New cyber security regulators to be given power to fine critical services providers up to £17m

Written by Sam Trendall on 30 January 2018 in News

Organisations supplying water, energy, health or transport services must implement effective measures against cyber attacks


The UK Government is to appoint a clutch of new regulators to monitor whether organisations delivering critical services have adequate cyber security measures in place – and to fine those that don’t. 

The energy, transport, health, digital infrastructure and water sectors will each get a dedicated cyber security regulator to ensure they comply with the requirements of the EU Network and Information Systems (NIS) directive.

Service providers that are found to be lacking appropriate security procedures and technology could be fined up to £17m. 

These plans have been unveiled by the UK Government following the conclusion of a consultation last year by the Department for Digital, Culture, Media and Sport (DCMS) into implementation of the NIS directive.

The directive, which is designed to improve the cyber security credentials of businesses and public services providers, must be passed into national law by all EU member states on or before 10 May 2018. 

Whenever a cyber security incident is reported, the regulator for the sector will “assess whether appropriate security measures were in place” prior to the attack.

Regulators will have the power to mandate that firms improve their security, as well as to issue fines of up to £17m.

For its part, the UK Government has pledged to provide “a simple, straightforward reporting system” for cyber breaches and has said that fines will only be given “as a last resort”.

“Fines would be a last resort and will not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack,” the UK Government said.

Operators will also be expected to show adequate preparedness for “other threats affecting IT such as power outages, hardware failures, and environmental hazards”, the UK Government added.

Margot James, minister for digital and the creative industries, said: “We want our essential services and infrastructure to be primed and ready to tackle cyberattacks and be resilient against major disruption to services.

“I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

The National Cyber Security Centre has published guidance on what firms and public bodies need to do to ensure they comply with the directive.
