The Network and Information Systems (NIS) directive is due to be implemented from May 2018, and is being considered today in a consultation by the Department for Digital, Culture, Media and Sport.
Organisations the proposed legislation will affect include those involved in transport, digital infrastructure, water, energy, electricity and health.
The directive is part of the government’s five-year cyber security plan, the £1.9bn National Cyber Security Strategy.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” said Matt Hancock, minister for digital.
Fines under the directive would be imposed on operators that have failed to assess the risks adequately, have not taken appropriate security measures and have not engaged with a competent authority.
Where the appropriate steps have been taken but an attack has still occurred, the operator will not be held accountable.
The fines will apply to a loss of service by an operator, not to a loss of data; the latter is covered by the General Data Protection Regulation (GDPR), which will be brought under UK law.
In May, the NHS suffered a catastrophic cyber attack when the WannaCry ransomware infected the health service's systems.
Last month, Petya ransomware (also referred to as NotPetya) attacked computers in 65 countries and caught out some of the world's most high-profile companies; reports suggested that its spread was helped by tax accounting software.
Meanwhile, security minister Ben Wallace warned about the lack of preparedness among businesses and consumers when it comes to protecting themselves from cyber attacks.