Businesses that provide essential services like energy and transport could be fined as much as £17m for failing to have effective cyber security measures in place following new proposals the government announced today.
The Department for Digital, Culture, Media and Sport (DCMS) is considering the plans as part of a consultation to decide how to implement the Network and Information Systems (NIS) Directive, the European Union's first piece of cyber security legislation. It will form part of the government's five-year, £1.9bn investment in cyber security.
The NIS Directive aims to ensure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to handle a cyber threat.
It will also cover other threats to IT systems including power failures, hardware failures and environmental hazards.
Fines would be used as a last resort, the government said.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” said minister for digital Matt Hancock.
In May, the UK was one of 150 countries hit by a cyber virus called WannaCry that brought down NHS services, and in June, a ransomware attack called Petya hit London-based advertising giant WPP, Danish shipping group Maersk, Cadbury's owner Mondelez and a number of Ukrainian and Russian businesses.
The government is proposing a number of new security measures as part of its National Cyber Security Strategy (NCSS), announced in November last year.
The strategy included opening the National Cyber Security Centre (NCSC) and offering free online advice as well as training schemes to help businesses protect themselves.
Ciaran Martin, chief executive of the NCSC, said:
“We welcome this consultation and agree that many organisations need to do more to increase their cyber security.
“The NCSC is committed to making the UK the safest place in the world to live and do business online, but we can’t do this alone.”
Penalties proposed for flaws in network and information systems under the NIS Directive will be similar to those coming for data protection with the General Data Protection Regulation, due to be in force by May 2018.