The UK government has introduced new legislation that could hit operators of essential infrastructure assets with hefty fines in the event of a cyber-attack.
The government’s NIS Directive proposes penalties of £17 million ($22.1 million; €18.8 million), or 4 percent of global turnover, for infrastructure operators who fail to implement “effective” cybersecurity measures.
Action considered preventative by the government includes developing security monitoring, raising staff awareness and training, reporting incidents as soon as they happen and having systems in place to ensure that they can recover quickly after any attack.
Operators taking “cybersecurity seriously should already have such measures in place”, the Department for Digital, Culture, Media and Sport warned. The DCMS admitted fines would be “a last resort” and would not apply to organisations that have taken the necessary measures but have still been hit by an attack. The new rules, to be implemented in May 2018, would apply across the electricity, transport, water, energy, health and digital infrastructure sectors.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards,” said Matt Hancock, minister for digital. “The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”
The consultation will end 30 September.
The NIS directive was mandated by the European Commission, although it is up to member states to implement more specific measures into domestic legislation. The DCMS noted that all EU obligations remain in force while the UK remains a member of the bloc and the government intends to retain this legislation once it leaves.
The new measures are similar to the EC’s General Data Protection Regulation, which will see penalties of up to €20 million imposed, or 4 percent of turnover. However, the GDPR applies only to a loss of data, while the NIS Directive is the only legislative action taken to protect infrastructure assets from cyber-attacks.
At the time of publication, the DCMS was yet to clarify whether fines would apply to asset owners or asset operators in cases where they may differ.