A concise introduction to the NIS Directive
eBook - ePub

A concise introduction to the NIS Directive

A pocket guide for digital service providers

Alan Calder

  • 57 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About This Book

This pocket guide is an introduction to the EU's NIS Directive (Directive on security of network and information systems). It outlines the key requirements, details which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance. This pocket guide is a primer for any DSP that needs to comply with the NIS Directive.

The pocket guide helps DSPs:

  • Gain insight into the NIS Directive and who is regulating it;
  • Identify if they are within the scope of the Directive;
  • Understand the key requirements; and
  • Understand how guidance from international standards and ENISA can help them comply.

Your essential guide to understanding the EU's NIS Directive – buy this book today and get the help and guidance you need.


Information

Publisher: ITGP
Year: 2018
ISBN: 9781787781047

CHAPTER 1: SCOPE AND APPLICABILITY

Article 4(6) of the Directive specifies that DSPs are “any legal person that provides a digital service”. A “digital service”, in turn, is defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.14
Unlike operators of essential services (OES), DSPs do not have to be identified by governments – the Directive simply applies to every organisation that provides any of the services categorised and listed in Annex III of the NIS Directive. As Recital 57 explains, “Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope. […] This should enable digital service providers to be treated in a uniform way across the Union”.
The Directive deliberately does not require Member States to identify DSPs explicitly, so that DSPs can expect equal treatment wherever they operate; this streamlines business and provides a guaranteed minimum level of reliability for organisations and consumers across the EU. This is quite different from how OES are treated: for them, the NIS Directive simply provides a set of parameters and lets individual Member States determine how these apply within local law.
Note that some competent authorities may require DSPs to identify themselves and self-register.

Online marketplaces

Online marketplaces provide a digital service that “allows consumers and traders to conclude online sales or service contracts with traders, and is the final destination for the conclusion of those contracts” (Recital 15).
This emphasis on being able to “conclude” their shopping is important, as the Recital goes on to explain that “It should not cover online services that serve only as an intermediary to third-party services through which a contract can ultimately be concluded. It should therefore not cover online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product.”
In other words, websites that redirect users to another service to set up the final contract, such as price comparison sites, are out of scope. The same is true for classified advert sites, as they merely connect buyers and sellers who complete their trades elsewhere, and do not conclude on the website itself. Note that simple online retailers that sell directly to consumers on their own behalf are also out of scope.
Finally, the Recital explains that “Computing services provided by the online marketplace may include processing of transactions, aggregations of data or profiling of users. Application stores, which operate as online stores enabling the digital distribution of applications or software programmes from third parties, are to be understood as being a type of online marketplace.”

Online search engines

Online search engines provide a digital service that “allows the user to perform searches of, in principle, all websites on the basis of a query on any subject. It may alternatively be focused on websites in a particular language” (Recital 16).
The Recital goes on to explain that the Directive does “not cover search functions that are limited to the content of a specific website, irrespective of whether the search function is provided by an external search engine. Neither should it cover online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product”. This puts sites whose search function is powered by a different organisation – an external search engine – out of scope, even if that search function indexes content across the wider Internet.

Cloud computing services

Cloud computing services provide a digital service allowing “access to a scalable and elastic pool of shareable computing resources. Those computing resources include resources such as networks, servers or other infrastructure, storage, applications and services” (Recital 17).
Recital 17 also provides the following definitions:
  • Scalable: “computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand”.
  • Elastic pool: “those computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload”.
  • Shareable: “those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment”.
Given these definitions, services likely in scope are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Some special cases

Recital 53 and Article 16(11) of the Directive specify that micro and small enterprises do not fall under the scope of the Directive. The European Commission’s definitions identify these as digital service providers that employ fewer than 50 people and whose annual turnover and/or annual balance sheet total does not exceed €10 million.15
Some organisations established outside the Union may also be designated DSPs and bound by the Directive’s requirements. In line with Recital 65, if “it is apparent that the digital service provider is offering services to persons in one or more Member States”, then the organisation should designate a representative within the Union, so it will fall under the jurisdiction of that Member State. This representative will be designated in writing to act on the DSP’s behalf in relation to the Directive, so will need to be available to any relevant CSIRTs and competent authorities. Likewise, if a DSP is based within a Member State, but offers services outside of that state, its competent authority is still responsible for overseeing those cross-border activities within the EU.
While it may be difficult to enforce the Directive on DSPs based outside the EU, the point is nonetheless an important one. After all, OES will essentially be limited to using the services of DSPs that comply with the Directive. In addition, ordinary consumers and other organisations will also want the reassurance that the services they are using and investing in are actually reliable.

Operators of essential services

While this pocket guide focuses on DSPs, the Directive also imposes requirements on OES. These are stricter than those imposed on DSPs – particularly from a supervisory point of view – due to the higher risk OES typically face. These requirements may also vary per Member State.
 
14 Directive (EU) 2015/1535, Article 1(b).
15 Micro and small enterprises are defined in 2003/361/EC, which states that “a small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million”, and that “a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million”.

CHAPTER 2: AUTHORITIES AND BODIES

Alongside requiring Member States to set “security and notification requirements for operators of essential services and for digital service providers”, the NIS Directive also specifies that they must “designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems”.16 Each of these bodies will play an important role in how the Directive is applied in the Member States and across the EU.

Competent authorities

Competent authorities are the agencies or organisations that oversee compliance with laws and regulations implemented on the basis of the NIS Directive. There is no specified limit on the number of competent authorities a Member State can set; several countries have decided to assign them on a sectoral or regional basis, while others have appointed just one competent authority.
Although the competent authorities are meant to oversee compliance, the Directive states that they should have “no general obligation to supervise digital service providers” and should “only take action when provided with evidence...
