Digital Service Providers

Digital Service Providers

The Directive also aims to improve the security of certain key online services. These services, known as Digital Service Providers, include online marketplaces, online search engines and cloud computing services. The Directive obliges Digital Service Providers to identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering the aforementioned services.

According to the Directive, Digital Service Providers should be subject to light touch and reactive ex post supervisory activities. Unlike Operators of Essential Services, the State does not have the responsibility of officially designating corporations as Digital Service Providers. Instead the onus is on the corporations themselves to decide if they fall under the scope of the Directive and if so, to comply with the security measures and incident reporting guidelines.

It is important to note that micro and small enterprises are not covered by the Directive. This means that any enterprise that employs fewer than 50 people and whose annual turnover and/or annual balance sheet total is less than EUR 10 million does not come under the scope of the Directive and should not identify themselves as a Digital Service Provider in respect of the Directive.

The security measures for Digital Service Providers are set out in Commission Implementing Regulation (EU) 2018/151 , along with the incident reporting requirements.

Further information on Digital Service Providers can be found here.

For the reporting of incidents, please complete this form ​and email it to or