The provisions on digital services in the NIS Directive apply to:
- online marketplace providers,
- search engine providers, and
- cloud service providers.
The provisions do not apply to micro and small enterprises.
These enterprises are defined in Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises. In the Recommendation, a small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. The Recommendation contains instructions on, for example, how ownership within an enterprise is taken into account in calculating staff numbers and financial ceilings.
In other words, if the staff numbers or financial figures of a digital service provider, that is a provider of an online marketplace, search engine or cloud service, exceed the thresholds, the NIS Directive applies to the service provider's operations.
Security obligations and incident reports in digital services
The Act on Electronic Communications Services contains general provisions on digital service providers’ obligations. In practice, service providers must take measures to manage the risks posed to the security of their network and information systems.
In addition, digital service providers must notify Traficom immediately of any significant information security incidents affecting their services.
The NCSC-FI also invites voluntary reports on incidents in digital services even if the service provider size or the incident did not exceed the thresholds. Such reports help the CERT-FI at the NCSC-FI to compile a situation picture and provide information on how to prevent incidents and recover from them. Statutory incident reports, too, are primarily handled within the CERT activities instead of as an administrative supervision task.
The Commission Implementing Regulation (EU) 2018/151 (‘DSP Regulation’) contains more specific obligations on risk management and incident reports.
The Regulation specifies the issues to be considered in risk management:
- Security elements:
  - security of systems and facilities
  - security threat and incident handling
  - business continuity management
  - monitoring, auditing and testing
  - compliance with international standards.
The Regulation contains provisions on determining the substantiality of an incident and notification thresholds:
- Parameters for determining whether the impact of an incident is substantial:
  - number of users affected by an incident
  - duration of an incident
  - geographical area affected by the incident
  - impact on the availability, authenticity, integrity or confidentiality of data or related services
  - impact on economic and societal activities
  - digital service providers are not required to collect additional information to which they do not have access.
- Substantial impact of an incident (thresholds):
  - service was unavailable for more than 5,000,000 user-hours
  - loss of integrity, authenticity or confidentiality affects more than 100,000 users in the EU
  - risk to public safety, public security or of loss of life
  - material damage exceeding EUR 1,000,000 to at least one user in the EU.
Furthermore, under the Act on Electronic Communications Services, Traficom may issue further regulations on the content, form and delivery of the reports. So far, Traficom has not exercised this right. Traficom evaluates whether it is necessary to issue such regulation based on the reports it receives.
Digital infrastructure providers include Internet Exchange Points (IXP), DNS (Domain Name System) service providers and TLD (Top-Level Domain) name registries, which in Finland are .fi and .ax.
In Finland, the provision of internet exchange points and domain name servers is covered by the regulation on public telecommunications in cases where the IXPs interconnect public communications networks, and where DNS is provided as a part of internet access services. Operators providing these digital infrastructure elements are telecommunications operators, which are subject to the regulatory framework for public telecommunications.
The requirements for information security in telecommunications services and incident reports are provided in the Act on Electronic Communications Services and Traficom's technical regulations supplementing the Act.
In Finland, country-code top-level domains are governed by authorities: the Finnish Transport and Communications Agency Traficom is responsible for the .fi domain and the Government of Åland governs the .ax domain. Provisions concerning these digital infrastructure elements are laid down in the Act on Electronic Communications Services and in the legislation on the openness and information security of government activities. In Finland, we apply the so-called registry-registrar model to domain names. Registrars’ obligations regarding information security and incident reports are laid down in the Act on Electronic Communications Services and Traficom Regulation on domain names that end with .fi or .ax and the registration of such names.