The Department for Digital Culture Media & Sport has issued the Government's response to the public consultation on the Security of Network and Information Systems.

The headlines are as follows:

  • The sanctions regime has been clarified with a single maximum financial penalty of £17m to cover all contraventions. There will be encouragement in the legislation to Competent Authorities to work with other relevant regulators to seek to address the potential for "double jeopardy" that might otherwise occur through the doubling up of fines.
  • The definition and identification thresholds of who is within the scope of the requirements of the Directive have been clarified.
  • The list of Competent Authorities has been issued, subject to final confirmation, and the distinction between their role and the role of the National Cyber Security Centre has been clarified.
  • 14 proposed high level security principles of general application have been issued to assist organisations to take appropriate decisions when implementing security measures.
  • The definition of "Digital Service Provider" has been refined.
  • Clarification has been provided as to the obligations on reporting incidents by operators of essential services