
Reshaping Cyber Regulation in Downstream Gas and Electricity

DESNZ·consultation·medium·27 Mar 2026·source document

This consultation is open for responses


Summary

Ofgem and DESNZ propose baseline cyber security requirements for all energy licensees, plus expanded Network and Information System Regulations coverage. The consultation seeks to standardise cyber resilience across downstream gas and electricity sectors through mandatory minimum requirements. No specific thresholds, costs, or implementation dates are provided.

Why it matters

This shifts cyber security from a voluntary overlay to a licensing condition, creating compliance costs for smaller players who previously faced lighter requirements. The approach adds oversight rather than fixing incentives — it mandates spending on security without pricing the risk of failure.

Options on the table

Baseline cyber requirements for all licensees

Introduce mandatory minimum cyber security standards that apply to every entity holding an Ofgem licence, regardless of size or current cyber obligations. This would create a consistent starting point for cyber resilience across the energy system, ensuring that even the smallest licensees must meet basic security requirements.

Expand Network and Information System Regulations scope

Lower the thresholds for designation under the 2018 regulations and potentially expand the definition of essential services in downstream gas and electricity. This would bring more energy companies under the stricter NIS regime, subjecting them to incident reporting requirements and regulatory oversight.

Key facts

  • Baseline cyber requirements proposed for all Ofgem licensees
  • Review of Network and Information System Regulations 2018 thresholds
  • Covers downstream gas and electricity sectors
  • Consultation published 2026-03-27

Areas affected

generators, suppliers, distribution, transmission

Related programmes

Clean Power 2030

Memo

What this is about

DESNZ and Ofgem want to impose cyber security requirements on every energy licensee as the sector fragments under net zero transition. The current approach relies on voluntary measures for most players and the Network and Information System (NIS) Regulations for the largest operators. This creates gaps as new entrants - from battery storage operators to heat pump installers - join the system without equivalent cyber oversight.

The timing reflects Clean Power 2030 pressures and mounting cyber threats. More distributed generation, storage, and demand response assets create new attack vectors. Meanwhile, legacy regulation captures perhaps 50-100 entities under NIS thresholds while hundreds more hold licences with minimal cyber obligations. The regulators want consistent baseline protection across all licensees, plus expanded NIS coverage to catch mid-tier operators currently outside the net.

Options on the table

Baseline cyber requirements for all licensees

Every Ofgem licensee would face mandatory minimum cyber security standards regardless of size or current obligations. This means electricity generation, supply, distribution, interconnector, and transmission operators, plus gas shippers, suppliers, transporters, and storage operators - potentially 800+ entities.

The baseline would likely cover basic hygiene: regular patching, access controls, incident response procedures, staff training. Smaller players win regulatory clarity but lose flexibility. They face new compliance costs without necessarily reducing systemic risk - a 1MW battery storage operator poses different threats than a major supplier. The approach treats cyber security as a checklist exercise rather than risk-based protection.

Larger operators already meeting higher standards see limited impact beyond administrative burden. The real cost falls on smaller licensees who must build cyber capabilities from scratch. For a small supply company or generator, this could mean hiring specialist staff or expensive consultants for minimal security improvement.

Expanded NIS Regulations scope

The current NIS framework applies to electricity operators serving 250,000+ customers and gas operators with 20+ TWh annual throughput. Expanding scope means lowering these thresholds to capture mid-tier players, or widening the definition of "essential services" to include previously exempt activities.

Mid-sized suppliers, distributed generation operators, and storage providers would face the full NIS regime: mandatory risk assessments, incident reporting to NCSC, regulatory inspections, potential enforcement action. This creates genuine cyber oversight with teeth - NIS can impose significant penalties and operational requirements.

But it also means regulatory overkill for entities whose failure affects thousands rather than millions of customers. A 100MW solar farm faces the same regime as a major network operator. The expansion assumes that cyber threats scale with company size rather than system criticality - a questionable premise when attacks often target easier, smaller victims to access larger systems.

Companies currently just below NIS thresholds face the steepest cost increases. They must implement formal cyber governance, regular third-party assessments, and detailed incident procedures. For operators with thin margins, this could force consolidation or exit.

Questions being asked

The consultation document provided doesn't include specific consultation questions. Respondents are invited to provide "feedback and evidence from a range of stakeholders" to inform development of the proposals, but no structured question framework is presented.

The regulators seek input on whether baseline cyber requirements are needed for all licensees, and whether NIS scope should expand through threshold changes or broader essential service definitions. They want evidence on proportionality, effectiveness, and implementation approaches.

How to respond

The consultation document doesn't specify a response deadline, submission method, or contact details. Stakeholders should check the original DESNZ publication for response instructions, or contact DESNZ directly for guidance on how to submit views.

The regulators welcome input from Ofgem licensees, developers, industry bodies, think tanks, and academia. They emphasize that stakeholder input will be "vital in shaping requirements that are appropriate and proportionate."

---

Assessment: This consultation represents regulatory mission creep disguised as risk management. Rather than pricing cyber risk through market mechanisms or insurance requirements, it mandates spending across hundreds of entities regardless of their threat profile or system importance.

The baseline approach treats a 1MW battery operator the same as a major supplier for cyber purposes - bureaucratic tidiness that ignores risk reality. Most cyber incidents stem from poor incentives, not inadequate rules. A small supplier facing bankruptcy has little incentive for cyber investment, whatever the regulations require.

Expanding NIS coverage compounds this by applying heavy-duty regulatory machinery to mid-tier players whose failure poses limited systemic risk. The result will be compliance theater: box-ticking exercises that increase costs without meaningfully improving security.

The regulators should focus on fixing incentives rather than mandating behaviours. Cyber insurance requirements, liability frameworks, or risk-based capital charges would drive appropriate investment without regulatory micromanagement. Instead, they propose to regulate their way to cyber security - an approach that typically produces the appearance of protection without the substance.

Source text

In light of the changing energy landscape as the country moves towards Clean Power 2030 and the increased cyber security threat, Ofgem and the Department of Energy Security and Net Zero are seeking views on reshaping cyber regulation for the downstream gas and electricity sector in Great Britain. The consultation considers whether there is a need to change how cyber resilience requirements apply across the downstream gas and electricity sector. We propose introducing baseline cyber requirements for all Ofgem licensees, to ensure cyber is on everyone’s agenda and introduce a consistent cyber starting point for the energy system. It also explores the possible expansion of the scope of the Network and Information System Regulations 2018, through a review of thresholds and essential services for designation in the downstream gas and electricity sectors. We welcome feedback and evidence from a range of stakeholders, including from Ofgem licensees, developers and industry bodies to think tanks and academia, to inform the development of our proposals. Your input will be vital in shaping requirements that are appropriate and proportionate, future-proof, and are effective in defending against an evolving and complex threat landscape.