Secure, clean, and affordable energy underpins the UK economy. It is vital that the UK energy system is secure and resilient to those who wish to do harm. Amplified by geopolitical risks from global conflicts, the UK have seen an increasing use of cyber attacks and a growing number of actors prepared to employ them, with aspirations to disrupt western Critical National Infrastructure (CNI). Maintaining secure energy supplies is a government and sector priority, and a cyber secure and resilient energy system now, and in the future, is central to this.
The NCSC has noted a stark increase in the threat to UK CNI systems, as adversaries seek to compromise these systems to achieve a range of outcomes, from financial gain and economic advantage, to pre-positioning, espionage and disruptive and destructive attacks. In recent years the UK have seen how cyber-attacks can have far reaching impacts, including on essential services. In the increasingly unstable geopolitical landscape and considering the attractiveness of energy as a target by high capability state actors, it is now, more than ever, that robust and coordinated cross-sector action is required to enhance sector security and resilience.
Great Britain boasts a reliable, resilient energy system. However, the UK energy infrastructure was never designed with rapid digitalisation and decentralisation in mind. The UK Government need to ensure that the infrastructure remains resilient to the growing cyber threat.
The UK government’s CP2030 report sets out an ambitious plan to deliver its net zero targets, ensure a secure and affordable energy supply, foster new industries and investments, and protect the environment from climate change. As the government delivers this ambition, the energy sector will undergo transformation at a scale never experienced before. New energy resources will enter the market, renewable technologies will be rapidly deployed, infrastructure will be significantly upgraded and expanded, and digital solutions from new market participants will revolutionise how the energy sector meets consumer demand.
The transition to a clean power system, driven by the adoption of new energy technologies, will fundamentally reshape the environment in which threat actors operate. If security is not embedded throughout the transformation of the energy sector, adversaries are likely to exploit emerging vulnerabilities and gaps. This was highlighted by the cyber attack in Poland in December 2025, where threat actors attempted to disrupt energy systems by targeting distributed energy resources.
However, the UK government recognise that, in developing the cyber resilience of the energy sector, there are structural challenges that need to be overcome. The UK faces a significant shortage of professionals that have the required combination of cyber and engineering skills, with an insufficient number of security-cleared industry staff. Additionally, there is a need to continue to raise awareness at pace about the critical nature of cyber security.
Since the introduction of the Network and Information Systems (NIS) regulations in 2018 there has been a significant shift in culture. However, the NIS regulations are relatively recent, and their coverage is limited. It is imperative for them to prioritise engagement with companies, boards, and employees to shift cyber security attitudes, particularly for the most critical parts of the energy system. Furthermore, the integration of legacy infrastructure with new technologies presents a complex challenge, requiring careful management to ensure seamless and secure operations. Addressing these issues is crucial to successfully navigating the path to net zero while safeguarding the UK energy sector against evolving cyber threats.
This strategy sets out a 4-year plan from 2026 to 2030 ensuring that:
They will deliver the above by focusing on the following strategic outcomes.
Enhancing understanding of threat, vulnerability, and risk:
Prevention through enhanced and accelerated resilience:
Strengthening preparedness, response and recovery:
Effective monitoring, regulation and enforcement:
Fostering partnership, culture and skills:
The cyber threat has increasingly focused on CNI systems, as hacktivist groups and high capability state actors strive to compromise these systems for political effect and propaganda victories. Ransomware attacks continue to pose the most immediate and disruptive threat to UK CNI, with some state-linked cyber groups now targeting the industrial control systems that infrastructure relies on.
In February 2024, the NCSC and international partners co-signed an advisory on observed compromises of US CNI by a China state-sponsored threat actor. The targeting of energy, transportation and water sectors could be laying the groundwork for future disruptive and destructive cyber attacks, and is a clear warning about China’s intent to threaten essential networks. On top of a more complex picture of actors, the overall cyber threat is amplified by geopolitical risks from global conflicts. In 2024, NCSC repeatedly saw heightened use of cyber activity in areas of wider competing influence around conflict zones.
During direct conflict, Russia has routinely deployed wiper malware to delete data from inside Ukrainian government and CNI to hinder their operation. Russia is routinely seeking to compromise the systems of North Atlantic Treaty Organisation (NATO) states and aiming to shape the information space globally around Ukraine as it erroneously sees itself in conflict with NATO. In January 2026, CERT Polska (one of the Polish Cyber Security Incident Response Teams) attributed an attack on key renewable infrastructure in Poland to Russian actors. This attack affected both Information Technology (IT) systems and physical industrial equipment.
