The government has announced that it will incorporate an EU law imposing larger punishments on ‘essential services’ that are not prepared for cyber-attacks. These essential services include energy, health, transport and water, and the move indicates a new direction for cyber security laws.
Although the UK voted to leave the EU earlier this year, the government has decided to incorporate the National Cyber Security Strategy from the EU’s Network and Information Systems (NIS) Directive, which it hopes will be in effect by May 2018. The countries in the EU must incorporate this law into their national laws by May 2018. The UK government’s enthusiasm for an EU law illustrates the prominence of cyber security in today’s government.
The larger punishments mainly take the form of higher fines of up to £17 million or 4% of the organisation’s turnover, whichever is higher. The fines come in two bands so that they are fair and proportionate. Digital Minister Matt Hancock describes the need for ‘our essential services and infrastructure’ to be ‘more resilient’. This is part of the government’s five-year £1.9 billion National Cyber Security Strategy. It ensures organisations incorporate staff training, amongst other adaptations, into their policies.
This new direction for the legal management of cyber security shows how the law adapts and changes in response to different challenges to our cyber system.