Supply chain security: proposed guidance
This consultation is open for responses
Closes 29 Jun 2026 (16 days remaining)
Summary
Ofgem is consulting on draft guidance for supply chain security risk management across downstream gas and electricity operators, suppliers, and service providers. The guidance sets out principles, outcomes, and a risk-based supplier criticality model rather than prescriptive rules. It is positioned as outcome-focused and proportionate, with no new licence obligations attached.
Why it matters
Guidance, not rule. It standardises how regulated parties demonstrate supply chain risk management without changing what they must do, which favours incumbents who already run mature procurement and assurance functions. Smaller suppliers and new entrants absorb the compliance cost of a 'proportionate' framework whose proportionality is defined by the regulator, not the market.
Options on the table
Draft guidance as consulted
Adopt the draft principles, outcomes, and risk-based supplier criticality model as a single sector-wide reference, with proportionality applied case by case. Regulated parties self-assess supplier criticality and document risk management against the stated outcomes; Ofgem retains discretion to test application through routine engagement rather than a new assurance regime.
Questions being asked
Clarity and usability
- Is the draft guidance clear and usable for the range of parties in scope?
- Are the proposed principles and outcomes expressed in a way that supports consistent application?
Supplier criticality model
- Does the risk-based supplier criticality model capture the right distinctions across supplier types?
- Is the model workable for managed service providers, systems integrators, and equipment manufacturers as well as direct suppliers?
Proportionality and burden
- Does the guidance support effective risk management without creating unnecessary burden?
- Are there unintended consequences for smaller suppliers or new entrants?
Practical application
- How should the guidance interact with existing procurement, assurance, and audit practices?
- What operational experience should inform future iterations of the guidance?
Key facts
- Consultation opens 2 June 2026, closes 29 June 2026 (27-day window)
- Scope: downstream gas and electricity sector
- Draft guidance published alongside consultation (PDF, 320.90KB)
- Approach: principles, outcomes, and risk-based supplier criticality model
- Responses by email to cyberstrategy@ofgem.gov.uk (signals cyber-security framing)
- Stated intent: guidance will evolve over time with stakeholder feedback and operational experience
Memo
What this is about
Ofgem is consulting on draft guidance setting out how downstream gas and electricity operators, suppliers, and service providers should manage supply chain security risks. The draft proposes principles, outcomes, and a risk-based supplier criticality model, with proportionality applied case by case rather than through prescriptive rules. It is not attached to any new licence obligation. Responses close 29 June 2026, a four-week window, with submissions to cyberstrategy@ofgem.gov.uk.
The framing matters. This is the cyber and supply chain integrity strand of energy security, the bit that sits underneath every smart meter rollout, every distributed energy resource aggregator, every grid management platform, every managed service contract that touches operational technology. Ofgem is not changing what regulated parties must do. It is standardising how they demonstrate they are doing it. The instrument is guidance, which means it lives below the licence and below statutory instruments but above informal expectation. Regulated parties will be assessed against it through routine engagement. Non-regulated parties (suppliers, integrators, manufacturers) will be assessed through the procurement and assurance processes of their regulated customers, which is how guidance directed at one tier propagates down the supply chain without ever touching contract law.
Options on the table
Draft guidance as consulted
The single option Ofgem puts forward is to adopt the draft principles, outcomes, and risk-based supplier criticality model as a sector-wide reference. Regulated parties self-assess which of their suppliers are critical, document their risk management against the stated outcomes, and rely on Ofgem applying proportionality case by case rather than through tiered thresholds in the guidance itself. There is no new assurance regime, no new reporting line, no new return. Ofgem retains discretion to probe application through engagement it would do anyway.
The structure of this option determines who wins and who loses, and the distribution is not subtle. Incumbents with mature procurement functions, established third-party risk management teams, and existing supplier assurance processes absorb this at near-zero marginal cost. They already do supplier criticality scoring; the guidance gives them a sector-standard label for it. The mid-tier and smaller licensed suppliers, the new entrants, the niche software vendors, the equipment manufacturers selling into the GB market from outside the UK absorb it as net new work. They need to build the documentation, design the criticality model, train the procurement staff, and stand ready for the engagement that Ofgem says will test it. Proportionality, where it is defined by the regulator rather than by a market-tested threshold, becomes a discretionary variable that small parties cannot price into a tender.
The wider consequence is that compliance cost flows up the supply chain into licensed networks and suppliers, then through allowed revenues and retail tariffs onto consumers. None of this appears in the consultation as a number. That is consistent with how cyber and supply chain regulation has developed across the sector; the costs are real but unseen because they sit inside procurement teams, contract clauses, and management overhead rather than in a line item on a network operator's RIIO submission.