Iran-based threat actors remain aggressive in cyberspace and continue to achieve their objectives through less sophisticated cyber techniques and have been seen targeting industrial control systems. Following conflict in the Middle East, in March 2026 the NCSC released a cyber alert which highlighted heightened risk of indirect cyber threat for organisations and entities who have a presence, or supply chains, in the Middle East.
Immediate action must be taken to address this escalating threat.
The main regulatory lever related to cyber resilience in the energy sector is the NIS regulations. The NIS regulations were introduced in 2018 to enhance the security and resilience of network and information systems that are critical for essential services. They are intended to only apply to the most critical operators and therefore do not provide holistic coverage of the energy system. For Great Britain, Downstream Gas and Electricity (DGE), DESNZ and Ofgem are a joint regulator under NIS, while DESNZ is also the NIS regulator for Oil and Upstream Gas (OUG).
The NIS regulations have driven significant improvements in cyber security and resilience. However, they need to evolve to keep pace with the threat, technology and digital transformation landscape. In November 2025, the government introduced to parliament the Cyber Security and Resilience (Network and Information Systems) Bill (CSRB), to increase UK defences against cyber-attacks. The CSRB will protect more essential and digital services from cyber attacks, enable cyber regulators to be more effective, and provide the government with the flexibility to respond to new threats in the cyber landscape.
The UK Government has proposed new powers in the bill that, subject to Royal Assent, could be leveraged to drive resilience in the energy sector, where it is necessary to safeguard public services, the economy or national security. However, legislation is not the only tool available and to ensure that the transformation of the whole sector is secure they must also look at improving resilience through license conditions, international standards, collaboration and sharing of best practice and actionable, relevant guidance for companies from government and regulators on cyber security.
CP2030 will tackle 3 major challenges:
Clean power will require doing things differently. It will only be achieved with bold action and sustained momentum, across every area and every step of the way between now and 2030. A huge uplift in wind, solar, and storage technologies and supporting infrastructure are driving the CP2030 goals. The UK must contract as much offshore wind capacity in the coming 1 to 2 years as in the last 6 years combined, with Great Britain’s offshore wind capacity expected to rise by 30GW by 2030. The UK Government must deliver first-of-a-kind clean dispatchable technologies, such as carbon capture and storage and hydrogen to power. The UK must also build twice as much transmission network in the next 5 years as was built in total over the last decade. And that is only a small subset of the elements that must deliver at the limit of what is feasible to achieve their ambitions.
In addition to new technologies and growing subsectors such as wind generation, the energy sector is evolving through increased digitalisation and seeing the phase out of longstanding fossil fuel generation with coal-burning generation plants decommissioned.
A key challenge will be making sure all elements deliver simultaneously, in full, and at maximum pace, without compromising security to achieve speed. The diversity and transformation of Great Britain’s energy system will bring with it new risks. These risks will not always rest on the largest of infrastructure operators, therefore the government needs to look at all parts of the energy system to drive security and resilience.
It is vital that the UK Government increase the cyber resilience of the UK’s energy sector and act with urgency and coordination. As the scale and capability of cyber actors proliferates, the relationship between state and non-state actors becomes more obfuscated, and the potential security debt of new clean infrastructure compounds the security gap. Therefore, private organisations and government need to work even more effectively together to secure the energy sector and will need to make the most of all the resources at disposal to protect national security and way of life. Cyber security should be a board level priority, recognising that cyber security is a critical enabler of public trust, resilience and competitive advantage. Collective cyber capabilities can deliver a secure net zero transition and enable the UK to keep pace with the evolving risks.
DESNZ, Ofgem, NESO, and the NCSC, the ‘Quad partners’, each play a crucial role working with energy organisations to improve the cyber security and resilience of the sector. Recognising the scale of the challenge, the government and these organisations need to work together to drive cyber security and resilience across the energy system.
In response to the escalating cyber threat, sector transformation, and evolving regulatory landscape, the Quad partners believe a coordinated approach is essential to enhance cybersecurity and resilience across the energy sector. Consequently, the Quad partners have decided to advance this together through a joint cyber strategy and activities to be delivered working hand in hand with industry.
The Quad partners will remain as independent organisations with clear roles and responsibilities but will leverage collective resources to focus on the most impactful initiatives and work together to deliver these strategic outcomes to deliver significant improvements in cyber security and resilience across the energy sector.
