Securing open data in energy: triage in data best practice guidance

OFGEM·consultation·HIGH·29 May 2026·source document

This consultation is open for responses

Closes 14 Jul 2026 (31 days remaining)

Summary

Ofgem proposes to retreat from the 'presumed open' default for Energy System Data set in Data Best Practice guidance, citing hostile state actors, terrorism, and AI-enabled misuse of published network data. Three triage models are on the table: a centralised gatekeeper, a hybrid split between Ofgem and licensees, and an educational model that leaves licensees to self-assess against guidance. Consultation runs to 14 July 2026; the consultation document itself is a 646KB PDF (not extracted here, so model mechanics below are inferred from Ofgem's framing).

Why it matters

A reversal of the 'presumed open' default tilts the regime from disclosure-by-default to disclosure-by-permission, and that asymmetry favours incumbents who already hold the data over the innovators, developers, and new entrants the DBP regime was designed to serve. Security is a real constraint, but a centralised triage gate concentrates a new discretionary power in Ofgem (or in licensees, under the educational model) over what the market gets to see, and that power will be lobbied.

Options on the table

Centralised model

A single body (presumably Ofgem or a designated authority) triages datasets for publication. Highest consistency, slowest throughput, concentrates discretionary power over what the market sees in one regulator. Creates a bottleneck and a clear lobbying target.

Hybrid model

Triage is split between the centre and licensees, likely with a tiered classification where licensees self-assess routine datasets and escalate sensitive ones. Compromises consistency for throughput; the boundary between licensee discretion and central oversight becomes the contested parameter.

Educational model

Licensees self-assess against guidance with no central gate. Highest throughput, lowest consistency, hands the disclosure decision to the parties with the strongest commercial interest in withholding. Security label becomes a defensible reason to suppress competitively useful data.

Questions being asked

Model selection

  • Which of the three proposed models (centralised, hybrid, educational) best balances security and the benefits of open data?
  • What are the costs and benefits of each model for licensees, data users, and innovators?

Risk assessment

  • How should the evolving threat environment (hostile state actors, AI misuse) be weighed against the benefits of open Energy System Data?
  • What datasets currently published under DBP guidance present the greatest security risk?

Implementation

  • How should triage decisions be made operational, governed, and reviewed?
  • What transitional arrangements are needed for data already published under the 'presumed open' default?

Key facts

  • Consultation published 29 May 2026, closes 14 July 2026 (six-week window)
  • Three proposed models: centralised, hybrid, educational
  • Reverses the 'presumed open' default established in current Data Best Practice (DBP) guidance
  • Justification cited: hostile state actors, terrorism targeting energy infrastructure, AI-enabled misuse of open data
  • Applies to licensees obligated to follow DBP guidance (network companies) and voluntary followers
  • Responses by email to digitalisation@ofgem.gov.uk
  • Consultation document: 646.07KB PDF (not extracted in source provided)

Timeline

Consultation closes 14 Jul 2026

Areas affected

transmission, distribution, grid connections, flexibility, generators, suppliers

Related programmes

RIIO-ET3, RIIO-ED2, Connections Reform

Memo

What this is about

Ofgem is consulting on whether to abandon the "presumed open" default for Energy System Data (ESD) that sits at the heart of its Data Best Practice (DBP) Guidance. Since the DBP regime was made a licence requirement for several network and system licensees, the working assumption has been that ESD should be published openly unless there is a specific reason not to. The regulator now wants to flip the burden: under the proposals, datasets would be triaged before publication, with security taken as a first-order constraint alongside the economic case for openness.

The trigger is a stated shift in the threat environment. Ofgem cites hostile state actors, terrorism aimed at energy infrastructure, and the way AI tools change what an attacker can do with published network data. The consultation puts three governance models on the table for how triage would work in practice: a centralised model, a hybrid model, and an educational model. The closing date is 14 July 2026. The substance of how each model would operate is in a 646KB PDF that is not extracted here, so the descriptions below take Ofgem's framing in the landing page at face value and infer the mechanics; respondents should read the PDF before settling a position.

