At a glance
- If you provide an online search engine, online marketplace or cloud computing service (either alone or in combination) then you are a digital service provider (DSP).
- Your digital service must be provided to external customers – ie, to individuals or organisations. If you only maintain these services internally, you are not a DSP.
- If you provide one or more of these digital services, are not a small or micro business, and you either have a head office in the UK or have nominated a UK representative, then you are a ‘relevant digital service provider’ (RDSP) for the purposes of NIS.
- Online search engines are digital services that enable individuals to perform searches of all websites based on a particular query or search term. If you run a website that uses an embedded search from a search engine provider, your site is not covered by NIS and you are not deemed to be a DSP – it is the underlying search engine that is covered.
- Online marketplaces are digital services that allow individuals or traders to conclude sales or service contracts with traders, either on their own website or by means of providing services to traders’ websites. Online retailers that sell directly to individuals on their own behalf are not covered.
- Cloud services are digital services that ‘enable access’ to a scalable and elastic pool of shareable computing resources. This can include common cloud models like ‘Platform as a Service’ (PaaS) and ‘Infrastructure as a Service’ (IaaS). If you provide ‘Software as a Service’ (SaaS) you are also covered to the extent that your service is scalable and elastic.
- There is a general exemption for small and micro businesses. If you have fewer than 50 staff and a turnover and/or balance sheet of less than €10 million, NIS does not apply to you and you are not an RDSP. However, if your service is part of a larger group, you need to include the staff and turnover size of the group when assessing whether the small business exemption applies.
- RDSPs are required to register with the ICO by 1 November 2018.
- What types of digital services are covered?
- What is an online search engine?
- What is an online marketplace?
- What is a cloud computing service?
- We are a small business – does NIS apply?
- Do we have to be based in the UK?
- Do we have to register?
You are covered by NIS if you provide one or more of:
- an online search engine;
- an online marketplace; or
- a cloud computing service
If your head office is in the UK, and you are neither a micro nor small enterprise, then you are a ‘relevant digital service provider’ and NIS applies to you.
Importantly, you need to provide your digital service to external customers. You may, for example, operate a search engine within your own corporate network for your employees to use. However, whilst this may be a ‘digital service’ as defined by NIS, it does not make you a ‘digital service provider’ because the search engine is internal to your systems.
Regulation 1 of NIS defines an online search engine as:
a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.
This describes a web search operator such as Google or Bing. However, most well-known search engines are not covered by NIS in the UK, as they are not based here. In these cases they are regulated by competent authorities in the Member States where they are established.
Websites that offer users a search function that is powered by another search engine (eg websites that embed a search engine provider) are also not included in this definition, although the underlying search engine may be covered provided it meets the definition of being an RDSP.
The definition of an online search engine does not include internal search engines that organisations may operate. You have to be providing the search engine to the public in order for this definition to apply.
Regulation 1 of NIS defines an online marketplace as:
‘a digital service that allows consumers and/or traders […] to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace’
For the purposes of NIS, online marketplaces are platforms that enable buyers (both consumers and traders) and sellers to conclude sales of goods and services. Not all platforms that allow individuals to buy goods and services online are covered; for example, the following are not ‘online marketplaces’ under NIS:
- sites that redirect users to other services to make a final contract, such as price comparison websites;
- classified ads; and
- online retailers that only sell directly to consumers on behalf of themselves.
Where an online marketplace uses a third-party payment provider to complete a purchase, the marketplace is still covered by NIS. This is because those concluding the sale do their business with the marketplace, not the payment provider.
Regulation 1 of NIS defines a cloud computing service as:
‘A digital service that enables access to a scalable and elastic pool of shareable computing resources.’
The definition has close alignment with that of NIST Special Publication 800-145:
‘Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.’
The term primarily, but not exclusively, includes the following types of cloud computing services:
- Software-as-a-Service (SaaS) providers: only to the extent that they provide a scalable and elastic pool of resources to the customer;
- Platform-as-a-Service (PaaS) providers; and
- Infrastructure-as-a-Service (IaaS) providers.
These are the three main categories of cloud computing services. However, there are also hybrid models, as well as other examples of ‘[something] as a Service’. If these models or concepts meet the definition of ‘cloud computing service’ then NIS will also apply to them.
The key is whether your service ‘enables access’ to a scalable and elastic pool of shareable computing resources.
As detailed in NIST SP 500-292 on Cloud Computing Reference Architecture, the following entities may, depending on the circumstances, ‘enable access’ to these resources:
- ‘cloud provider’ – the entity responsible for making a service available to cloud customers, ie they build and manage cloud infrastructure; and
- ‘cloud broker’ – an entity that manages the use, performance and delivery of cloud services, negotiating relationships between cloud providers and cloud customers.
Cloud brokers may provide a multiplicity of offerings and can essentially act as a single ‘service point’ where cloud customers can manage multiple cloud services. They can provide business and relationship support services, as well as technical support.
