The government is warning firms involved in critical industries and essential services including transport, energy, health and digital infrastructure that they could be fined as much as £17m if they don’t have adequate cybersecurity safeguards in place.
The Network and Information Systems (NIS) Directive comes into effect on 10 May, and the government wants to see a voluntary uptake of the new rules ahead of implementation.
Margot James, the digital minister, said: ‘We are setting out new and robust cybersecurity measures to help ensure the UK is the safest place in the world to live and be online . . . We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services.’
Some infrastructure is ‘wide open’ to attack
The new measures cover oil and gas companies, water and electricity suppliers, healthcare providers, air, sea, road and rail transport, telecoms firms, and digital businesses including cloud service providers.
Robert Hannigan, the former head of GCHQ, noted that the energy sector was ‘wide open’ and ‘very vulnerable’, now susceptible to attacks that at one time could only have been achieved through military force.
‘What is new is the ability of hackers to remotely attack infrastructure in a way you couldn't without bombing before,’ he said.
Major requirements for organisations will include having the right people, software and apparatus in place to handle an attack; possessing the necessary capabilities to detect if an attack has taken place; and ensuring the right systems are in place to minimise the impact of an attack if a system is breached.
A spokesman for the Department for Digital, Culture, Media and Sport described the financial penalties as a ‘last resort’, adding that fines would only reach their maximum level if organisations had failed to adequately assess risks and improve their security.
NCSC also publishes new guidance on cybersecurity
The National Cyber Security Centre has also published guidance based on 14 key principles that the Department for Digital, Culture, Media and Sport detailed in its consultation last year, and which are in accordance with the UK's existing cybersecurity standards.
Ciaran Martin, chief executive of the NCSC, said: ‘Our new guidance will give clear advice on what organisations need to do to implement essential cybersecurity measures . . . Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible.’