Currently, only some energy businesses in Britain are subject to cyber regulation. In this respect, the Network and Information Systems (NIS) Regulations 2018 apply to operators of ‘essential services’, which must keep their networks and information secure and notify security incidents to Ofgem when they occur.
However, at a time when Britain’s energy system is becoming more decentralised owing to the increase in renewable energy generation, the government and Ofgem said the current requirements need to be expanded upon to ensure the entire system is resilient against cyber risks.
In a consultation open until 22 May, they set out two ways they intend to achieve that.
On the one hand, all energy businesses licensed by Ofgem – which number more than 1,400 currently – will need to meet certain baseline cybersecurity requirements. The government and Ofgem propose to require licensees to adhere to the existing Cyber Essentials scheme, which sets standards around things like firewalls, access controls, malware protection and security patching. Additional measures, including around systems separation, training, supply chain security, and incident response and recovery, could also be included in the baseline requirements, according to the consultation.
On the other hand, the government and Ofgem believe it is necessary to review how the NIS regime applies amidst their concern that the current framework “may not accurately reflect the range of essential services and operators that are critical for the downstream gas and electricity system of the future”. They have commissioned the National Energy System Operator (NESO) to advise on whether the type of operators that can be classed as operators of ‘essential services’ in the downstream gas and electricity market, under NIS, should be expanded – and/or whether the thresholds should be adjusted to bring a greater number of operators within scope.
The government’s powers to amend the NIS framework through secondary legislation are provided for in a bill that is currently subject to the UK parliamentary process. The Cyber Security and Resilience Bill would have an impact across sectors, but it contains proposals that would, if implemented, strengthen NIS requirements in the energy sector and expand their scope.
“This consultation shows the importance regulators put on cybersecurity, recognising that cyber risks affect all businesses in the sector, and not just those existing operators of essential services,” said cyber expert Stuart Davey of Pinsent Masons. “As we progress through this year, we expect to see further consultations about the future of the regulatory landscape following the implementation of the Cyber Security and Resilience Bill.”
A set of “intermediate cyber requirements” – sitting in the “significant gap” between the proposed baseline requirements and the enhanced NIS regime – could be introduced in future, according to the government and Ofgem.
A cyber attack on Poland’s energy system late last year – where wind and solar farms were among around 30 renewable energy assets targeted – was cited in the consultation paper as an example of the cyber threat facing Britain’s energy system and as “clear evidence of adversaries’ shifting focus”.
“Whilst it was ultimately unsuccessful in disrupting energy supplies, it could have impacted over 500,000 customers,” the government and Ofgem said. “The attack demonstrates a clear move towards coordinated disruption to the energy sector through distributed renewable assets and both IT and [operational technology] environments. This was not deemed to be a sophisticated attack; the actor was able to use a variety of vulnerabilities and circumnavigate weak defences to infiltrate systems, most of which could have been prevented by cyber hygiene.”
The UK’s National Cyber Security Centre (NCSC) has said four “nationally significant” cyber attacks are carried out every week. It handled a record number of such incidents last year – 204 compared to 89 in 2024.