The U.K. government has announced punitive measures against essential-services companies that fail to secure their networks, including fines of up to £17 million ($24 million).

The measures, announced as part of the U.K.’s implementation of the European Union network and information systems directive, covers companies providing services such as energy, transportation, water and healthcare. It also includes regulations that would allow government inspectors to inspect cybersecurity at those companies to ascertain whether they are taking appropriate measures to protect their networks.

The proposals may sound somewhat harsh, but the U.K. government is pitching its big-stick approach to private enterprises as being a way to ensure the companies are “prepared to deal with the increasing numbers of cyberthreats.”

The regulations not only require essential-services operators to report to the government any cybersecurity breach, no matter how small, but hardware failures will also need to be reported. The regulator would “assess whether appropriate security measures were in place” and then “issue legally binding instructions to improve security, and – if appropriate – impose financial penalties.”

Explaining that the regulations are in response to high-profile attacks in the past, Richard Henderson, global security strategist at Absolute Software Corp., told SiliconANGLE that “it’s clear this new directive was pushed forward after the substantial impact many attacks have had in recent years on public infrastructure and essential utilities. Wannacry’s disproportionate impact on the networks of the National Health Service is clearly not forgotten by the NCSC.”

Henderson added that the NCSC understands how complex and difficult it will be to prepare for all cyber security problems, and as a result, the guidelines are intentionally vague. “In practice, this gives OES’s significant freedom and latitude to design, build, and monitor their unique infrastructures in the ways they deem best,” he said, but it’s not yet clear if that will be enough.

“The fines themselves seem to be a last resort for the U.K. after continued failure by OES’s to improve and learn from incidents,” Henderson said. “It’s great that they’re being pragmatic in understanding that breaches and incidents in some fashion are going to happen and allowing organizations the ability to learn and improve from them. But at the same time, the lack of sharp teeth ready to take a giant financial bite out of an organization may give some the false sense that punitive enforcement is just a paper tiger.”

Image: Sstrobeck23/Wikimedia Commons