Companies that operate without effective cybersecurity measures risk fines of up to £17 million. The new directive targets businesses that operate in ‘essential services’, so UK operators in electricity, energy, water, transport, health and digital infrastructure need to be particularly vigilant. The National Cyber Security Centre (NCSC), the UK’s centre of cyber expertise, which opened in 2017, has published detailed guidance on the security measures that will help organisations comply.
Minister for Digital and the Creative Industries, Margot James, said that the implementation of the EU’s August 2016 Network and Information Systems (NIS) Directive will help minimise the likelihood of cyber-threats disrupting the UK’s essential services and infrastructure. James went on to encourage “all public and private operators in these essential sectors to take action now”.
Fourteen key principles are intended to guide companies in implementing the cyber security measures they need. The NCSC’s summary table of these 14 principles links to multiple guidance documents under every heading, and groups the principles into four main objectives: managing security risk, defending systems against cyber attack, detecting cyber security events, and minimising the impact of cyber security incidents.
The new directive becomes law on 10th May 2018 and would cover security breaches and ransomware outbreaks such as the WannaCry attack that hit the NHS, among others, in May 2017. Importantly, fines will be imposed only as a last resort: they will not be levied on organisations that can show they have adequately assessed their risks, put best-practice security measures in place, and engaged with their regulators.