The UK government is considering proposals that would impose heavy fines on operators of essential services that fall victim to a cyber attack because of inadequate security.
On 8 August, the Department for Digital, Culture, Media & Sport (DCMS) opened a consultation on the government's plan for implementing those measures.
The proposal centers on the EU Directive on security of network and information systems (the NIS Directive). Adopted by the European Parliament on 6 July 2016, the Directive sets out measures member states must take to achieve a high common level of security of network and information systems across the European Union, including participating in an EU-wide cooperation group and CSIRT network for sharing information on threats and incidents, and designating a competent national NIS authority. Member states have until May 2018 to transpose the Directive into national law.
The United Kingdom might be in Brexit talks with the European Union, but the nation still sees value in implementing the NIS Directive. It’s drawn to one facet of the legislation in particular:
“a culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority.”
Essentially, the DCMS doesn't want a repeat of the WannaCry ransomware outbreak and the disruption it caused to the National Health Service (NHS). That's why the United Kingdom wants to transpose the Directive into its own law and push operators of essential services to strengthen their defenses against digital threats. For operators that suffer a damaging attack because they failed to put appropriate security measures in place, the UK government is contemplating fines of up to £17 million or four percent of global turnover.
These fines would not apply to operators that had assessed their risks, implemented appropriate security measures, and engaged with their regulator yet still fell victim to an attack. In effect, they are intended as a last resort, meant to drive operators to secure their systems rather than to punish them for being attacked. Digital Minister Matt Hancock elaborated on that point to BBC News:
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack.”
“NEWS: We’ve announced plans to ensure UK's essential services are protected from cyber attacks #CyberSecurity https://t.co/mbkKLvYRpt”
— DCMS (@DCMS), Twitter, August 8, 2017
The penalties proposed for the NIS Directive are similar to, but separate from, those that the Information Commissioner's Office could impose under the new data protection legislation the UK government intends to bring forward later this summer to keep the nation aligned with the European Union's General Data Protection Regulation (GDPR). Under the consultation's proposals, NIS fines would be imposed by the competent authority for each sector rather than by the ICO.
Industry, regulators, and other interested parties can respond to the DCMS consultation on the NIS Directive through the consultation page until 23:45 on 30 September 2017.