NHS Digital has welcomed new guidance that will see suppliers of critical services fined if they fail to enforce adequate protection against cyber-attacks.
Under new government guidelines targeting Britain’s critical industries, financial penalties of up to £17 million will be handed down to healthcare, transport and utility companies that do not implement “the most robust” cybersecurity measures.
The new measures are being enforced following a consultation by the National Cyber Security Centre (NCSC) into the UK’s essential services and infrastructure. They are based on 14 key principles centred on the European Commission’s Network and Information Systems (NIS) Directive, which becomes UK law in May.
The NIS Directive will apply to settings within Britain’s national healthcare sector, which includes NHS Trusts and Foundation Trusts.
In a statement sent to Digital Health News, NHS Digital said: “We welcome the introduction of the Directive for operators of essential services in the health sector.
“The Directive will help the sector continue to improve in the area of data security, maximising the benefits of the Data Security & Protection Toolkit and on site data security assessments.”
Under the guidance, sector-specific regulators will be set for health, energy, water, transport and digital infrastructure firms – such as internet service and telecommunications providers – to make it easier to report and act on IT failures and cyber-attacks.
In the event of a security breach, the regulator will assess whether the affected organisation had adequate cybersecurity measures in place. Regulators will have the power to hand organisations legally-binding instructions on how to improve their security and – in the most serious cases – impose fines.
NHS Digital said that it “holds itself to high standards in relation to securing both our infrastructure and the information of the millions of patients we are entrusted to hold.”
NCSC noted that financial penalties will only be issued as a “last resort” and would not be imposed on organisations that had suffered an attack despite working with regulators to improve cyber resilience.
While software and other service providers are not in scope of the directive, operators of essential services will be expected to hold their IT suppliers to account for the services they provide.
Ciaran Martin, CEO of NCSC, said: “Our new guidance will give clear advice on what organisations need to do to implement essential cybersecurity measures.
“Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible.”
The new guidance for British industries comes after a consultation by the Department for Digital, Culture, Media and Sport in 2017 that explored how to implement the NIS Directive in the UK, held following the WannaCry attack that affected swathes of Britain’s healthcare services.
The Directive, which comes into force on 10 May, requires all member states to have a national framework in place to deal with cybersecurity incidents. This includes having a national cybersecurity strategy, a computer security incident response team (CSIRT), and a national NIS competent authority.
NHS Digital said it was working with the Department of Health and Social Care (DHSC), as the competent authority, to “identify standards and areas where we can…help the operators of essential services within health comply with the directive.”
Margot James, Minister for Digital and the Creative Industries, said: “We are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online.
“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services.
“I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”
The UK Government’s Public Accounts Committee is due to examine evidence from the Department of Health, NHS England, NHS Improvement and NHS Digital on 5 February about their response to last year’s WannaCry incident.
Speaking during Digital Health’s Public Cybersecurity Conference in December, NHS England’s head of architecture, Inderjit Singh, said moving cybersecurity to the top of board-level agendas should be the focus of the NHS’s efforts in preventing future attacks.