Organisations that provide critical national infrastructure services including electricity, water, energy, transport, and healthcare could face fines of £17m or four percent of their global turnover if they fail to protect themselves from cyberattacks.
The plan is being considered by the UK government as it examines how to implement the European Union’s Network and Information Systems (NIS) Directive from May 2018. The directive represents the first piece of EU-wide legislation on cybersecurity and provides legal measures in an effort to protect member states and their essential services from cyberattacks.
This consultation on protecting essential services comes a few months after parts of the National Health Service were crippled — in some cases for over a week — by the global WannaCry ransomware outbreak.
According to the Department for Digital, Culture, Media, and Sport, the fines would be a last resort — and they won’t apply to organisations that have put proper cybersecurity protections in place and still suffered a system outage as a result of a cyberattack. At this stage, the government isn’t clear about exactly what constitutes taking proper precautions.
NIS is separate from the EU’s General Data Protection Regulations — due to come into force by May 2018 — which are designed to protect against loss of data, rather than loss of service.
Under the cybersecurity standards, infrastructure providers will be required to develop a strategy to understand and manage risk, as well as implement measures to prevent attacks and system failures, including raising staff awareness with training. Companies will also be obliged to report incidents as soon as they happen and ensure they can restore systems as quickly as possible in the event of an attack.
The government is set to host workshops with critical national infrastructure operators in order to pick their brains before any proposals for fines are introduced.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyberattack and more resilient against other threats such as power failures and environmental hazards,” said minister for digital Matt Hancock.
“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim,” he added.
The National Cyber Security Centre — the arm of GCHQ responsible for helping to protect the UK from cyberattacks — has also encouraged organisations to take part in discussions with government.
“We welcome this consultation and agree that many organisations need to do more to increase their cyber security,” said NCSC CEO Ciaran Martin.
The public consultation will address the essential services the directive needs to cover, the proposed penalties, proposed security measures, timelines for incident reporting, and how it will affect digital service providers.
Those interested in responding have until 11:45pm on 30 September 2017 to fill out the online form.
The proposals for fining essential service providers for having poor cybersecurity come after the government also issued a set of guidelines for connected and autonomous vehicles in order to better protect them from hackers and cyberattacks.