The plans under discussion are part of a consultation launched today by the Department for Digital, Culture, Media and Sport to decide how to implement the Network and Information Systems (NIS) Directive from May 2018.

According to the Government, fines would be issued as a last resort, and would not apply to operators that have judged the risks adequately, taken appropriate measures, and engaged with competent authorities but still suffered an attack.

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulations (GDPR).

It’s thought that the measures will help ensure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing numbers of cyber threats. It will also cover threats affecting IT such as power failures, hardware failures and environmental hazards.

Minister for Digital, Matt Hancock, said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.

“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”

The NIS Directive, once implemented, will form a significant part of the Government’s five-year £1.9 billion National Cyber Security Strategy. It will encourage essential service operators to make sure they are taking the necessary action to protect their IT systems.

Other factors under discussion are that operators will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.

In recent years, the Government has sought to adopt a solid stance against cyber attacks: a five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of investment. The strategy includes opening the National Cyber Security Centre and offering free online advice as well as training schemes to help businesses protect themselves.

NCSC CEO Ciaran Martin said: “We welcome this consultation and agree that many organisations need to do more to increase their cyber security.”

The consultation proposes similar penalties for flaws in network and information systems as those coming for data protection with the General Data Protection Regulation, due to be in force by May 2018. Failure to implement effective security could see penalties as large as £17 million or 4 per cent of global turnover.

