Maida Oringher Lerner, Maarten Stassen, Michael G. Gruden, CIPP/G

The United Kingdom’s National Cyber Security Centre (“NCSC”) recently announced guidance under which industries could be fined up to $24 million (£17 million) for not having effective cybersecurity measures in place. The penalties apply to critical infrastructure sectors including energy, transportation, water and healthcare. While the U.K. government stated that these penalties will be “a last resort,” it will employ “sector-specific regulators” to monitor cybersecurity compliance across these critical infrastructure sectors.

Concurrently, the NCSC released Network and Information Systems (“NIS”) Guidance, which dovetails with the European Union’s NIS Directive and its EU bloc-wide cybersecurity compliance deadline of May 9, 2018. The NCSC’s guidance is based on “14 key principles” and aligns with current cybersecurity standards. The NCSC is due to provide a Cyber Assessment Framework by late April 2018, which should give critical industry a systematic methodology for demonstrating compliance with the 14 requisite cybersecurity principles.

Created in 2017, the NCSC functions as the cybersecurity technical expert and advisor to the U.K. government and industry. It serves as the point of contact for the United Kingdom’s NIS implementation efforts, and it is also the notification point of contact for all cyber-related incident reporting.