DCMS waves cyber security stick over essential services

Department’s proposals include tough sanctions for organisations found to have neglected cyber security when suffering a loss of service

NHS organisations could be liable for heavy fines for failings in cyber security under new proposals announced by the Department for Digital, Culture, Media and Sport (DCMS).

Healthcare has been listed among a number of services deemed as essential under the Network Information Systems (NIS) Directive – due to be implemented in May of next year – and in which organisations that lose services due to shortcomings in cyber security could be subject to sanctions.

Other sectors affected include electricity, water, energy, transport and digital infrastructure.

DCMS said the NIS Directive – part of the National Cyber Security Strategy – will compel essential service operators to make sure they are taking the necessary action to protect their IT systems. It relates to loss of service rather than loss of data, which falls under the General Data Protection Regulations (GDPR).

Its proposal – which has been put out for consultation – includes scope for fines of up to £17 million or 4% of global turnover, although it said the fines would be a last resort and would not apply to operators that take appropriate security measures but still suffer an attack.

Operators' obligations

Operators will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.

DCMS said that any operator that takes cyber security seriously should already have such measures in place.

Minister for Digital Matt Hancock said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.

“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”

The Government is planning to hold workshops with operators so they can provide feedback on the proposals.