UK to fine companies up to £17 million for cybersecurity lapses

The UK government will fine companies in “critical industries” up to £17 million if they have woefully inadequate cybersecurity defences. The penalty system is a response to an EU directive, passed in August 2016, that was drawn up to ensure the EU's member states are prepared for modern cyber attacks. Known as the NIS directive, it will be transplanted into UK law to protect health, energy, transport and digital infrastructure. The fines will be a “last resort,” however, and will take into account how co-operative the company has been with its relevant regulator, the actions taken to remedy the situation, and any other law that might have been breached.

Source: UK to fine companies up to £17 million for cybersecurity lapses
