As part of plans to improve the U.K.'s cybersecurity, operators of essential services that rely on IT systems including NHS trusts, utilities, gas and oil companies, road authorities and train operators, could be fined if they fail to assess their cyber risk and take appropriate protections.
Under the proposal these operators will also have to report any incidents that affect the security or integrity of their digital infrastructure within 72 hours.
The proposals are part of a consultation around a new Network and Information Systems (NIS) Directive to protect the U.K.’s digital economic and social infrastructure and form part of the government’s £1.9bn ($2.47bn) National Cyber Security Strategy.
The proposed regulations are also designed to bring U.K. law in line with a European NIS Directive that comes into force next year.
Major attacks, including the recent WannaCry ransomware that locked computers belonging to the NHS and FedEx among others, as well as the growing threat of state sponsored attacks, has pushed cybersecurity up the business agenda.
