UK government proposes large fines for critical infrastructure providers’ cyber failures

Published: Tuesday, 08 August 2017 08:54

Critical infrastructure providers who fail to implement effective cyber security measures could be fined as much as £17 million or 4 percent of global turnover, as part of plans to make Britain’s essential networks and infrastructure safe, secure and resilient against the risk of future cyber attacks.

The plans are being considered as part of a consultation launched by the Department for Digital, Culture, Media and Sport to decide how to implement the Network and Information Systems (NIS) Directive from May 2018.

Fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulation (GDPR).
It will help make sure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the growing number of cyber threats. It will also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards.

The UK government will be holding workshops with critical infrastructure operators so they can provide feedback on the proposals.

Read the consultation documents.