Energy, transport, water and health companies are expected to have “the most robust safeguards”.
Regulators will be able to inspect cyber-security at such companies, under a new government directive.
In August last year, former Digital Minister Matt Hancock said imposing the fines would be a “last resort”.
At the time, the penalties were part of plans subject to a consultation that has now been completed.
“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services,” said the current Minister for Digital, Margot James.
Guidance for companies working in the relevant sectors has been published by the National Cyber Security Centre.
The government said the new rules would be effective from 10 May and cover breaches including disruptive ransomware outbreaks, such as the WannaCry attack that hit many NHS facilities in May 2017.
“With so many nations, including the UK, now relying on digitalisation, hackers may look to cause mass disruption by targeting critical national infrastructure,” said Jens Monrad, at cyber-security company FireEye.
“This could be systems, which the UK government and citizens rely on, like healthcare systems, water supply and electricity.”
Mr Monrad added FireEye had recently detected new strains of malicious software designed to manipulate industrial safety systems.