UK businesses could get hit with £17M fine for data breaches

As part of the EU's Network and Information Systems Directive, businesses will have to improve their ability to prevent attacks and alert authorities if they happen.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • UK firms in the energy, transport, water, and health sectors could face up to a £17 million fine if they aren't properly protected against cyberattacks.
  • As part of the European Union's Network and Information Systems Directive, regulators will be appointed to determine a company's level of cybersecurity preparedness.

If UK business leaders in certain industries don't prioritize their firm's cybersecurity, it could cost them millions.

Under the European Union's Network and Information Systems (NIS) Directive, companies in the energy, transport, water, and health fields could be slapped with a £17 million fine if they aren't properly protected against cyberattacks. The UK government detailed the new fine in a Sunday press release.

According to the release, sector-specific regulators will be appointed to make sure that these "essential services" are protected from cyberthreats. Within these industries, the regulators will seek to determine whether company plans are "as robust as possible," the release said.

For businesses operating in the UK, or dealing with UK citizen data, it is imperative that the new directive is reviewed and its core issues are addressed in their security policy. The directive will also address issues like power outages, environmental hazards, and hardware failure, the release said.

In addition to being prepared, these companies will also have to report any potential breaches they encounter. A simple new reporting system will be put in place so these businesses can follow the proper chain of command for incident disclosure.

"These incidents would have to be reported to the regulator who would assess whether appropriate security measures were in place," the release said. "The regulator will have the power to issue legally-binding instructions to improve security, and - if appropriate - impose financial penalties."

Margot James, minister for digital and the creative industries, said in the release that the new initiatives aimed to "ensure the UK is the safest place in the world to live and be online." James also said the UK government wants essential services and infrastructure to "be primed and ready" for outages, or to respond to major cyberattacks.

There are 14 key principles that the companies will be measured against. Those principles are available in the official UK government guidance here.

According to the release, a fine would be the last resort for an out-of-compliance firm, and £17 million would be the maximum amount.

"Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible," National Cyber Security Centre CEO Ciaran Martin said in the release.

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.