Measures to protect the UK’s critical infrastructure and digital services from cyber attacks and computer network failure came into force on 10th May 2018. Health, water, energy, transport and digital infrastructure companies will now be expected to have robust safeguards in place against cyber threats and will have to report breaches and network outages to regulators within 72 hours or face fines of up to £17 million.
The new law will also give regulators powers to assess critical industries and make sure plans are in place to prevent attacks. The regulator will have the power to issue legally-binding instructions to improve security, and – if necessary – impose significant fines.
The legislation will also cover other threats affecting IT such as hardware failures and environmental hazards.
In a statement, Margot James, Minister for Digital and the Creative Industries, said:
“It’s vital that we put in place tough new measures to strengthen the UK’s cyber security and make sure we are the safest place in the world to live and be online.
“Organizations must act now to make sure that they are primed and ready to stop potential cyber attacks and be resilient against major disruption to the services we all rely on.”
The Government says that fines would be a last resort and will not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack.