The UK government is advising on changes to cyber security regulations affecting the energy sector.
Image: pv magazine/AI generated
The UK government is looking to tighten cyber security rules for its electricity and gas sectors, following recent attacks on energy infrastructure in Europe.
The proposals follow a recent successful attack on Poland’s energy infrastructure, which the British government cited as evidence that the entire energy system is now an “attractive target” for adversaries. Industry stakeholders are being asked to share their views on cyber security, ahead of potential changes that would impact downstream electricity and gas organisations.
The plans to expand the scope of cybersecurity regulations would apply baseline requirements to all licensed energy organizations. The new rules have not yet been finalized but are likely to be based on the government’s Cyber Essentials programme, with a focus on firewalls and internet gateways, secure configuration, user access controls, malware protection and patch management, an industry consultation has found.
In addition to the new basic rules, the thresholds for compliance with the stricter British Network and Information System (NIS) regulations can also be adjusted. The regulations, introduced in 2018, target the largest operators who provided the majority of gas and electricity services.
The UK government has recognized that the energy system has changed since the NIS regulations were introduced, with a wider range of organizations playing an increasingly important role in delivering energy services and balancing systems
Under current rules, organizations must comply with NIS regulations if they exceed a set capacity threshold or if they have been specially designated by the industry regulator. These have been set at a cumulative capacity of 2 GW for electricity producers, 250,000 end customers for transmission and distribution companies and 1 GW for interconnectors. These thresholds may be adjusted after a planned revision.
If the thresholds are changed, covered organizations may need to fund a range of activities related to compliance and are likely to require additional security spending, the UK government said.
Industry stakeholders are invited to submit their views to the UK Government by 22 May 2026. The full report Ministry of Energy Security and Net Zero (2026) Cyber regulatory reform in downstream gas and electricity is available on the UK government website.
This content is copyrighted and may not be reused. If you would like to collaborate with us and reuse some of our content, please contact: editors@pv-magazine.com.
Popular content
