New laws surrounding cybersecurity in the UK came into effect earlier this year – and businesses that fail to comply with the regulations could be fined up to £17m.
In May 2018, the UK government rolled out the EU’s latest Network and Information Security (NIS) Directives in an attempt to protect the nation’s economy, public safety and adverse social impacts that can come under threat by the risk of cyber attacks.
The revised directives are aimed at improving resilience across five critical sectors that provide services to Britain’s infrastructure; water, energy, health, transport and digital service providers.
It’s crucial that UK firms understand their obligation in relation to NIS Directives and take the appropriate measures to mitigate the growing threat of cyber attacks.
What does the NIS mean for UK businesses?
For organisations to remain compliant with the new cyber security regulations, UK businesses are obliged to conduct thorough risk assessment tests, install advanced threat detection systems, prioritise security analysis, and understand the dependencies between systems.
The government has said that UK companies should examine their services immediately and register with the competent authority’s Information Commissioner’s Office (ICO) to identify yourself by 1 November 2018.
The companies that are obligated to register are those considered to provide ‘essential services’ under the new regulations. It should also be noted that the NIS Directives may not apply to all operations within an organisation.
It is important for companies to understand which critical services could have a widespread impact, either internally or externally. However, it is not clear how many businesses will actually be responsible for implementing regulations in accordance with NIS.
Firms that fail to comply with the terms of the NIS directives will be liable to pay fines of up to £17million. Penalties are calculated at 4% of the company annual turnover.
Mike Hulett, Head of Operations at Britain’s National Cybercrime Unit report that around half of all recorded crime in the UK involves some form of cyber activity.
There has been numerous examples of cyber attacks against firms that are responsible for national infrastructure in mainland Europe, and 68% of critical UK businesses have been the subject of cyber security attacks or breaches in the last 18 months.
Experts predict that attacks on critical infrastructure are to set to increase – by as much as 100% in the next two years. An increase in connected devices and a shortage of digital skills in critical sectors has raised growing concerns among policy makers.
The NIS Directives came into effect on 10 May 2018, but UK firms have been given a 12-month bedding in period to implement appropriate systems – estimated to cost a total of £4.1m.
Early estimates say at least 432 UK businesses will be affected by the NIS Directive. However, other companies may be affected. If your organisation has a contract with a public authority or is directly covered by NIS Regulations, you should seek legal, commercial and operational advice immediately.
ICLG is committed to providing legal advice and assistance to UK businesses. Our experienced partners can help ensure you meet compliance with NIS Directives. For expert advice, call us now on 207 367 0720.