Essential services companies that fail to comply with the NIS Directive could face fines of £17 million for cyber security incidents
IT Governance, the leading provider of information security and data protection expertise, is urging organisations that operate in the essential services sector to start complying with the Network and Information Security (NIS) Directive.
This comes in response to consultation plans announced by UK Digital Minister Matt Hancock, which outline requirements and obligations in line with the NIS Directive and aim to help essential services businesses and infrastructure across the EU prepare for continually evolving risks and cyber threats.
Alan Calder, founder and chief executive officer of IT Governance, said: “The consultation announced today confirms that the UK government has committed to implementing the NIS Directive and therefore organisations operating within these critical sectors will be required to adopt risk management practices and report major incidents in line with the requirements of the Directive.”
The NIS Directive provides EU member states with legal measures to increase the level of cyber security, which will be adopted in UK legislation by May 2018, despite Brexit. It requires organisations within member states to implement these measures and build a security culture across all sectors vital to society and the economy.
The Directive sets out significant security obligations for organisations that supply essential services and operate in critical sectors such as energy, transport, banking, health or digital services.
Matt Hancock said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.”
The Directive introduces penalties that will be set at each member state's discretion, with the UK government warning of fines of up to £17 million or 4% of global annual revenue for organisations that fail to protect themselves from cyber attacks. Digital Service Providers (DSPs) and Operators of Essential Services (OESs) will face these penalties in addition to those imposed for data breaches under the General Data Protection Regulation (GDPR).
Organisations that are required to achieve compliance with the NIS Directive should urgently look into ways of reducing their cyber risks and implement incident reporting and business continuity management programmes.
IT Governance recommends that businesses start by achieving compliance with the international best-practice information security standard ISO 27001, combined with the international business continuity standard ISO 22301.
To find out how IT Governance can help organisations comply with the NIS Directive by implementing a cyber resilient management system based on ISO 27001 and ISO 22301, please visit our website, email or call +44 (0)845 070 1750.