The UK government is looking to strengthen cybersecurity in the energy sector in Great Britain with proposals to extend cyber resilience requirements across downstream gas and electricity. The two key proposals are to introduce baseline cyber resilience requirements for all downstream gas and electricity Ofgem licensees and to implement the highest resilience standards for the most critical downstream gas and electricity entities.
The joint DESNZ and Ofgem consultation: Reshaping cyber regulation in downstream gas and electricity closes for comments on 22 May 2026.
Extending the scope of the NIS framework
The Network and Information Systems Regulations 2018 (NIS framework) contain the UK's core cybersecurity requirements for operators of essential services, including in the energy sector. At present, the NIS framework applies to organisations that either meet the relevant threshold for the service they provide or have been designated by regulators because of their significance. The consultation proposes to update the list of essential services and thresholds so that downstream gas and electricity participants that can materially impact energy system stability are brought within scope. This includes entities playing a critical role in downstream gas and electricity activities that are not licensed by Ofgem, although it excludes the energy supply chain, which is being considered in a separate workstream. NESO will also advise Ofgem and DESNZ on which services are critical and on appropriate thresholds.
Amendments to the NIS framework will be made using powers to be introduced by the Cyber Security and Resilience (Network and Information Systems) Bill, when enacted.
Baseline cyber resilience requirements for all Ofgem licensees
The introduction of baseline requirements would apply to all downstream gas and electricity Ofgem licensees and be implemented through licence condition updates. These standards are intended to ensure a baseline of resilience against the most common types of cyberattacks, a case of “doing the basics right”.
The requirements would need to be independently assured. The consultation proposes the government's Cyber Essentials scheme as a basis for shaping the requirements, but seeks views on whether a bespoke scheme adjusted to the needs of Ofgem licensees is required. The existing Cyber Essentials scheme has two levels of certification (CE/CE+), both of which focus on five technical control families: firewalls and internet gateways; secure configuration; user access controls; malware protection; and patch management. The baseline requirements are viewed as a starting point: the expectation is that licensees will build upon them according to their business-specific context and individual risk assessment.
Future potential intermediate standards
The consultation seeks early stakeholder feedback on potential intermediate cyber requirements between the baseline and NIS framework standards. This would only be considered after implementation of the baseline requirements and NIS framework review.
Impacts of the proposals on downstream gas and electricity (DGE) operators
- All existing DGE Ofgem licensees:
  - Existing Ofgem licensees should consider responding to the consultation and prepare to review, and if necessary improve, their cybersecurity practices to meet baseline requirements. More certainty on the specifics of those requirements will hopefully follow when the response to the consultation is published.
- DGE operators already subject to the NIS framework:
  - For operators already subject to NIS, the baseline requirements would apply to systems outside the NIS "essential service" scope — meaning ancillary, supporting and back-end systems that currently fall outside NIS requirements would need protection.
- DGE operators not subject to the NIS framework:
  - Potentially a larger number of generators, gas suppliers and transmission/distribution operators will be brought under the NIS framework for the first time, if their services are designated as critical. More certainty on who will be subject to the revised framework will follow.
For those organisations brought into scope by either proposal, there will be additional compliance costs and the need for additional cybersecurity expertise. The consultation explores the impact of potential costs and seeks feedback on this from stakeholders. By way of example, it includes the following indications:
- Implementing baseline requirements: Taking Cyber Essentials as a basis for expected costs, the government’s 2023 process evaluation found that the average costs for organisations to become Cyber Essentials (CE/CE+) certified were estimated as follows (by business size band): micro (£1,894), small (£4,741), medium (£6,267), and large (£31,459).
- NIS framework expansion: the Cyber Security and Resilience Impact Assessment estimated the impact on large load controllers, with total one-off costs per controller estimated at approximately £110,000 to £130,000, and ongoing annual costs of £180,000 to £210,000 (2025 prices).
This is a reminder that cybersecurity needs to be front of mind at all times and embedded into operations, into the design stages of all new infrastructure, and into project budgets.
Cyber resilience for a changing energy system
The NIS framework was introduced when the UK's energy resilience strategy was focused on the largest gas and electricity service operators. However, the energy transition and the government's Clean Power 2030 ambitions are changing the UK's energy system, as it moves away from a centralised system of large power plants to one that integrates distributed and decentralised energy sources, including solar, wind and storage. Major developments in digitalisation, AI and new technologies in the sector further increase the vulnerability of the changing energy system to cyber threats. The consultation cites the December 2025 cyberattacks on Polish renewable energy plants and other infrastructure as an example of the attractiveness of energy infrastructure as a target.
The government acknowledges that cybersecurity requirements in the energy infrastructure sector need to evolve to provide system-wide protection. The cyber resilience of a broader range of operators is now critical to the UK's energy security and “Energy security is national security” (Keir Starmer, 2025).
To read more on the topic of the changing threats to energy security, including cyber threats, see our recent briefing: Energy Security — Its evolving role in the energy transition.
Suggested actions and next steps
In light of these proposals, downstream gas and electricity operators should consider the following:
- Review your current cyber resilience posture: Conduct a gap analysis against the five Cyber Essentials technical control families (firewalls and internet gateways, secure configuration, user access controls, malware protection, and patch management). Identify areas requiring improvement before any new requirements come into force.
- Assess NIS applicability: Consider whether your operations may bring you within the expanded scope of the NIS framework under the revised thresholds. Operators whose services are designated as critical will face more extensive compliance obligations.
- Respond to the consultation: The deadline for responses is 22 May 2026. This is an opportunity to shape the final requirements and raise any sector-specific concerns, particularly regarding costs, practicality of implementation, and whether a bespoke scheme should be developed.
- Plan for compliance costs: Budget for potential certification and implementation costs.
For further support in responding to the consultation, assessing your compliance obligations, or reviewing your cyber resilience arrangements, please contact one of our specialists.