Labour: businesses should have to report serious cyber attacks threatening UK national infrastructure

Out-Law News | 25 Mar 2014 | 12:27 pm

Businesses would have to report serious cyber attacks threatening UK national infrastructure if the Labour party was in government, the party has said.

Shadow defence secretary Vernon Coaker confirmed the plans during a speech at the Royal United Services Institute for Defence and Security Studies (RUSI) on Monday.

"New types of threat – such as cyber – will increasingly test the resilience of UK critical infrastructure networks," Coaker said. "In the face of increasing sophistication, serious questions need to be asked about the nature of the cyber threat facing the UK. What are the rules of engagement regarding cyber attacks? Does the concept of deterrence apply in cyber warfare as it does in conventional warfare? And is the MoD (Ministry of Defence) doing enough to recruit the skilled people it needs to enhance cyber defence capabilities? As we have seen with the recent cyber attacks on NATO websites during the crisis in Ukraine, this threat is now a reality."

"Labour has already called on the government to ensure that every company working with the MoD, regardless of its size or the scale of its work, signs up to a cyber-security charter. Building on this, we will also consult on the prospect of creating a statutory requirement for all private companies to report serious cyber-attacks threatening the UK’s national infrastructure," he said.

Proposed new EU rules designed to ensure operators of critical national infrastructure meet appropriate IT security standards, share information about threats, and report certain incidents they encounter where that security has been breached received the backing of the European Parliament earlier this month.

Banks, energy companies and telecoms providers would be among those subject to the new Network and Information Security (NIS) Directive under the plans backed by MEPs. However, MEPs backed amendments to the European Commission's original proposals to remove websites and other providers of 'information society services' from the scope of the new regime.

The Commission said that organisations subject to the NIS Directive should have to report "incidents having a significant impact on the security of the core services they provide" to regulators. The Parliament-backed plans included a definition of what is meant by an 'incident having a significant impact'. The definition proposed said: "an incident affecting the security and continuity of an information network or system that leads to the major disruption of vital economic or societal functions".