Businesses in the UK could face up to £122 billion in regulatory penalties for cybersecurity breaches when new EU legislation comes into effect in 2018, says the PCI Security Standards Council (PCI SSC).

In two years new EU legislation will set regulatory fines at four per cent of global turnover, up to EUR20 million, up from the current £500,000.

Government figures show that 90% of large organisations and 74% of SMEs in the UK reported suffering a security breach last year, leading to an estimated total of £1.4 billion in regulatory fines.

If breaches continue at the same level when the new rules come in, the fines paid to the European regulator could see a near 90-fold increase, to £122 billion. For large organisations, this could mean regulatory fines for cybersecurity breaches soaring to £70 billion, equating to the average per organisation of £11 million. Regulatory fines for SMEs could see a 60-fold increase, rising to £52 billion, averaging £13,000.

Jeremy King, international director, PCI Security Standards Council, says: "The new EU legislation will be an absolute game-changer for both large organisations and SMEs. The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.

"Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand."