
Monday, January 29, 2018

Cybersecurity

UK to fine companies up to £17 million for cybersecurity lapses

The UK government will fine companies in "critical industries" up to £17 million if they have woefully inadequate cybersecurity defences. The penalty system is a response to an EU directive, passed in August 2016, that was drawn up to ensure its member states are prepared for modern cyber attacks. Known as the NIS directive, it will be transplanted into UK law to protect health, energy, transport and digital infrastructure. The fines will be a "last resort," however, and take into account how co-operative the company has been with its relevant regulator, the actions taken to remedy the situation, and any other law that might have been breached.

The UK government consulted on its plans to introduce the fee system in August and September last year. It will apply to "operators of essential services," a term that varies depending on the industry. In the transport sector, for instance, it includes airport operators and harbour authorities with more than 10 million annual passengers.
