Critical infrastructure firms face crackdown over poor cybersecurity

By Eerke Boiten

Published 31 January 2018

An EU-wide cybersecurity law is due to come into force in May to ensure that organizations providing critical national infrastructure services have robust systems in place to withstand cyberattacks. The legislation will insist on a set of cybersecurity standards that adequately address events such as last year’s WannaCry ransomware attack, which crippled some ill-prepared NHS services across England. But, after a consultation process in the U.K. ended last autumn, the government had been silent until now on its implementation plans for the forthcoming law. A set of 14 guiding principles were drawn up, with the NCSC providing detailed advice including helpful links to existing cybersecurity standards. However, the cyber assessment framework, originally promised for release in January this year, won’t be published by the NCSC until late April – a matter of days before the NIS comes into force. Nonetheless, the NIS directive presents a good drive to improve standards for cybersecurity in essential services, and it is supported by sensible advice from the NCSC with more to come. It would be a shame if the positive aspects of this ended up obscured by hype and panic over fines.

The NIS Directive (Security of Network and Information Systems) was adopted by the European Parliament in July 2016. Member states, which for now include the U.K., were given “21 months to transpose the directive into their national laws and six months more to identify operators of essential services.”

The Department for Digital, Culture, Media and Sport (DCMS) finally slipped out its plans on a Sunday, but – given its spin on fines – it doesn’t seem as though the government was attempting to bury the story.

Interesting spin
The DCMS warned – in rather alarmist language – that “organizations risk fines of up to £17m if they do not have effective cybersecurity measures” in place. There are echoes of the EU’s General Data Protection Regulation (GDPR) here, since the figure matches the GDPR’s €20m (£17m) maximum penalty – though the option to fine 4% of turnover under NIS as well was dropped after consultation.

However, exorbitant penalties have been used as a scare tactic by GDPR snake oil salesmen, despite clear statements from the Information Commissioner’s Office (ICO) indicating a cautious regime. Did the DCMS mean to invite overblown headlines about the NIS directive, too?