UK defining stronger energy cybersecurity rules after Poland attack

The UK government wants to strengthen cyber security rules for its electricity and gas sectors, following recent attacks on energy infrastructure in Europe.

The proposals follow a recent, successful attack on energy infrastructure in Poland that the UK government cited as evidence that the entire energy system is now an “attractive target” for adversaries. Industry stakeholders are being asked to share their views on cyber security ahead of potential changes that would affect downstream electricity and gas organizations.

The plans to expand the scope of cyber security regulations would apply baseline requirements to all licensed energy organizations. New rules have not been finalized but they will likely be based on the government’s Cyber Essentials scheme with a focus on firewalls and internet gateways, secure configuration, user access controls, malware protection and patch management, according to an industry consultation.

In addition to new baseline rules, thresholds for compliance with the more stringent UK Network and Information System (NIS) Regulations may also be adjusted. Introduced in 2018, the regulations focus on the largest operators who provided the majority of gas and electricity services.

The UK government has acknowledged that the energy system has changed since NIS regulations were introduced, with a broader range of organizations playing an increasingly important role in delivering energy services and system balancing.

Under current rules, organizations must comply with NIS Regulations if they exceed a set capacity threshold or they are specially designated by the industry regulator. These are set at 2 GW cumulative capacity for electricity generators, 250,000 end customers for transmission and distribution operators, and 1 GW for interconnectors, among others. These thresholds could be adjusted following a planned review.

If the thresholds are changed, organizations brought into scope may need to fund a range of activities related to compliance and are likely to require additional security spending, according to the UK government.

Industry stakeholders are invited to submit their views to the UK government by May 22, 2026. The full consultation document, Department for Energy Security and Net Zero (2026) Reshaping Cyber Regulation in Downstream Gas and Electricity, is available from the UK government’s website.
