UK tightens energy cyber security rules after attacks

The UK government has unveiled plans to strengthen energy cyber security rules across the electricity and gas sectors, following a series of attacks on critical infrastructure in Europe. The move comes after a significant cyber incident targeting solar power plants in Poland, highlighting vulnerabilities in modern energy systems.

Rising threats to energy infrastructure

Officials warned that the evolving energy landscape has made the entire system an “attractive target” for cyber adversaries. With increasing reliance on distributed energy resources such as solar and storage, risks have expanded beyond traditional large-scale operators.

The proposed energy cyber security rules aim to address these emerging threats by broadening protections across the sector. Industry stakeholders have been invited to participate in a consultation process, signaling a collaborative approach before final regulations are introduced.

Expanding compliance across the sector

Under the new proposals, baseline cybersecurity requirements would apply to all licensed energy organizations, not just major operators. These rules are expected to align with the UK’s Cyber Essentials framework, focusing on key areas such as firewalls, secure configurations, access controls, malware protection, and patch management.

The government is also considering revisions to the Network and Information Systems Regulations 2018, commonly known as NIS regulations. Initially introduced to regulate the largest energy providers, the framework may now expand to include a wider range of participants.

Possible changes to NIS thresholds

Current NIS thresholds apply to organizations exceeding specific capacity levels, such as 2 GW for electricity generators and 250,000 customers for transmission and distribution operators. However, officials acknowledged that the energy ecosystem has evolved significantly since 2018.

If thresholds are lowered or redefined, more companies could fall under stricter compliance requirements. This would likely increase operational costs, as newly regulated firms invest in cybersecurity infrastructure and risk management systems.

The updated energy cyber security rules could therefore reshape how both large and small players approach digital resilience in the energy market.

Industry consultation underway

The consultation process will remain open until May 22, 2026, giving stakeholders time to provide feedback on the proposed changes. The initiative is being led by the Department for Energy Security and Net Zero, which emphasized the importance of proactive defense in a rapidly digitizing energy sector.

As cyber threats grow more sophisticated, the UK’s push for stricter regulations signals a broader shift toward safeguarding critical infrastructure and ensuring long-term energy security.