For Digital Service Providers (NIS Directive)

A “digital service” is defined by the Directive (EU) 2015/1535 as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services” . Nonetheless, in the context of the NISD, DSPs are limited to only three types of services: cloud, online market places and search engines.

Recital 48 from the NIS Directive mentions that: “Many businesses in the Union rely on digital service providers for the provision of their services. As some digital services could be an important resource for their users, including operators of essential services, and as such users might not always have alternatives available” the NIS Directive applies also to providers of such services. “The security, continuity and reliability of the type of digital services referred to in this Directive are of the essence for the smooth functioning of many businesses. A disruption of such a digital service could prevent the provision of other services which rely on it and could thus have an impact on key economic and societal activities in the Union. Such digital services might therefore be of crucial importance for the smooth functioning of businesses that depend on them and, moreover, for the participation of such businesses in the internal market and cross- border trade across the Union.”

In this respect security measures and incident reporting obligations are applied for DIGITAL SERVICE PROVIDERS (DSPs) in the context of the NIS Directive. Member States must ensure that DSPs notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service.

This section includes all ENISA work related to incident notification for DSPs.

Note: The NIS Directive is the first piece of EU legislation specifically aimed at improving cybersecurity through-out the Union. By ratifying a definite number of obligations across the EU, the Directive will help ensure a consistent approach to cybersecurity “with a view to achieving a high common level of security of net-works and information systems within the Union so as to improve the functioning of the internal market”. The main points of the NIS Directive can be summarised as follows: improved cybersecurity capabilities at national level, increased EU-level cooperation, security measures and incident reporting obligations for Operators of Essential Services (OES) and Digital Service Providers (DSP).


For more information please contact: incidents [at] enisa [dot] europa [dot] eu.

Browse the Topics

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies