Organisations that provide critical national infrastructure services including electricity, water, energy, transport, and healthcare could face fines of £17m or four percent of their global turnover if they fail to protect themselves from cyberattacks.
The plan is being considered by the UK government as it examines how to implement the European Union’s Network and Information Systems (NIS) Directive from May 2018. The directive represents the first piece of EU-wide legislation on cybersecurity and provides legal measures in an effort to protect member states and their essential services from cyberattacks.
This consultation on protecting essential services comes a few months after parts of the National Health Service were crippled — in some cases for over a week — by the global WannaCry ransomware outbreak.
According to the Department for Digital, Culture, Media, and Sport, the fines would be a last resort — and they won’t apply to organisations that have put proper cybersecurity protections in place and still suffered a system outage as a result of a cyberattack. At this stage, the government isn’t clear about exactly what constitutes taking proper precautions.