UK Energy Sector Cyber Security: New Rules & Penalties Explained

The UK is tightening its grip on cybersecurity, and the energy industry is feeling the squeeze. But is this a necessary safeguard or an overreach of regulatory power?

New legislation in the UK is set to increase cybersecurity requirements for major electricity infrastructure, classified as ‘operators of essential services’ (OES). The Cyber Security and Resilience Bill, unveiled this week, aims to enhance the existing Network and Information Systems Regulations 2018 (NIS) by imposing larger penalties for cybersecurity breaches by companies tied to critical infrastructure.

Here’s where it gets interesting: the bill proposes to expand its scope significantly. It introduces a new category of OES for providers of energy smart appliances (ESAs), such as electric vehicles, charging points, battery storage systems, and virtual power plants. These ESA providers will now be required to demonstrate robust cybersecurity plans and adapt to stricter reporting processes, notifying regulators and customers of significant incidents.

And this is the part most people miss: the bill proposes a major shift in notification requirements. Regulators and the National Cyber Security Centre must be notified of incidents within 24 hours, with a full report following within 72 hours. But it’s not just about speed; the triggers for notification have also expanded, now including near-miss incidents and those with potential adverse effects. Customers impacted by cyber incidents will also be promptly informed.

The inclusion of ‘large load controllers’ in the bill’s scope has surprised industry experts. Stuart Davey, a cyber readiness expert, highlights that these providers will now have specific obligations to meet the new security standards, showcasing the government’s emphasis on clean tech and electronic charging infrastructure.

But the bill doesn’t stop there. It introduces another twist with a new category of OESs called ‘critical suppliers’: organizations that provide goods or services to OESs and rely on network and information systems to do so. The bill proposes that competent authorities can designate these critical suppliers, emphasizing the importance of supply chain management.

Chris Martin, a technology and cyber readiness expert, points out that this will prompt essential service operators and their suppliers to reevaluate how cybersecurity is addressed in supply chain contracts. He suggests that contracts should go beyond generic security clauses and include practical measures like adopting NCSC-aligned cybersecurity standards, setting incident reporting timelines, and allocating liability for fines.

The bill also strengthens the powers of competent authorities, allowing them to gather more information and potentially penalize non-cooperative parties. Regulators may use these powers to enhance enforcement actions under NIS. Additionally, the government aims to simplify penalty structures, consider new factors for proportional penalties, and introduce higher maximum penalties, up to £17 million or 4% of a company’s worldwide turnover.

While the bill’s focus is on OESs, it also grants the government increased power to instruct regulators and organizations to take preventative measures when national security is threatened, which could significantly impact energy operators facing cyber attack risks.

This legislation follows recent warnings from the National Cyber Security Centre about the rise in significant attacks and the need for companies to bolster their defenses. But is this increased scrutiny a necessary evil or a step too far? The debate is sure to spark differing opinions. What do you think? Is the energy industry being unfairly targeted, or is this a much-needed upgrade to our cybersecurity defenses?
