Organisations that breach new UK cybersecurity laws could be fined more than once by different regulators in relation to the same security breach, the UK government has admitted.
The Department for Digital, Culture, Media and Sport (DCMS) made the admission in a paper setting out its plans to transpose the EU's Network and Information Security (NIS) Directive into UK law (35-page / 286KB PDF).
DCMS' paper constituted the government's response to industry feedback on a consultation it ran last year on the proposed implementation of the Directive. In it, the department confirmed the criteria that will define whether organisations across the sectors covered by the rules are considered 'operators of essential services' and therefore subject to the requirements of the new laws. The criteria for determining which organisations qualify as 'digital service providers' are set out in the NIS Directive itself.
Keep in mind that the focus of the new directive is mainly the industrial control side for UK companies that fall within the scope of the critical network infrastructure of the UK, i.e. what the impact to the UK would be if some or all energy sectors were hit by a major cyberattack on the energy flow to UK citizens.