UK Government Consults on Cyber Security Measures
The UK government is consulting on its plans for implementing the EU's directive on security of network and information systems (NIS), under which businesses could face fines of up to £17m or 4% of global turnover if they fail to have effective measures in place to protect against cyber attacks and other disruptions.
The Department for Digital, Culture, Media and Sport (DCMS) has said that fines will be used only as a last resort: operators that properly assessed their risks, took preventative measures and engaged with the relevant authorities but still fell victim to an attack will not be fined.
The NIS directive concerns loss of service rather than loss of data, which falls under the General Data Protection Regulation (GDPR). The requirements of GDPR are being dealt with under entirely separate legislation.
The requirements of the NIS directive will apply to UK operators in energy (including electricity), health, digital infrastructure, water and transport, and will cover not only cyber attacks but also other threats to IT systems, such as hardware failures, power outages and environmental hazards.
The NIS directive will provide guidance to operators to ensure that they take the steps necessary to protect their IT systems.
Under the government's plans, UK operators will be required to devise a strategy and develop policies for understanding and managing their risks. They will also have to adopt security measures to prevent attacks and system failures, including measures that help detect attacks, establish security monitoring, raise awareness among staff and ensure that incidents are reported as soon as they occur.