Government Introduces Measures to Protect Essential Services From Cyber Attack

The Department for Digital, Culture, Media and Sport (DCMS) has released its response to the Consultation on the Security of Network and Information Systems Directive.

The full response to the consultation can be viewed here. Guidance from the National Cyber Security Centre (NCSC) can also be viewed here.

There have been a number of minor changes made to the proposed framework for implementing the Directive, including:

  • The maximum fines for breaches have been capped at £17 million;
  • The role of the NCSC is set out more clearly: it has a technical advisory and support role, separate from that of the Competent Authorities;
  • Confirmation of an approach with multiple Competent Authorities overseeing relevant sectors they are familiar with. The ICO will remain the Competent Authority for the digital sector;
  • Further clarity on the definitions of Digital Service Providers (DSPs), particularly in terms of cloud services; and
  • A clearer and more realistic approach to timescales for compliance, with guidance from Government that Competent Authorities should take into account organisations transitioning in the first year.

Talal Rajab, Head of Programme, Cyber and National Security, techUK, comments:

“It is important that the UK’s critical infrastructure remains resilient to the growing cyber threat. That is why we welcome the robust plan put forward by the Government for the implementation of the Network and Information Systems Directive (NIS Directive).

“More work still needs to be done, particularly with the 10 May deadline looming large, including the need for further details on the resources being made available to the various Competent Authorities and their respective legislative powers. However, we are particularly pleased to see that detailed guidance has already been published by the NCSC on the security measures that organisations need to adopt in order to comply.

“Operators of essential services must act now and take heed of this guidance, ensuring that the essential services that we rely on are cyber resilient and secure.”

techUK will be providing a more detailed analysis in the coming days and will be engaging with its members and Government in the months leading up to May.