New cybersecurity regulators to be given power to fine critical services providers £17m

Written by Sam Trendall on 30 January 2018 in News

Organisations offering water, energy, health, or transport services must implement effective preventive measures or face serious consequences


The government is to appoint a clutch of new regulators to monitor whether organisations delivering critical services have adequate cybersecurity measures. 
The energy, transport, health, digital infrastructure, and water sectors will each get a dedicated cybersecurity regulator. Service providers that are found to be lacking appropriate security procedures and technology could be fined up to £17m. 

These plans have been unveiled by the government following the conclusion of a consultation by the Department for Digital, Culture, Media and Sport into the EU Network and Information Systems (NIS) directive. The legislation, which is designed to improve the cybersecurity credentials of businesses and public-services providers, must be passed into national law by member states on or before 10 May. 

For its part, the government has pledged to provide “a simple, straightforward reporting system” for reporting cyber breaches. Once incidents have been reported, the regulator for each sector will “assess whether appropriate security measures were in place” prior to the attack. Regulators will have the power to mandate that firms improve their security, as well as issuing fines of up to £17m.

“Fines would be a last resort and will not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack,” the government added.

Operators will also be expected to show adequate preparedness for “other threats affecting IT such as power outages, hardware failures, and environmental hazards”, the government said.

Margot James, minister for digital and the creative industries, said: “We want our essential services and infrastructure to be primed and ready to tackle cyberattacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cybersecurity.”

The National Cyber Security Centre has published guidance on what firms and public bodies need to do to ensure they comply with the directive.

“Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible,” said NCSC chief executive Ciaran Martin.


About the author

Sam Trendall is editor of PublicTechnology