There is no alternative option in the document. The consultation is binary in the sense that respondents can support the draft as it stands, suggest changes, or argue against it, but there is no second model on the table. That itself is a design choice. A consultation that offers a single instrument and asks whether it is clear and usable is asking a narrower question than one that asks whether guidance is the right tool at all.
Questions being asked
Clarity and usability
- Is the draft guidance clear and usable for the range of parties in scope? (Whether one document can credibly serve a gas distribution network operator, a domestic supplier, a managed service provider, and a metering equipment manufacturer at the same time. If the answer is yes for everyone in the abstract, it is probably yes for no one in practice.)
- Are the proposed principles and outcomes expressed in a way that supports consistent application? (Whether two regulated parties reading the same outcome would reach the same conclusion about what good looks like. Outcome-focused regulation only works where the outcome is observable. If it is not, "consistent application" becomes consistent appeal to the regulator's view.)
Supplier criticality model
- Does the risk-based supplier criticality model capture the right distinctions across supplier types? (Whether the model distinguishes between a supplier whose failure would take a network down and a supplier whose failure would be inconvenient. The whole framework depends on this distinction holding under stress.)
- Is the model workable for managed service providers, systems integrators, and equipment manufacturers as well as direct suppliers? (Whether the model can deal with the layered nature of modern energy supply chains, where the licensed party often contracts with an integrator who contracts with a vendor whose product depends on a foreign manufacturer. Criticality at the top of the chain says little about criticality at the bottom.)
Proportionality and burden
- Does the guidance support effective risk management without creating unnecessary burden? (Whether the documentation, self-assessment, and engagement burden produces a security uplift commensurate with the cost. The honest version of this question is whether mature operators get a write-up of what they already do, and smaller operators get a compliance project.)
- Are there unintended consequences for smaller suppliers or new entrants? (The structural question. A guidance regime whose proportionality is defined by the regulator and applied case by case is a barrier to entry for any party that cannot afford to be wrong about how to self-assess. This is the moment to raise it on the record.)
Practical application
- How should the guidance interact with existing procurement, assurance, and audit practices? (Whether the guidance overlays cleanly on what mature parties already run against NIS Regulations, the NCSC Cyber Assessment Framework, ISO 27001, and sector-specific schemes, or whether it adds a parallel track. Overlay is cheap. Parallel track is expensive.)
- What operational experience should inform future iterations of the guidance? (Ofgem signalling that the guidance will evolve. The practical implication is that early adopters set the precedent for how proportionality is interpreted, which makes the cost of being a first-mover non-trivial.)
How to respond
Deadline: 29 June 2026.
Submission: email to cyberstrategy@ofgem.gov.uk.
Consultation document: Supply Chain proposed guidance consultation (PDF, 320.90KB), published 2 June 2026 alongside this consultation.
Status: open. Topic recorded as electricity supply and gas supply. Stakeholders identified as gas and electricity operators, suppliers of products and services to the energy sector, service providers, systems integrators and managed service providers, equipment and technology manufacturers, trade bodies and industry associations, assurance and audit organisations, and academic and research organisations with relevant expertise. The four-week window is short for a guidance document with sector-wide reach; respondents who need internal sign-off should start the legal and procurement clearance now rather than later in June.
Source text
Supply chain security: proposed guidance | Ofgem
Publication type: Consultation
Publication date: 2 June 2026
Closing date: 29 June 2026
Status: Open
Topic: Electricity supply, Gas supply
We are seeking views on draft guidance to support proportionate supply chain security risk management in the downstream gas and electricity sector.
Consultation description
This consultation seeks views on the draft supply chain security guidance for the downstream gas and electricity sector. The guidance is intended to support a consistent, proportionate, and outcome-focused approach to managing supply chain security risks across a wide range of supplier relationships. The consultation invites feedback on the clarity, usability, and practical application of the draft guidance, including the proposed principles, outcomes, and risk-based supplier criticality model. Responses will help us assess whether the guidance supports effective risk management in practice without creating unnecessary burden or unintended consequences. The guidance is published in draft form alongside this consultation and is expected to evolve over time, informed by stakeholder feedback and operational experience.
Who should respond
This consultation is aimed at stakeholders involved in delivering, supporting, or enabling services within the downstream gas and electricity sector, including:
- gas and electricity operators
- suppliers of products or services to the energy sector
- service providers, systems integrators, and managed service providers
- equipment and technology manufacturers
- trade bodies and industry associations
- assurance and audit organisations
- academic and research organisations with relevant expertise
How to respond
Submit your response by 29 June 2026 by emailing cyberstrategy@ofgem.gov.uk.
Consultation documents
Supply Chain proposed guidance consultation [PDF, 320.90KB]