This site uses cookies to improve your browsing experience and analyse use of our website. By clicking ‘I accept’ you agree and consent to our use of cookies. You can find out more about our cookies here. Find out more

Providers of essential services come under cyber security spotlight

John Stanford

Essential service operators could face fines of up to £17 million or 4% of global turnover if they fail to implement effective cyber security measures.

The Government is seeking feedback on these potential fines as part of its consultation on how to implement the Network and Information Systems (NIS) Directive from May 2018.

The NIS Directive, which focuses on loss of service, aims to make sure that operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing numbers of cyber threats. It will also cover other threats affecting IT such as power failures, hardware failures and environmental hazards. The Government’s consultation addresses a number of issues, including the proposed penalties, the essential services covered and the proposed security measures required.

Under the Government’s proposals, operators would be required to:

  • develop a strategy and policies to understand and manage their risk;
  • implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training;
  • report incidents as soon as they happen; and
  • have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.

The fines would be a last resort. They would not apply to operators that, although suffering an attack, had assessed the risks adequately, taken appropriate security measures and engaged with competent authorities.

The NIS Directive, once implemented, will form part of the Government’s National Cyber Security Strategy announced in November 2016.

Matt Hancock, Minister for Digital, said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards. The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”

If you would like to discuss with our specialist Cyber Security team, please contact us.