Two things are worth naming up front. First, this is a reversal of a default that the DBP regime was explicitly designed around. "Presumed open" was the point. It was meant to do work: to push licensees who would otherwise prefer to hold data tight to publish it, and to give innovators, developers, and new entrants something to build on without negotiating bilateral access. Moving to disclosure-by-permission, under any of the three models, changes the direction of the friction. It now costs something to publish rather than to withhold, and that asymmetry favours the parties that already hold the data.

Second, the security case is real but generic. Ofgem has not, in the landing-page framing, identified which categories of currently-published ESD are alleged to create which specific risks. Without that, the consultation is structurally tilted toward whichever model concentrates discretion in the hands of the body the respondent trusts most, rather than toward a clause-by-clause assessment of what should actually move from open to restricted. Respondents who want a workable regime should press for the specific risk taxonomy before endorsing any of the three governance shells.

Options on the table

Centralised model

Under the centralised model, a single body, presumably Ofgem itself or a designated authority sitting under it, would triage datasets before publication. Licensees would submit ESD for review, and the centre would decide what is published openly, what is shared on restricted terms, and what is withheld. This produces the most consistency across licensees and the clearest accountability for disclosure decisions: one body, one set of criteria, one appeal route.

The cost is throughput and concentration of power. Centralised triage adds a regulator-paced step to every publication decision and creates a queue. Anyone who has watched the grid connections queue, the modification panels, or the licence modification timetable knows what happens when scarce administrative capacity sits in front of a decision that participants want made: it gets allocated by whoever can wait, lobby, or pay to wait. The centralised model also creates a single discretionary lever over what the GB energy market gets to see. That lever will be lobbied. Incumbents with the staff to engage Ofgem on classification questions will get better outcomes than new entrants who do not know the regime exists. The winners are licensees who prefer slower disclosure and well-resourced data users who can navigate the gate; the losers are smaller innovators and the diffuse consumer interest in competitive analytics built on network data.

Hybrid model

The hybrid model splits triage between the centre and licensees. The likely shape, though not confirmed in the landing-page text, is a tiered classification: licensees self-assess routine datasets against published criteria and publish them directly, while datasets above some sensitivity threshold are escalated to Ofgem (or whichever body holds the central role) for decision. This trades some consistency for throughput. Routine data flows without waiting for central review; sensitive data still gets the second pair of eyes.

The contested parameter under a hybrid model is where the boundary sits. Every dataset that licensees can self-classify as "routine" is a dataset Ofgem does not see before publication; every dataset that has to be escalated is a dataset that joins the central queue. The boundary will be drafted in the guidance, redrafted at every consultation, and lobbied at every review point. Licensees with commercial reasons to withhold will press for a low escalation threshold (so more decisions land at the centre, where they can be argued); data users will press for the opposite. The hybrid model also creates a structural ambiguity about responsibility: if a self-classified routine dataset turns out to enable an attack, was that a licensee failure or a guidance failure? The honest answer depends on how prescriptive the guidance is, and consultation respondents should ask Ofgem to be specific. Winners: licensees, who get a defensible self-assessment route for most data, and Ofgem, which gets to focus its capacity on the harder cases. Losers: data users who lose visibility into self-classified withholdings, since "we assessed this as restricted under the guidance" is a much harder decision to challenge than a centralised refusal.

Educational model

The educational model leaves the decision entirely with licensees. Ofgem publishes guidance, training, and case studies; licensees self-assess every dataset against that guidance and decide what to publish. No central gate, no escalation route, no second pair of eyes before publication. Throughput is highest because there is no queue. Consistency is lowest because every licensee makes its own judgment.

This is the model most exposed to the incentive problem the DBP regime was originally built to solve. Licensees do not have a neutral interest in disclosure. They have a commercial interest in withholding data that helps competitors, a reputational interest in withholding data that exposes operational performance, and now a regulator-endorsed security label they can attach to either of those motives. "We assessed this as security-sensitive under the guidance" becomes a defensible reason to suppress a dataset that a competitor or an innovator would have used to build a tool, run a comparison, or surface a problem. Once that pattern is established, it is very hard to reverse: the data not published cannot easily be missed by people who never knew it existed.

