
Government steps up cyber pressure on critical industries

David Bicknell Published 29 January 2018

UK’s implementation of European NIS directive threatens fines of up to £17m for energy, transport, water and health firms if they fail to act to prevent cyber attacks


In implementing the European Commission’s Network and Information Systems (NIS) directive, the government has warned that it will fine bosses of Britain’s most critical industries if they leave themselves vulnerable to cyber attacks.

Leaders of critical energy, transport, water and health firms have been told that a failure to have “robust safeguards” to prevent cyber attacks could see them being fined up to £17m.

The European Commission’s directive, which the government supports, was introduced with the intention of increasing the security of network and information systems within the European Union (EU).

The government said the NIS Directive will help ensure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing numbers of cyber threats.

It plans to appoint new regulators able to assess critical industries to ensure cyber protection plans are as robust as possible.

It will also cover other threats affecting IT such as power outages, hardware failures and environmental hazards. Under the new measures, the government said, recent cyber breaches such as WannaCry and high profile systems failures would be covered by the NIS Directive.

Margot James, minister for digital and the creative Industries, said, “Today we are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online.

“We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services.

“I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

In accordance with the directive, the National Cyber Security Centre (NCSC) published guidance on the security measures to help organisations comply. It is based around 14 key principles set out in the government’s recent consultation, which are also aligned with existing cyber security standards.

National Cyber Security Centre chief executive Ciaran Martin said, “Our new guidance will give clear advice on what organisations need to do to implement essential cyber security measures.

“Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible.”

NCSC said the implementation of Article 14 of the NIS Directive is described via four top-level objectives, which will be realised through implementation of a set of sector-agnostic security principles. Each principle describes mandatory security outcomes to be achieved.

The first objective, Managing Security Risk, covers the appropriate organisational structures, policies, and processes that must be in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services.

Principles under the objective include:

  • Governance: Putting in place the policies and processes which govern your organisation's approach to the security of network and information systems.
  • Risk management: Identification, assessment and understanding of security risks, and the establishment of an overall organisational approach to risk management.
  • Asset management: Determining and understanding all systems and/or services required to maintain or support essential services.
  • Supply chain: Understanding and managing the security risks to networks and information systems which arise from dependencies on external suppliers.

The other three objectives are:

  • Protecting against cyber attack: having proportionate security measures in place to protect essential services and systems from cyber attack.
  • Detecting cyber security events: having the capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.
  • Minimising the impact of cyber security incidents: having the capabilities to minimise the impact of a cyber security incident on the delivery of essential services, including the restoration of those services where necessary.

The new measures follow the consultation held last year by the Department for Digital, Culture, Media and Sport (DCMS) which sought views from industry on how to implement the NIS Directive, which will come into force from May 10 this year.

The government said the fines would be a last resort and would not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack.
