Galvanising Cyber Security across UK's Essential Services: How the NIS Directive will drive security and safety enhancements

01 February 2018


Operators of Essential Services (OES) are experiencing disruption from a range of digitalisation and automation technologies. While some sectors like transport and utilities are transforming more rapidly than others to tackle disruption, OESs as a whole face two imperatives; be confident in the digital transformation of their enterprise and ensure their operational IT environment remains resilient and safe.

Increased interconnectivity within and between operational and corporate environments not only enables remote management and more agile development, it also increases the opportunities for cyber incidents to occur, which may potentially impact on, say, passenger or patient safety. Despite this, 54% of the 9,500 executives around the world that were surveyed by PwC in the 2018 Global State of Information Security Survey said they do not have an incident response plan in place.

Safety critical organisations need to be able to link cyber security risk with safety risk assessment processes in order to quantify the safety consequences of a cyber threat or vulnerability. Only through being secure and private by design and assuring for safety will these organisations obtain and sustain the public’s confidence. Also, without establishing a common cybersecurity framework, substantiating the safety and security of future systems will remain extremely difficult, and potentially dangerous. To address this, the UK government is acting to protect essential services from cyber attack. They will be transposing the EU Network and Information Systems (NIS) Directive into UK Law in May 2018, requiring Operators of Essential Services to demonstrate that they have proportionate and appropriate cyber security and safety activities, as well as effective incident management capabilities.

In the same way that GDPR comes with a stick, organisations who fail to implement effective cyber security measures could be fined as much as £17 million or 4% of global turnover, as part of plans to make Britain’s essential networks and infrastructure safe, secure and resilient against the risk of future cyber attacks.

The government wants to encourage a collaborative and proactive approach between the OESs and the competent authorities (e.g. Ofcom, CAA, DfT, and Ofgem), so that competent authorities can be assured that the OESs are effectively managing their cyber security risks.

Ahead of the law being implemented, the government’s timelines are as follows:

  •      Apr 2018: NCSC to publish the generic cross-sector security guidance and a Cyber Assurance Framework (CAF).
  •      Spring 2018: Competent authorities to indicate how OES should interpret the generic guidance and CAF for their own risk management procedures once the legislation goes live in May.
  •        Nov 2018: Competent authorities to produce further detailed sector specific guidance, intended to reflect the unique circumstances of each sector, and which will be prepared in consultation with designated OES and with the support of the NCSC.

OESs will only be required to have implemented guidance that exists and is published today. Where new guidance is produced moving forwards, OESs should be given enough time to incorporate the new guidance into their risk management and security measures.

The NIS Directive is an important part of the Government’s five-year £1.9 billion National Cyber Security Strategy to protect the nation from cyber threats and make the UK the safest place to live and work online. It will ensure essential service operators are taking the necessary action to protect their IT systems.

PwC is doing its part to build a secure digital society, find out more at