Firms could face fines of up to £17m or 4% of global turnover if they fail to protect themselves from cyber-attacks, the government has warned.
The crackdown is aimed at making sure essential services such as water, energy, transport and health firms are safeguarded against hacking attempts.
Firms will also be required to show they have a strategy to cover power failures and environmental disasters. Digital Minister Matt Hancock said any fines would be a last resort.
They would not apply to firms which had put safeguards in place but still suffered an attack, the Department for Digital, Culture, Media and Sport (DCMS) said.
‘Safest place in the world’
Mr Hancock, who is launching a consultation on the plans, said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack.”
The DCMS said firms that take cyber-security seriously should already have measures in place to prevent attacks or systems failures.
It said the consultation was aimed at determining how to implement the Network and Information Systems (NIS) directive which becomes law across the EU next May.
It is separate from the General Data Protection Regulations (GDPR), which are aimed at protecting data, rather than services.
The GDPR will replace the UK’s Data Protection Act 1998 from 25 May next year and the government has confirmed that the UK’s decision to leave the EU will not change this.
Earlier this year, NHS services across England and Scotland were hit by a large-scale cyber-attack that disrupted hospital and GP appointments.
And the threat to firms from cyber-attacks appears to have grown.
Nearly half (46%) of British businesses discovered at least one cyber-security breach or attack in the past year, a government survey earlier this year found.
That proportion rose to two-thirds among medium and large companies. Most often, these breaches involved fraudulent emails being sent to staff or security issues relating to viruses, spyware or malware.