According to the NIST reference architecture, cloud brokers can be placed into three different categories:
- ‘service intermediation’ – where a cloud broker provides value-added services or additional functionality on top of the underlying cloud provision that it makes available to customers, such as identity management or security measures;
- ‘service aggregation’ – where a cloud broker essentially creates a new cloud service by combining and aggregating multiple other services into a single offering. In this context, the broker may provide service integration and can also be responsible for ensuring that data moves between the customer and the multiple providers in a secure manner; and
- ‘service arbitrage’ – similar to aggregation, except the services the cloud broker offers are not fixed and can be selected from multiple providers.
If you are a cloud broker, you may be covered by the NIS Regulations depending on your circumstances and the type of service(s) you offer. NIS states that for a service to fit the definition of ‘cloud computing service’, it must ‘enable access’ to a scalable and elastic pool of shareable computing resources. The pool does not necessarily have to be owned and operated by the organisation that enables access to it.
For example, if a cloud broker enables access to underlying cloud services by means of an identity management platform, if that platform suffers an incident that disrupts or reduces its functionality, the broker’s customers may be unable to access the cloud computing resources the broker offers to them.
What are “computing resources”?
Recital 17 of the Directive provides a non-exhaustive list of what is meant by ‘computing resources’ in the context of cloud computing services:
‘Those computing resources include resources such as networks, servers or other infrastructure, storage, applications and services’
This essentially the same as the NIST definition of cloud computing, which refers to ‘networks, servers, storage, applications and services’.
What does ‘scalable and elastic’ mean?
Recital 17 of the Directive describes these terms. It says:
‘The term “scalable” refers to computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand.’
‘The term “elastic pool” is used to describe computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload’
This means that if your cloud computing service exhibits these properties, then it would be regarded as ‘scalable and elastic’. This may not necessarily include all aspects of your service – it will in practice depend on your specific circumstances, the nature of the services you offer, and the details of any contractual arrangements between you and your customers. The key is whether the service is able to respond to increases in demand or changes in workload.
What does ‘shareable’ mean?
Recital 17 defines ‘shareable’ as:
‘computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment.’
In addition to the computing pool being scalable and elastic, to be covered by NIS it also needs to be shareable. This essentially aligns the NIS definition with that of the standard description of cloud computing.
In more detail – ICO guidance
For more information on the distinction between SaaS, PaaS and IaaS, see our guidance on cloud computing (PDF). This guidance was written under the Data Protection Act 1998 and will be updated to reflect the GDPR soon, however it may provide useful information for you on terminology.
The US National Institute of Standards and Technology (NIST) has published a number of cloud computing guidance materials, including:
There is a general small business exemption in NIS. If your digital service has fewer than 50 staff and a turnover and/or balance sheet of less than €10m per year, then you are not classed as an RDSP. This also includes sole traders.
Regulation 1(3)(f)(ii) says that NIS does not apply to a DSP if:
‘the provider is not a micro or small enterprise as defined in Commission Recommendation 2003/361/EC.’
Commission Recommendation 2003/631/EC concerns the definitions of small and medium-sized businesses within the EU. The EU Commission has published a summary of the Recommendation which states that there are three categories of small and medium-sized businesses:
- ‘micro enterprise’: fewer than 10 employees and an annual turnover (the amount of money taken in a particular period) or balance sheet (a statement of a company's assets and liabilities) below €2 million.
- ‘small enterprise’: fewer than 50 employees and an annual turnover or balance sheet below €10 million.
- ‘medium-sized enterprise’: fewer than 250 employees and annual turnover below €50 million or balance sheet below €43 million.
The exemption covers the first two of these categories only, so NIS does apply to medium-sized businesses as well as larger companies.
Additionally, if your digital service is part of a larger organisation, or is controlled by one or more such organisations, you need to assess whether the total staffing numbers and annual turnover or balance sheet of the group exceeds the ‘micro’ and/or ‘small’ thresholds. If this is the case, then NIS applies to you.
For more information on the definition of an SME, you can read:
To be classed as an RDSP, you must have your head office in the UK, or have nominated a representative in the UK.
A DSP whose head office is in another EU state, but which has network and information systems inside the UK, is regulated by the competent authority in that state. In these cases, this competent authority and the ICO will co-operate and assist each other as necessary, including information exchanges and requests to undertake supervisory measures.
Yes. If you are an RDSP, Regulation 14 of NIS requires you to register with the ICO by 1 November 2018. Unlike registration under data protection law, there is no fee required for NIS. You should register with the ICO by emailing firstname.lastname@example.org with the subject line ‘RDSP registration details’, and include the following in your email:
- the name of your organisation;
- the name of your service;
- the address of your head office, or that of your nominated representative; and
- up-to-date contact details, including the name of a nominated individual who we can contact about NIS related matters if we need to, their email address and their telephone number.
You can also provide this information via our helpline on 0303 123 1113.
You also need to notify us of any change to these details as soon as possible, and no later than three months after the change taking place.
If you become an RDSP after 1 November 2018, you must notify us within three months.