New Articles
  August 14th, 2017 | Written by

UK Transportation Providers Could Be Fined For Cyber Failings

[shareaholic app="share_buttons" id="13106399"]


  • Proposals in UK being considered as part of consultation to protect essential services.
  • UK considering new fines for essential service operators with poor cyber security.
  • UK cyber fines could be as much as £17 million or four per cent of global turnover.

Organizations in the United Kingdom that fail to implement effective cyber security measures could be fined as much as £17 million or four per cent of global turnover.

It’s part of plans undertaken by the Department for Digital, Culture, Media and Sport to make the UK’s networks and infrastructure resilient against the risk of future cyber attacks.

Transportation providers are among the operators who would be subject to the increased fines. Electricity, water, energy, health, and digital infrastructure providers are also in the crosshairs of the new proposed regulation.

Fines would be a last resort, according to the department, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.

“We want the UK to be the safest place in the world to live and be online,” said Minister for Digital Matt Hancock, “with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.”

The consultation is part of a process to implement the Network and Information Systems (NIS) Directive which will take effect in May 2018. The NIS Directive relates to loss of service rather than loss of data and falls under the EU General Data Protection Regulations (GDPR).

The NIS Directive forms part of the government’s five-year £1.9 billion National Cyber Security Strategy. It will compel essential service operators to make sure they are taking the necessary action to protect their IT systems.

Operators will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.

The government will be holding workshops with operators so they can provide feedback on the proposals.