sheet total does not exceed €10 million.[15]
Some organisations established outside the Union may also be designated DSPs and bound by the Directive's requirements. In line with Recital 65, if 'it is apparent that the digital service provider is offering services to persons in one or more Member States', then the organisation should designate a representative within the Union, so it will fall under the jurisdiction of that Member State. This representative will be designated in writing to act on the DSP's behalf in relation to the Directive, so will need to be available to any relevant CSIRTs and competent authorities. Likewise, if a DSP is based within a Member State, but offers services outside of that state, its competent authority is still responsible for overseeing those cross-border activities within the EU.
While it may be difficult to enforce the Directive on DSPs based outside the EU, it is nonetheless an important point. After all, OES will essentially be limited to using the services of DSPs that comply with the Directive. In addition, ordinary consumers and other organisations will also want the reassurance that the services they are using and investing in are actually reliable.
Operators of essential services
While this pocket guide focuses on DSPs, the Directive also imposes requirements on OES. These are stricter than those imposed on DSPs – particularly from a supervisory point of view – due to the higher risk OES typically face. These requirements may also vary per Member State.

[14] Directive (EU) 2015/1535, Article 1(b).
[15] Micro and small enterprises are defined in 2003/361/EC, which states that 'a small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million', and that 'a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million'.
CHAPTER 2: AUTHORITIES AND BODIES
Alongside requiring Member States to set 'security and notification requirements for operators of essential services and for digital service providers', the NIS Directive also specifies that they must 'designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems'.[16] Each of these bodies will play an important role in how the Directive is applied in the Member States and across the EU.
Competent authorities
Competent authorities are the agencies or organisations that oversee compliance with laws and regulations implemented on the basis of the NIS Directive. There is no specified limit on the number of competent authorities a Member State can set; several countries have decided to assign them on a sectoral or regional basis, while others have appointed just one competent authority.
Although the competent authorities are meant to oversee compliance, the Directive states that they should have 'no general obligation to supervise digital service providers' and should 'only take action when provided with evidence...