Technical guidelines for the implementation of minimum security measures for digital service providers
Online marketplaces, online search engines and cloud computing services are considered as Digital Service Providers (DSPs) in the context of the recently adopted Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, hereafter referred to as the Network and Information Security (NIS) Directive. The NIS Directive aims to bring cybersecurity capabilities to the same level of development in all the EU Member States. Its purpose is to ensure that exchange of information and cooperation related to security amongst Member States are efficient, including at the cross-border level. With NIS becoming a requirement, the introduction of specific laws in this area across the European Union will have a significant impact on all industry sectors, including those relating to DSP categories. Many businesses in the Union rely on these DSPs for the provision of their services. Some digital services could be an important resource for their users, including Operators of Essential Services (OES), and as such users might not always have alternatives available. The security, continuity and reliability of the type of digital services referred to in this Directive are of the essence for the smooth functioning of many businesses. A disruption of such a digital service could prevent the provision of other services which depend on it and could consequently have an impact on key economic and societal activities in the Union. Such digital services might therefore be critical for the smooth functioning of businesses that depend on them, for the internal market and cross-border trade across the Union. It is essential for all Member States to make sure that they have minimum capabilities to ensure a high level of NIS in their territory and to improve the functioning of the internal market.
Commonly defined security measures can support harmonised security practices across EU Member States and potentially enhance the overall level of NIS in the EU. Therefore, ENISA has issued this report to assist Member States and DSPs in providing a common approach regarding the security measures for DSPs. Although ENISA has already drafted a set of security objectives in the context of cloud security in 2014, this study goes further than that by broadening the scope of its work and by including security objectives for all three categories of digital service providers. This study lists 27 Security Objectives (SOs) for DSPs. In those 27 SOs, security measures that map to the NIS Directive requirements are also included. This particular initiative has been achieved by examining current information and network security practices for the DSPs across the EU. It has brought to light some important findings that can add to existing security objectives and measures in information technology infrastructures in Europe. It is recommended that stakeholders and responsible parties analyse their information security needs in detail in order to evaluate and adapt each of the security objectives and measures according to their specific business requirements.
Year of publication: | [2016] |
---|---|
Institutions: | European Network and Information Security Agency (issuing body) |
Publisher: | Heraklion : ENISA |