UK to fine companies up to £17 million for cybersecurity lapses

It's to ensure companies in 'critical industries' are ready for the next WannaCry.
Nick Summers, @nisummers
January 29, 2018
Jack Taylor via Getty Images

The UK government will fine companies in "critical industries" up to £17 million if they have woefully inadequate cybersecurity defences. The penalty system is a response to an EU directive, passed in August 2016, that was drawn up to ensure its member states are prepared for modern cyber attacks. Known as the NIS directive, it will be transplanted into UK law to protect health, energy, transport and digital infrastructure. The fines will be a "last resort," however, and take into account how co-operative the company has been with its relevant regulator, the actions taken to remedy the situation, and any other law that might have been breached.

The UK government consulted on its plans to introduce the fee system in August and September last year. It will apply to "operators of essential services," a term that varies depending on the industry. In the transport sector, for instance, it includes airport operators and harbour authorities with more than 10 million annual passengers. The category can also apply to mainline railway operators, large passenger and freight water transport companies, and international rail services. In the "digital" realm, it covers Top Level Domain (TLD) name registries, Domain Name Services (DNS) service providers and Internet Exchange Point (IXP) operators.

Operators of essential services (OES) will need to report cybersecurity incidents above a yet-to-be-determined threshold to their relevant Competent Authority (CA). These government-appointed regulators vary by industry: Ofcom will handle digital infrastructure, for instance, while the Secretary of State for Environment, Food and Rural Affairs (Defra) — supported by the Drinking Water Inspectorate — will deal with water supply and distribution. "Digital Service Providers," which include search engines, online marketplaces and cloud computing services, will need to report similar incidents to the Information Commissioner's Office (ICO). It's not clear, however, whether they fall under the same fine system as OES.

"The Government can reassure Digital Service Providers that both it, and the Competent Authority will approach implementation of the NIS Directive in a reasonable fashion," the government said in a consultation document last weekend. "Companies will be given time to implement the requirements of the Directive." Guidance on the NIS Directive has been released by the National Cyber Security Centre. The rules come into effect on May 10th and will, the government hopes, minimise the next WannaCry and persuade companies to keep up with best cybersecurity practices.
