The UK government consulted on its plans to introduce the fee system in August and September last year. It will apply to "operators of essential services," a term that varies depending on the industry. In the transport sector, for instance, it includes airport operators and harbour authorities with more than 10 million annual passengers. The category can also apply to mainline railway operators, large passenger and freight water transport companies, and international rail services. In the "digital" realm, it covers Top Level Domain (TLD) name registries, Domain Name Services (DNS) service providers and Internet Exchange Point (IXP) operators.
Operators of essential services (OES) will need to report cybersecurity incidents above a yet-to-be-determined threshold to their relevant Competent Authority (CA). These government-appointed regulators vary by industry: Ofcom will handle digital infrastructure, for instance, while the Secretary of State for Environment, Food and Rural Affairs (Defra) — supported by the Drinking Water Inspectorate — will deal with water supply and distribution. "Digital Service Providers," which include search engines, online marketplaces and cloud computing services, will need to report similar instances to the Information Commissioner's Office (ICO). It's not clear, however, if they fall under the same fee system as OES.
"The Government can reassure Digital Service Providers that both it, and the Competent Authority will approach implementation of the NIS Directive in a reasonable fashion," the government said in a consultation document last weekend. "Companies will be given time to implement the requirements of the Directive." Guidance on the NIS Directive has been released by the National Cyber Security Centre. The rules come into effect on May 10th and will, the government hopes, minimise the impact of the next WannaCry and persuade companies to keep up with best cybersecurity practices.