British businesses could face fines of up to £17 million or four per cent of their global turnover if their cyber security is not up to scratch under new government rules.
The Network and Information Systems (NIS) Directive, which could come into effect from May 2018, will hit operators of essential services with fines as “a last resort”.
It aims to ensure the UK’s electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing numbers of cyber threats.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” said digital minister Matt Hancock.
“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”
The NIS Directive’s punishments for poorly-secured firms mirror those of the European Union’s General Data Protection Regulation (GDPR), which can fine businesses up to €20 million (£18 million) or four per cent of their global turnover if they do not have strong cyber security measures in place.
However, while the GDPR focuses on organisations that lose sensitive data, the government says the NIS Directive focuses on the loss of infrastructure services.
“We welcome this consultation and agree that many organisations need to do more to increase their cyber security,” said Ciaran Martin, CEO of the National Cyber Security Centre (NCSC).
“The NCSC is committed to making the UK the safest place in the world to live and do business online, but we can’t do this alone.
“Everyone has a part to play and that’s why since our launch we have been offering organisations expert advice on our website and the government’s Cyber Essentials scheme.”
For more on the NIS Directive, see the government website.
Photo © weerapat / 123RF Stock Photo