Futureproofing cyber regulation

Publication type:
Blog
Publication date:
Topic:
Cybersecurity
Industry sector:
Carbon capture and storage,
Distribution Network,
Generation and Wholesale Market,
Long duration electricity storage,
Offshore Transmission Network,
Supply and Retail Market,
Transmission Network

This blog post reflects Ofgem and DESNZ's joint early policy thinking on a whole-system approach to strengthening downstream gas and electricity cyber resilience.

The UK’s energy system is changing fast. Clean power ambitions are driving rapid growth in wind, solar, battery storage and more. Flexible resources are now essential to manage this complexity, and they are opening up further opportunities for development.

Transformation brings great opportunity, but it also changes the risk landscape. Recent cyber incidents demonstrate this, with organisations facing a spectrum of adversaries, from opportunistic attackers looking to exploit any vulnerability they find to highly organised groups with strategic motives. Given this, every organisation, regardless of its size, needs to be prepared. Cyber resilience protects your business’s finances, stability and reputation.

Energy systems in transition

As our energy system evolves and more operators join the grid, we need to ensure that every operator contributes to system resilience and that all new and evolving infrastructure is built in a way that is Secure by Design.

This transition from a traditional, centralised energy system to a highly integrated, distributed, and flexible system where rapid dispatch of a diverse range of assets is paramount, changes the technology landscape and how we need to protect it.

If you are a new or expanding operator within downstream gas and electricity you have a great opportunity to get ahead of potential risk, safeguarding your operations now for the future and strengthening the resilience of our energy system.

The evolving threat landscape

The cyber threat to the UK is intensifying, with our adversaries seeking outcomes ranging from financial gain to pre-positioning (a tactic in which attackers infiltrate systems in advance to enable future attacks), espionage, and disruptive and destructive attacks. The National Cyber Security Centre handled over 200 nationally significant cyber attacks in the past year, with the potential to substantially impact the UK’s national security and economy, including threats to essential services and sensitive data. Across the wider business landscape, in the past year 50% of small businesses, 67% of medium-sized businesses and 74% of large businesses reported experiencing a cyber attack or breach. In utilities specifically, the average cost of a significant cyber incident has been estimated to exceed £210,000, and cyber ranks amongst the top risks across the sector.

Ransomware attacks continue to pose the most immediate and disruptive threat, with some state-linked cyber groups now targeting the industrial control systems that infrastructure relies on. Commercial and sensitive data continues to be attractive to threat actors. Recent incidents across the globe show how real these risks are.

As the sector decarbonises and digitalises, comprehensive cyber resilience is more important than ever. Unless transformation is delivered securely, the high interconnectivity of the future energy system means a single vulnerability, once successfully exploited by an attacker, could cascade across the whole system. Furthermore, an attack against any one organisation in the energy sector has potentially far-reaching consequences.

The current cyber regulatory regime is strengthening the cyber resilience of the most critical energy operators, but there is more to be done to protect the highly distributed, digitalised and interconnected system of the future.

Regulation: progress and gaps

The Network and Information Systems (NIS) Regulations, introduced in 2018, set a framework for improving cyber resilience in critical sectors such as downstream gas and electricity. NIS applies to the most critical operators delivering essential services above certain thresholds. These services and thresholds were set nearly a decade ago, before today’s distributed, digitised energy system. As a result, many organisations that will play a crucial role in the future energy system are not in scope of formal regulatory requirements.

With the changes needed in the energy system to achieve net zero, our approach to supporting energy organisations with their cyber resilience also needs to change. We need to go further, setting appropriate and proportionate standards for cyber resilience across the whole energy sector.

Why collaboration matters: the Quad Partnership

No single organisation can tackle this challenge alone. That’s why Ofgem as an independent regulator, DESNZ (Department for Energy Security and Net Zero) as the lead government department for energy security, NESO (the National Energy System Operator) with its expanded role on energy security and resilience, and NCSC (the National Cyber Security Centre) as the centre for expertise on cyber have joined forces through the Energy Cyber Quad to strengthen cyber resilience across the energy system.

One of the targets under the cross-government energy cyber strategy is to set clear expectations for the cyber resilience of all operators, not just the largest, improving the security of the whole system.

A different approach to cyber resilience

Ofgem and DESNZ are doing some early policy thinking on potential models for the future of cyber oversight in downstream gas and electricity. Our starting point, which we will test and refine via a consultation, is based on:

  • baseline cyber resilience requirements for all Ofgem licensees, which should be low burden to implement and aim to protect operators from the most common cyber attacks
  • targeted cyber resilience requirements for the most significant operators, which should be proportionate to the system impact of different operators

Working together to safeguard resilience

Over the coming months, we will be engaging with the sector to:

  • support you in understanding current and evolving cyber risks and the impacts they can have on your business
  • ensure you are well equipped to understand the current regulatory regime and assess whether you fall within its scope
  • ensure you are engaged in early policy thinking related to the future of cyber resilience requirements in downstream gas and electricity and supported in preparing for it
  • encourage you to participate in shaping policy development

If you are an energy operator or relevant stakeholder with an interest in the future of cyber resilience requirements in downstream gas and electricity, sign up for one of our planned workshops using the links below.

Share your insights, find out how you may be impacted by future changes, and let’s work together to ensure the UK’s energy system is secure, resilient, and ready for the future.

Register for our workshops:

Register for workshop 1 - Tuesday 27 Jan 2026 • 11am to 12:30pm

Register for workshop 2 - Thursday 12 Feb 2026 • 11am to 12:30pm