show image

NIS Directive: Essential service providers could soon face £17m fines for poor cyber security

Essential service operators that fail to adopt effective cyber security measures could face fines of up to £17m or 4 per cent of annual turnover under new government proposals.

The penalties are designed to ensure that organisations providing critical services, including those in the digital, energy and healthcare sectors, maintain good cyber hygiene.

But DCMS has said the fines will be a last resort and won’t be used to punish operators that fall victim to strikes despite meeting the government’s security requirements.

“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” said digital minister Matt Hancock.

The move comes after WannaCry ransomware paralysed parts of the NHS in May, forcing doctors and nurses to cancel thousands of appointments and operations.

A DCMS spokesperson confirmed to NS Tech that the fines would apply to the NHS and other public sector organisations, as well as businesses.

The plans will be discussed as part of a consultation on how to implement the EU’s Network and Information Systems (NIS) Directive from May 2018. NIS is distinct from General Data Protection Regulation because it covers loss of service, rather than loss of data.

The government has committed to the directive, but is due to hold a series of workshops with operators to consult on who it should apply to, the size of the fines and other aspects of the proposals.

Hancock added: “The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”