Figure 1: Quad partner roles and responsibilities
DESNZ:
The lead government department for energy, responsibilities include:
Ofgem:
The energy regulator for Great Britain’s DGE, responsibilities include:
NCSC:
The national technical authority for cyber security, responsibilities include:
NESO:
The independent public corporation at the centre of the energy system, responsibilities include:
The energy sector is undertaking a rapid transformation to meet the UK's CP2030 ambition, marked by unprecedented infrastructure development, a significant increase in renewable generation, and extensive digitalisation. The sector is also supported by a highly interconnected and complex supply chain, which is becoming increasingly critical to its security and resilience.
To navigate this evolving landscape, it is essential to understand how these changes impact critical elements of the system. The UK Government must assess how the interconnected nature of the new energy network, combined with existing and emerging cyber threats, shapes the risks the UK faces. This assessment will inform the actions needed to bridge the gap between the current state and the desired future state.
It is vital that the UK Government work hand in hand with industry and its supply chain to understand relationships and interconnections across the system. The government also need to assess the risks they pose and what needs to be done to bridge the gap between where they are and where they need to be. As part of this scoping work, they will consider baseline cyber hygiene measures such as Cyber Essentials (CE) as a core factor, ensuring alignment with wider government expectations while maintaining a high-level principle-based approach. If they do not fully understand the complexities of the increasingly diverse, complex, interconnected, and digital, energy and supply chain system, they will not be able to mitigate against the vulnerabilities these complexities introduce.
By the end of 2026, the government will have increased understanding of cyber security risks across the most critical parts of the energy system and ensured they have robust processes to identify and prioritise operators across the sector.
By the end of 2026, the UK Government will have developed preliminary supply chain security principles to support operators and suppliers meet their expectations and manage supply chain risks effectively.
By the end of 2027, the UK Government will have built capability to engage with and assess the energy supply chain, supported existing Operators of Essential Services (OES) with managing their supply chains, and influenced legislation that will enable them to directly regulate critical suppliers.
By the end of 2030, the UK Government will have designated critical suppliers and scoped appropriate maturity targets for them.
The threat landscape has evolved rapidly. The heightened risk to CNI and the increased targeting of the technologies that underpin the energy system are being repeatedly highlighted. NCSC reporting and recent global events have shown that the energy sector is a particularly attractive target for attacks of increasing sophistication – including advanced capability and state threat actors. The UK Government must work with industry to accelerate the baseline resilience of the energy sector.
Ministerial deadlines for cyber resilience targets have driven a significant uplift in the energy sector’s resilience. However, the current assessment of the threat landscape in the UK energy sector necessitates a further increase in cyber resilience pace. The Quad partners expect operators to prioritise acceleration of plans for the assets they deem most critical and deliver against them as soon as possible. Wherever possible, the UK Government encourage operators to do this ahead of ministerial deadlines.
To achieve the government’s CP2030 ambitions, the energy sector is transitioning at pace and taking vital steps to unlock necessary flexibility to deliver net zero, making the network increasingly interconnected and digitised. As new entrants join the market there is a risk that organisations and sectors crucial to the transforming energy system lack proportionate cyber resilience requirements or aren’t developed to be secure by design.
Therefore, the Quad partners aim to increase resilience across the whole energy system through evidence-based prioritisation, legislative reforms, and consideration of appropriate regulatory tools ranging from guidance and engagement to licensing or other suitable vehicles. These measures will ensure that services and operators, even the ones that are not under the scope of the NIS regulations, have a baseline level of cyber resilience that they can build on based on their individual risk context. Early engagement in new energy infrastructure is essential to ensure that key assets are secure by design, considering both system impacts (for example, grid stability) and consumer impacts (for example, price and consumer confidence). Leveraging new legislative powers through the proposed CSRB if necessary, the Quad partners will ensure that the scope of the NIS regulations keeps pace with the energy sector transition.
By the end of 2027, the UK Government will assess the NIS Regulatory thresholds, including whether new critical sub-sectors are captured, revising via secondary legislation if necessary (subject to CSRB Royal Assent and consultation), to keep pace with the rapidly evolving energy system.
By the end of 2027, for DGE and 2028 for OUG the UK Government will have supported NIS OES to prioritise accelerated maturity for their most critical systems and considered appropriate cyber maturity roadmaps to protect these assets from advanced threats.
By the end of 2027, the UK Government will have engaged with the industry to promote security by design in new infrastructure, they will have consulted on re-shaping cyber regulation in DGE, and have shaped proposals for introducing baseline cyber resilience requirements for all Ofgem licensees, with an initial proposal – subject to consultation – for these to use CE as the starting point.
By the end of 2030, they will also have ensured that cyber resilience is raised across the whole DGE system by introducing a baseline level of cyber resilience to all involved parts.
