
UK issues cybersecurity directive for operators of essential services

Banks in United Kingdom

Following the EU’s Directive on security of network and information systems (the NIS Directive), the United Kingdom government will now penalise operators of essential services that fail to meet the required cybersecurity standards. The directive sets out 14 principles built around prevailing global standards and guidance. Fines, which can reach £17 million, are intended as a last resort and will take into account the level of cooperation a company has shown with its regulator, termed its Competent Authority. Critics, however, argue that the weakness lies in the scope of the term ‘Operators of Essential Services’. Although the memorandum defines these essential services as covering health, energy, transport and digital infrastructure, it leaves out government, chemicals, food and agriculture.

The directive, issued by the Department for Digital, Culture, Media and Sport, is based on the UK government’s proposals published in August last year for transposing the NIS Directive. Although on the verge of Brexit, the UK government had agreed to implement the EU’s NIS Directive to secure its technology, data and networks. A list of Competent Authorities is being prepared; they will act as regulators and oversee incident reporting. Powers will be separated between these Competent Authorities and the National Cyber Security Centre (NCSC). The NCSC will act as the Computer Security Incident Response Team (CSIRT) in an advisory capacity and will not have enforcement powers over digital service providers.

The level of penalty will vary between sectors, and Competent Authorities will consider qualifying factors when penalising companies. The directive also sets out the incident reporting procedure: regulators will determine the level of impact of an incident on the basis of the number of users affected, the duration of the incident and its geographical spread. The directive’s thresholds are framed around national security, potential threats to public safety, and the likelihood of a substantial adverse social or economic impact resulting in large losses.