UK energy companies face £17m fines for poor cybersecurity
Government penalties come amid fear of nation state cyber attacks


The government confirmed yesterday that it will issue multi-million pound fines to companies who fail to protect the UK's infrastructure from foreign state cyber attacks.
Health, transport, water and energy companies could face fines of up to £17 million if they do not take effective action to prevent cyber attacks and breaches of Britain's critical infrastructure, as part of the government's new Network and Information Systems (NIS) directive.
"Today we are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online," said Margot James, minister for digital and the creative industries. "We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services."
"I encourage all public and private operators in these essential sectors to take action now and consult NCSC's advice on how they can improve their cyber security."
The new measures, which come into force on 10 May, include an easy-to-use reporting system for security breaches and other IT issues, allowing firms to quickly alert new industry-specific regulatory bodies to any problems.
These regulators will be able to compel companies to improve their security, and will also be able to levy the fines if necessary.
Fines will be issued as a last resort only, the government said, and organisations that have taken all of the appropriate security preparation measures and collaborated with regulators will not be at risk of such penalties.
The decision comes after proposals for NIS were drawn up and put out to consultation in August. The UK is growing more alert to state actor hacking efforts, amid various countries suffering attacks on their critical infrastructure.
With Russia accused of interfering in the US 2016 presidential election, France withdrew an electronic vote amid fears it could be sabotaged by hackers in June 2017. Meanwhile, an attack dubbed BlackEnergy wiped out much of Ukraine's power grid in 2015, before a similar attack a year later.
In order to help companies comply with the new directive, the National Cyber Security Centre (NCSC) has released in-depth guidance regarding which organisations need to comply, and how to do so.
"Our new guidance will give clear advice on what organisations need to do to implement essential cyber security measures," said NCSC CEO Ciaran Martin. "Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible."
Martin warned in an interview with the Guardian that such an attack on the UK's vital infrastructure is inevitable, stating that "it is a matter of when, not if".
The new regulations come less than a week after UK defence secretary Gavin Williamson warned that a successful Russian attack on Britain's energy network would cause "total chaos" and "thousands of deaths".
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.