Adversaries are growing increasingly sophisticated in their capabilities. No matter how high they raise UK defences, a sufficiently determined and capable actor will be able to find a way through them. The UK Government need to strike the right balance of preventing adversaries from getting access to UK systems, while at the same time ensuring that if they do, detect them as soon as possible and take swift action. The government will encourage more reporting of cyber incidents below NIS thresholds and clarify reporting expectations of companies that experience cyber incidents. The UK Government must be prepared to detect, respond to and recover from sophisticated cyber-attacks or systemic incidents to avoid catastrophic impacts to the UK if such incidents were to occur.
Therefore, the Quad partners will drive improved threat detection capabilities within the sector through advanced monitoring and comprehensive testing of security measures and the exercising of cross-cutting incident response plans. Also, they will investigate how to enhance government and industry’s ability to prevent, detect, respond and recover from sophisticated cyber-attacks and safeguard the energy system.
By the end of 2026, they will have delivered a cross industry and government exercise to test collective capabilities and processes in responding to a sophisticated cyber attack on Great Britain’s energy system.
By the end of 2026, they will have scoped a capability to raise the sectors’ ability to detect adversaries so that, even when defences fail, they are aware as soon as possible and can act promptly. A pilot will be delivered in 2027 and by 2028 deliver this capability in full.
By the end of 2030, the sector will have access to a capability that allows for advanced capability testing schemes to prove their defences. The UK Government recommend that this is to be based on established schemes such as the Cyber Adversary Simulation (CyAS) Scheme.
While NIS regulations have driven considerable improvement across the energy sector, further steps are required to close regulatory gaps and ensure operators in scope of NIS are under effective oversight.
NIS operators must achieve full compliance with the NIS regulations and existing ministerial targets. The CSRB will enable cyber regulators to be more effective, with expanded and more timely incident reporting of harmful cyber attacks, a stronger mechanism for government to set priority outcomes for them to work to, and a fuller toolkit for sharing information, recovering costs and enforcement. In conjunction, the Quad partners will increase regulator capability and capacity. This will be supported through new frameworks that will recommend deeper assurance approaches, such as CyAS, and the use of recognised industry providers, such as Cyber Resilience Audit (CRA) providers.
By the end of 2026, the UK Government will have strengthened regulatory capacity through access to assured industry providers, to support stronger cyber assurance processes.
By the end of 2027, the UK Government will have ensured all relevant operators, as permitted by current regulatory levers, are designated under NIS.
By the end of 2026 for DGE and 2027 for OUG, the government will have developed new assurance frameworks to provide deeper and proportionate cyber oversight.
The Quad partners will leverage respective expertise and collective resource to accelerate the resilience of the sector. The Quad partners consider that a regulatory compliance approach only goes so far and will not drive the shift in culture required to secure the UK energy system. Therefore, they will work with industry to help them better understand moderate and advanced cyber threat capabilities, increase the pool of skilled, security-cleared cyber professionals, collaborate with academia, and drive a risk-rather than compliance-driven culture in organisations and at board level. The UK Government will work with industry to drive cyber security up their board’s agenda and engage CEOs directly on cyber risk, encouraging the adoption of the government’s Cyber Governance Code of Practice to support risk owners in managing cyber risk effectively.
The cyber threat is acute and globally pervasive. No nation can address this threat in isolation. It is addressed through robust international collaboration – sharing intelligence, harmonising standards and building mutual resilience. The Quad partners remain committed to working with international partners to understand and manage risk effectively. It will work with partners to minimise regulatory burdens on industry and develop common languages for talking about cyber security.
The UK Government will maintain a cross-industry Energy Security and Resilience Taskforce, comprised of energy sector CEOs and chaired by the Minister for Energy, to drive accountability at CEO level.
By the end of 2027, the UK Government will have fostered a cyber and security culture centred around risk, collaboration, capability (specifically related to bridging the gap between OT engineering and cyber), and intelligence to accelerate resilience.
By the end of 2028, they will also have delivered a CEO tabletop exercise to ensure practical understanding of cyber risks.
This strategy is intended as a clear statement of intent across the 4 organisations, driving the UK approach to cyber security and resilience. The delivery of its ambition will rely on continued collaboration across the organisations, with industry leaders, and international partners. The UK Government will regularly review progress against outcomes and ensure they are driving the change required to ensure the energy sector is resilient to the threats the UK face now, and in the future.
Source: UK Government: https://www.gov.uk/government/publications/energy-sector-cyber-security-strategy
The Critical Supply Group consists of companies and professionals committed to secure and resilient critical supply chains. CSG is managed by MAP UK & International. For more details, including how to get involved, or to make contact with any of the entities involved, please email info@mapukinternational.com.