Security for digital infrastructure and cloud services in the spotlight thanks to new cybersecurity regulations.
Cloud computing, search engines, and the services that underpin the internet are to be considered part of the UK’s vital infrastructure, alongside clean water and power, under new rules aimed at boosting cybersecurity.
Under the European Union’s Network and Information Systems (NIS) directive, businesses that provide essential services will have to make sure their security is good enough to protect their network and information systems from attack, as well as having to notify the relevant authorities of serious incidents.
The regulations apply to critical national infrastructure — those basic services without which society will gradually grind to a halt.
These include healthcare, airlines, airports and air traffic control, ports, local and national rail networks, and road transport authorities. They also cover the supply and distribution of drinking water; electricity sale, distribution and transmission; oil production, refining and treatment; and gas supply, storage, sales, and distribution.
The most eye-catching feature of the guidance published by the UK government is the threat of fines — up to £17m — for companies that suffer a breach and are shown to have failed to put effective cybersecurity measures in place. But perhaps more interesting is the recognition that cloud computing and other digital services are now considered essentials too.
That’s because the directive also covers a number of digital services, and requires top-level domain (TLD) name registries, domain name services (DNS) and internet exchange point (IXP) operators to comply.
Cloud computing services providers, online marketplaces, and search engines will be covered by the NIS directive, although regulation is lighter, as regulation and enforcement can only be applied after an incident, and companies with fewer than 50 staff or an annual turnover of less than €10m are excluded.