The government has warned providers of “essential services” that they face fines of up to £17m if they fail to put in place robust cybersecurity to comply with the EU’s NIS Directive by May 10.
The Security of Network and Information Systems Directive, to give it its full name, is an attempt by the European Commission to improve baseline security across the region for critical infrastructure (CNI) providers. Like the GDPR, the UK government will adopt the law post-Brexit.
After a consultation period, the government has clarified certain elements of the new directive, which will apply to operators in electricity, water, energy, transport, health and digital infrastructure — with regulators to be appointed to oversee each sector.
They will be able to levy fines and force companies to improve security.
The directive covers all kinds of cyber-incident, including ones targeting data theft or seeking to cause service outages, as per the ransomware campaigns WannaCry and NotPetya last year.
Also covered will be other IT threats such as power outages, hardware failures and environmental hazards, the government claimed.
The National Cyber Security Centre (NCSC) has released detailed guidance for such operators designed to help them comply with the new law.
It is split into four objectives: managing security risk; protecting against attacks; detecting security “events”; and minimizing the impact of incidents.
Key recommendations cover areas such as: access controls, data security, vulnerability management, network segregation and resilience, staff training, incident response, and supply chain security.
“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services,” said digital minister, Margot James.
“I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cybersecurity.”
Talal Rajab, head of programme, Cyber and National Security, at techUK, welcomed the new directive but warned that much work still needs to be done before the May deadline.
“However, we are particularly pleased to see that detailed guidance has already been published by the NCSC on the security measures that organizations need to adopt in order to comply,” he added.
“Operators of essential services must act now and take heed of this guidance, ensuring that the essential services that we rely on are cyber-resilient and secure.”
Rob Norris, head of enterprise and cybersecurity EMEIA at Fujitsu, argued that CNI organizations need to combine improved employee training with investments in security controls.
“In doing so, organizations can be on the front foot for proactively identifying and managing threats instead of waiting for breaches to happen,” he said.
“Even the best-run company could suffer from a hack or data breach. The ripple effects of an attack no longer stay within the four walls of an organization, and businesses of all sizes must rethink their approach and stop defying cybersecurity practices.”