The Department for Digital, Culture, Media and Sport recently published the UK Cyber Security Framework proposals entitled “Security of Network and Information System”.

The consultation paper confirms that the UK intends to implement the EU Network Information Security Directive and following Brexit to continue to cooperate with the EU in respect of cyber security initiatives.

The consultation paper proposes that Operators of Essential Services will be subject to the new law and suggests that these critical infrastructure operators will include water, energy, transport, digital services and healthcare but surprisingly does not include civil nuclear operators nor over the top services nor major trading platforms such as the stock exchange and the London insurance market.

If the purpose of the new law is to increase the information security and other cyber risk protocols for critical infrastructure then it seems surprising that the current proposals narrowly define “Operators of Essential Services”.