Government consults on implementation of cyber security directive

The government is seeking views on implementation of the EU Network and Information Systems (NIS) Directive. The government says it supports the aims of the Directive and sets out in this consultation the proposed implementation approach in the UK.

The consultation covers:

• The essential services the Directive needs to cover (drinking water, energy, health sector etc.)
• The penalties
• The competent authorities to regulate and audit specific sectors
• The security measures proposed
• Timelines for incident reporting (72-hour limit)
• How this affects Digital Service Providers.

The government is proposing a multiple competent authority model. In the digital service providers sector (cloud services, online marketplaces, and search engines), the competent authority would be the Information Commissioner’s Office; in other sectors, different regulators would act as the competent authority.

The government proposes that the penalty regime would be similar to that of the EU General Data Protection Regulation (GDPR).

The consultation is open until 30 September. See