The UK Government has announced plans to impose fines on operators of essential services of up to £17M or 4% of global turnover for failing to implement effective cyber security measures.
The plans have been issued under the consultation on the implementation of the Network and Information Systems (NIS) Directive from May 2018.
The move by The Department for Digital, Culture, Media and Sport is designed to protect the UK's essential infrastructure and applies to electricity, transport, water, energy, health and digital service providers. The measures are intended to ensure that these essential operators take action so that their services are not interrupted.
The fines do not apply to the security of data itself, which is covered by similar fines imposed under GDPR, but rather to a failure in supply.
Minister for Digital Matt Hancock said:
We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.
The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.
The Government stress that these fines would be a last resort and would not be applied to providers that can demonstrate that they have taken all reasonable measures in assessing these cyber risks and have implemented a strategy that both recognises the risks and adopts an appropriate level of security to mitigate them.