Digital Service Providers

The Directive also aims to improve the security of certain key online services. These services, known as Digital Service Providers, include online marketplaces, online search engines and cloud computing services. The Directive obliges Digital Service Providers to identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering the aforementioned services.

Unlike Operators of Essential Services, the State does not have the responsibility of officially designating entities as Digital Service Providers. Instead the onus is on the entities themselves to identify if they fall under the scope of the Directive and if so, to comply with the security measures and incident reporting guidelines.

It is important to note that micro and small enterprises are not covered by the Directive. This means that any enterprise that employs fewer than 50 people and whose annual turnover and/or annual balance sheet total is less than EUR 10 million does not come under the scope of the Directive and should not identify themselves as a Digital Service Provider in respect of the Directive.

The security measures for Digital Service Providers are set out in Commission Implementing Regulation (EU) 2018/151, along with the incident reporting requirements.

Further information on Digital Service Providers can be found here.

For the reporting of incidents, please complete this form ​and email it to or