Publication of the NIS Implementation Regulation (for digital service providers)

(This entry has been prepared in collaboration with Ana Marzo, from Equipo Marzo, who provided a good part of the information).

Just a couple of weeks ago Ana Marzo, from Equipo Marzo, an attorney for whom I have great professional respect, contacted me about the publication, unexpected (at least by me), of a new Commission regulation related to the NIS Directive, which in a display of originality I have called the NIS implementation regulation.

In fact, Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 (published in the Official Journal on 31 January 2018) lays down rules for the application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems, and of the parameters for determining whether an incident has a substantial impact.

At least it caught me by surprise (and I am sure some of our readers will feel the same), since I expected a transposition of the directive, not a regulation emanating directly from the Commission (which does not mean, of course, that we will not also get our own NIS legislation; the legislator must be kept busy…). Since, although in different areas, we had both worked for the same client, one that fits the concept of digital service provider and could therefore be affected, we asked ourselves whether the regulation applied to that specific client. For example, is an online newspaper affected? An online shop? An online bingo? A site for sales between private individuals? Answering these questions is the subject of this entry.

The main issue in determining the scope of Implementing Regulation 2018/151 lies in establishing what it understands by “digital service provider”. The first step is to analyse its subject matter, set out in Article 1, which refers directly to Directive 2016/1148 (throughout this text, italics and bold are the author’s, not the original’s):

This Regulation specifies further the elements to be taken into account by digital service providers when identifying and taking measures to ensure a level of security of network and information systems which they use in the context of offering services referred to in Annex III to Directive (EU) 2016/1148 and specifies further the parameters to be taken into account to determine whether an incident has a substantial impact on the provision of those services.

In order to identify the nature of this service offer, it is necessary to review what Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, currently being transposed into Spanish law and known in the sector as the NIS Directive, specifies in its Annex III:

Types of digital services for the purposes of point (5) of Article 4

1. Online marketplace.

2. Online search engine.

3. Cloud computing service.

If we go to Article 4, point (5), of the same NIS Directive, it defines “digital service” as:

[…] a service within the meaning of point (b) of Article 1 of Directive (EU) 2015/1535 of the European Parliament and of the Council which is of a type listed in Annex III;

And “digital service provider” as:

[…] any legal person that provides a digital service.

If we continue unravelling the skein and turn to Article 1(1)(b) of Directive 2015/1535, which lays down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services, it defines “service” as:

[…] any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. 

For the purposes of this definition: 

i) «at a distance» means that the service is provided without the parties being simultaneously present;

ii) «by electronic means» means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;

iii) «at the individual request of a recipient of services» means that the service is provided through the transmission of data on individual request.

An indicative list of services not covered by this definition is set out in Annex I.

It is especially interesting to analyse the exceptions that Annex I refers to, in particular those concerning point i):

1. Services not provided «at a distance»:

Services provided in the physical presence of the provider and the recipient, even if they involve the use of electronic devices:

a) medical examinations or treatment at a doctor’s surgery using electronic equipment where the patient is physically present;

b) consultation of an electronic catalogue in a shop with the customer on site;

c) plane ticket reservation at a travel agency in the physical presence of the customer by means of a network of computers.

If we also look at what Annex I lists as exceptions to points ii) and iii), a differential analysis makes it clear that the concept of “service” as understood by the NIS Directive includes, by default, almost all web services and electronic commerce:

2. Services not provided «by electronic means»

— Services having material content even though provided via electronic devices:

a) automatic cash or ticket dispensing machines (banknotes, rail tickets);

b) access to road networks, car parks, etc., charging for use, even if there are electronic devices at the entrance/exit controlling access and/or ensuring correct payment is made.

— Offline services: distribution of CD-ROMs or software on diskettes.

— services which are not provided via electronic processing/inventory systems:

a) voice telephony services; 

b) telefax/telex services;

c) services provided via voice telephony or fax;

d) telephone/telefax consultation of a doctor;

e) telephone/telefax consultation of a lawyer;

f) telephone/telefax direct marketing.

3. Services not supplied «at the individual request of a recipient of services» 

Services provided by transmitting data without individual demand for simultaneous reception by an unlimited number of individual receivers (point to multipoint transmission):

a) television broadcasting services (including near-video on-demand services), covered by point (e) of Article 1(1) of Directive 2010/13/EU;

b) radio broadcasting services;

c) (televised) teletext.

In addition, the Spanish Draft NIS Law establishes in its Article 2, “Scope of application”:

1. This law shall apply to the provision of:

a) The essential services dependent on the networks and information systems included in the strategic sectors defined in the annex to Law 8/2011, of April 28, which establishes measures for the protection of critical infrastructures.

b) Digital services, as defined in Article 3(e), that are online marketplaces, online search engines and cloud computing services.

If we look at the definition of “digital service” in Article 3(e) of the preliminary draft, it reads:

[…] information society service within the meaning of letter a) of the annex to Law 34/2002, of 11 July, on information society services and electronic commerce

Which Law 34/2002, of 11 July, on information society services and electronic commerce (LSSICE), defines as:

a) “Information society services” or “services”: any service normally provided for consideration, at a distance, by electronic means and at the individual request of the recipient.

The concept of information society service also includes services not remunerated by their recipients, insofar as they constitute an economic activity for the service provider.

The following, among others, are information society services, provided they represent an economic activity:

1. The contracting of goods or services electronically.

2. The organization and management of auctions by electronic means or of virtual markets and shopping centers.

3. The management of purchases in the network by groups of people.

4. The sending of commercial communications.

5. The supply of information by telematic means.

The following shall not be considered information society services: those that do not meet the characteristics indicated in the first paragraph of this section and, in particular, the following:

[…]

Therefore, the underlying notion of “service” on which the implementing regulation rests is a broad one: in addition to many others, it covers all pages devoted to electronic commerce and to the provision of information to the user, provided this is framed within an economic activity of the operator. Bear in mind, though, that Article 4(5) of the NIS Directive only counts as a “digital service” those information society services of a type listed in Annex III, so an operator is a digital service provider for the purposes of the regulation only insofar as it runs an online marketplace, an online search engine or a cloud computing service.

However, applying the specified measures would involve a disproportionate and unaffordable cost for a large number of companies, so the NIS Directive, in Article 16(11), “Security requirements and incident notification”, specifies that:

This Chapter shall not apply to digital service providers that are micro and small enterprises as defined in Commission Recommendation 2003/361/EC.

Recommendation 2003/361/EC defines small and micro enterprises in Article 2 of its Annex according to the following parameters:

1. The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.

2. Within the SME category, a small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million.

3. Within the SME category, a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.

Given that the regulation that is the object of this entry (2018/151) essentially develops Article 16 of the NIS Directive (in its Articles 2 and 3), it can be concluded that Regulation 2018/151 applies, among others, to digital service providers (online marketplaces, search engines and cloud services, including e-commerce sites and information services that operate as such within an economic activity) that:

i) employ 50 or more persons, or

ii) whose annual turnover and annual balance sheet total both exceed EUR 10 million.

(Note that by De Morgan’s laws the negation of a conjunction is the disjunction of the negations, ¬(P ∧ Q) ≡ (¬P ∨ ¬Q). The “small enterprise” condition is “fewer than 50 persons AND (turnover ≤ 10 M OR balance sheet ≤ 10 M)”, because the Recommendation’s “and/or” means that meeting either financial ceiling is enough. Its negation is therefore “50 or more persons OR (turnover > 10 M AND balance sheet > 10 M)”: a company with 49 employees and EUR 30 million turnover but a balance sheet total of EUR 8 million is still a small enterprise and is exempt, whereas one with exactly 50 employees is not, whatever its figures. Note also that the Recommendation aggregates figures of partner and linked enterprises and looks at two consecutive financial years, which can tip a company across the threshold.)

That is, a good number of companies that probably do not know that they are affected by the regulation.
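To make the threshold logic of Article 16(11) concrete, here is a small Python example added by the editor (it is not code from the original post or from any official source). It encodes the micro and small enterprise ceilings quoted above, under the reading that the Recommendation’s “and/or” lets an enterprise satisfy the financial criterion by either turnover or balance sheet total, and checks that the De Morgan rewrite (“50 or more persons OR both financial figures above EUR 10 million”) agrees with the direct definition. It also contrasts it with the flat-disjunction reading (“more than 50 persons OR turnover above 10 M OR balance sheet above 10 M”) to show exactly which companies the two readings classify differently. The sample enterprises are constructed and hypothetical; whether a company is a digital service provider at all (Annex III) is out of scope of this snippet.

```python
"""Article 16(11) NIS exemption: micro and small enterprises under
Commission Recommendation 2003/361/EC (Annex, Article 2).

Editor's example, not the post's own code. Assumption stated in the
lead-in: "and/or" means that meeting EITHER the turnover ceiling OR the
balance-sheet ceiling satisfies the financial criterion. The rules on
partner/linked enterprises and on two consecutive financial years are
deliberately ignored here.
"""
from dataclasses import dataclass
from typing import Dict, List

SMALL_HEADCOUNT = 50
SMALL_CEILING_EUR = 10_000_000
MICRO_HEADCOUNT = 10
MICRO_CEILING_EUR = 2_000_000


@dataclass(frozen=True)
class Enterprise:
    name: str
    headcount: int            # persons employed (annual work units)
    turnover_eur: float       # annual turnover
    balance_sheet_eur: float  # annual balance-sheet total


def meets_financial_ceiling(e: Enterprise, ceiling_eur: float) -> bool:
    """'and/or' reading: one of the two figures within the ceiling suffices."""
    return e.turnover_eur <= ceiling_eur or e.balance_sheet_eur <= ceiling_eur


def is_micro(e: Enterprise) -> bool:
    return e.headcount < MICRO_HEADCOUNT and meets_financial_ceiling(e, MICRO_CEILING_EUR)


def is_small(e: Enterprise) -> bool:
    return e.headcount < SMALL_HEADCOUNT and meets_financial_ceiling(e, SMALL_CEILING_EUR)


def is_exempt_from_chapter_v(e: Enterprise) -> bool:
    """Article 16(11): Chapter V does not apply to micro and small enterprises.
    Every micro enterprise is also small, so this collapses to is_small."""
    return is_micro(e) or is_small(e)


def chapter_v_applies(e: Enterprise) -> bool:
    """De Morgan applied to the small-enterprise definition:
    not (headcount < 50 and (turnover <= 10M or balance <= 10M))
      == headcount >= 50 or (turnover > 10M and balance > 10M)
    """
    return e.headcount >= SMALL_HEADCOUNT or (
        e.turnover_eur > SMALL_CEILING_EUR and e.balance_sheet_eur > SMALL_CEILING_EUR
    )


def flat_disjunction_applies(e: Enterprise) -> bool:
    """The tempting but wrong rewrite: 'more than 50 people, or turnover OR
    balance sheet above 10M'. Kept only to show where it diverges."""
    return (
        e.headcount > SMALL_HEADCOUNT
        or e.turnover_eur > SMALL_CEILING_EUR
        or e.balance_sheet_eur > SMALL_CEILING_EUR
    )


# Constructed, hypothetical enterprises (not real companies).
SAMPLES: Dict[str, Enterprise] = {
    "corner-shop":    Enterprise("corner-shop", 8, 1_500_000, 900_000),
    "marketplace-49": Enterprise("marketplace-49", 49, 30_000_000, 8_000_000),
    "marketplace-50": Enterprise("marketplace-50", 50, 1_000_000, 1_000_000),
    "boutique-rich":  Enterprise("boutique-rich", 20, 12_000_000, 11_000_000),
    "big-cloud":      Enterprise("big-cloud", 300, 80_000_000, 60_000_000),
}


def disagreements() -> List[str]:
    """Names of sample enterprises the two readings classify differently."""
    return sorted(
        name for name, e in SAMPLES.items()
        if chapter_v_applies(e) != flat_disjunction_applies(e)
    )


if __name__ == "__main__":
    for name, e in SAMPLES.items():
        print(f"{name:15s} micro={is_micro(e)!s:5} small={is_small(e)!s:5} "
              f"chapter V applies={chapter_v_applies(e)}")
    print("readings disagree on:", disagreements())
```

Running it shows that the direct definition and the De Morgan rewrite never disagree, while the flat-disjunction reading misclassifies both the 49-person marketplace with a big turnover (actually exempt, because its balance sheet stays under the ceiling) and the 50-person one with tiny figures (actually in scope, because the headcount condition is “fewer than 50”).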

To finish, although it is not my intention to analyse the implementing regulation here, whose title is long although the regulation itself is short (barely 2 pages, ignoring the recitals), its application (from 10 May 2018) can be roughly summarised in a handful of points:

  1. Implement an Information Security Management System.
  2. Implement a Management System for Business Continuity.
  3. Implement a Cyber-Incident Management Procedure.

Which, put this way, seems easy, but in practice may turn out to be somewhat more laborious.

And with this we conclude today’s entry. My thanks once again to Ana Marzo, and if any of you spot an error or disagree with something above, I will be happy to discuss it and even correct my words, for as you know nobody is infallible.

Have a good day.