The new report referenced in the article above, follows comprehensive guidelines (the “Guidelines“) published by ENISA in February 2017 for Member States and the European Commission on how to implement incident notification for “digital service providers” (“DSPs“) across the EU, in the context of the Cyber Security Directive.
DSPs: The Cyber Security Directive sets out obligations in respect of “operators of essential services” and DSPs, with a slightly “lighter touch” approach applying to the latter. DSPs are limited to three types of services:
- online marketplaces – which allow consumers and traders to conclude online sales or service contracts with traders and are the final entity where the contract is concluded. The term excludes both online “intermediaries” to third party services through which a contract can be concluded, as well as online price comparison services of different traders that redirect the user to the preferred trader to purchase the product;
- online search engines – excluding search functions that are limited just to the content of a specific website; or
- cloud computing service providers – spanning a wide range of activities that can be delivered according to different models.