The educational model also makes enforcement much harder. Under "presumed open," a licensee who held back a dataset had to defend the withholding; under a self-assessment regime, the default has flipped, and the burden falls on whoever can prove the licensee classified wrongly. That asymmetry favours the holder of the data. Winners: licensees, decisively. Losers: data users, innovators, third-party developers, and the slice of the consumer interest that depends on competitive analytics and benchmarking built on network data.

A point that cuts across all three models: none of them addresses what happens to data already published under the "presumed open" default. The triage decision is forward-looking; the back catalogue is, presumably, already in the wild. If the security case justifies the new regime, it presumably also justifies some treatment of existing publications, and the consultation should be pressed on this.

Questions being asked

Note: these themes follow the structure of Ofgem's framing on the landing page. The consultation PDF will contain the specific numbered questions, and respondents should refer to it before submitting.

Model selection

- Which of the three proposed models, centralised, hybrid, or educational, best balances security and the benefits of open data? [In substance: which body should hold the discretionary power to decide what the GB energy market sees? Respondents should not answer this without also asking who that body is accountable to and how its decisions are challenged.]
- What are the costs and benefits of each model for licensees, data users, and innovators? [The honest answer requires Ofgem to publish a specific risk taxonomy first. Without it, this is an invitation to assert priors.]

Risk assessment

- How should the evolving threat environment, including hostile state actors and AI misuse, be weighed against the benefits of open Energy System Data? [The question assumes the threat environment has changed enough to justify reversing the default. Respondents who do not accept that premise should say so, and ask for the evidence base.]
- What datasets currently published under DBP guidance present the greatest security risk? [This is the single most important question in the consultation. Without a specific list, the three-model debate is unmoored. Respondents who care about the regime should push hard for Ofgem to name the datasets it is worried about.]

Implementation

- How should triage decisions be made operational, governed, and reviewed? [Process design: who decides, on what timetable, with what appeal route, with what transparency over refusals.]
- What transitional arrangements are needed for data already published under the 'presumed open' default? [The back-catalogue question. If the security case is real, it has implications for what is already public; the consultation should be made to address this explicitly.]

How to respond

- Deadline: 14 July 2026
- Method: Email submission
- Address: digitalisation@ofgem.gov.uk
- Consultation document: Securing open data in energy: triage in data best practice guidance (PDF, 646KB), available from the Ofgem consultation page
- Who Ofgem wants to hear from: Licensees obligated to follow DBP guidance, stakeholders who follow it voluntarily, data users, and innovators

Source text

Securing open data in energy: triage in data best practice guidance | Ofgem

Publication type: Consultation
Publication date: 29 May 2026
Closing date: 14 July 2026
Status: Open
Topic: Cybersecurity

Proposed options for triaging data for publication under data best practice guidance in light of the evolving threat environment.

Consultation description

Data needs to flow effectively through the energy system to inform decisions, increase visibility, and help reduce cost of the transition to net zero. Data is commonly considered to be a spectrum, ranging from open, to shared, to closed. This consultation relates to Open Data, data which can be safely published without restrictions for innovators, developers and others to use to build tools and new products.

Ofgem made compliance with Data Best Practice (DBP) Guidance, which considered Energy System Data (ESD) to be ‘presumed open’, a requirement for some licensees. Since then, the global security landscape has changed. Hostile state actors and terrorists have targeted energy infrastructure and the increased use of AI has also changed how Open Data might be used. This necessitates that we give further careful and prudent consideration as to how and when network companies should publish data openly.

The aim of the consultation is to garner views as to the most effective of the three proposed models:

  • The centralised model
  • The hybrid model
  • The educational model

This consultation frames the issue with an explanation of the risks and benefits of Open Data, and seeks views on where the balance between security and growth is to be found.

Who should respond

  • Licensees obligated to follow DBP guidance
  • Stakeholders who follow DBP guidance voluntarily
  • Data users
  • Innovators

How to respond

Submit your response by 14 July 2026 by emailing digitalisation@ofgem.gov.uk.

Consultation document

Securing open data in energy: triage in data best practice guidance [PDF, 646.07KB]