UK Cyber Security and Resilience Bill: implications for the UK electricity sector
Introduction
Forming the backbone of the UK’s critical national infrastructure, the UK electricity sector sits at the sharp end of the UK’s cyber risk profile. The cyber threat has intensified in recent years, with hostile states and criminal groups targeting an increasingly digital power grid built on interconnected operational technology (OT) and IT systems. The National Cyber Security Centre (NCSC) has reported a sharp rise in nationally significant incidents and warns that geopolitical tensions could drive a further step-change in risk. Concurrently, grid modernisation, including increased distributed energy resources (e.g. electric vehicles, storage, smart appliances), greater grid flexibility, and the convergence of OT and IT, has expanded the attack surface for potential cyber threats, heightening national security concerns in the electricity ecosystem.
It is against this context that the Cyber Security and Resilience Bill (CSRB) overhauls the UK’s cross-sector cyber regime by amending the Network and Information Systems Regulations 2018 (NIS). The CSRB widens the scope of regulation, tightens incident reporting, and adds forward-looking powers for the UK government to specify additional requirements where national security is at risk. Within the electricity sector, the changes will affect entities already regulated under NIS (the existing operators of the essential services of supplying, transmitting, or distributing electricity) and will also bring previously unregulated entities into scope under the new essential service of “large load control” and impose new duties on managed service providers (MSPs).
This article first outlines the key insights and implications that matter most to in-house legal and commercial teams within the electricity sector, then explores changes in scope, requirements, and enforcement in detail. It also considers how the CSRB compares with EU NIS2, and highlights expected timelines and areas of uncertainty.
It should be noted that as at the date of publication, the Bill is at report stage in the House of Commons[1], subject to further amendment. Accordingly, some specifics may still change as it passes through Parliament (with secondary legislation to follow).
Essential takeaways
- Recognise new exposures: who (and what systems) will be newly in scope. Entities in the sector not currently regulated should consider whether they (or their key suppliers) may fall in scope under the CSRB, particularly if they are involved in services such as load control or providing services which require access to a customer’s IT or OT systems. Newly regulated entities will need to notify the relevant regulator of their status within three months of entering scope. Entities already in scope should also consider whether the load control changes affect which of their systems are now regulated, and whether their key suppliers or other counterparties will be newly regulated under the Bill, as this may affect how cyber risk is managed within contractual relationships and across the supply chain.
- Prepare for broader incident reporting: serious cyber incidents that do not necessarily affect service continuity are increasing. These include espionage-motivated intrusions, near misses, pre-positioning, and events such as the Salt Typhoon intrusion into US telecoms. In response, the CSRB significantly broadens how incidents are defined and seeks to lower the thresholds for reporting them. These changes widen the focus beyond continuity of essential services to the operation and security of systems as a whole, meaning they are likely to require changes to incident response processes and policies. (See the detailed comparative table below for specific changes to incident definitions and reporting obligations.)
- Anticipate the government’s broad new power of direction: Regulated entities should familiarise themselves with the UK government’s new (and unprecedented) power to direct them to take actions where a security or operational compromise (or threatened compromise) to a system results in a risk to national security. Organisations should put in place internal governance processes to manage such extraordinary orders, including legal and board-level checks to ensure the government is acting within its powers and robust internal escalation so that directions can be handled swiftly. Entities should also assess under what conditions, if any, they might challenge a direction that significantly runs counter to their interests.
- Embed strategic cyber resilience now, not later: As high-level primary legislation, the CSRB leaves substantial detail to be determined. The government’s new powers to create further regulation mean that all participants in the sector (whether currently regulated or not) must keep a close eye on and help shape regulatory developments. Affected entities should seek to participate in the Department for Science, Innovation and Technology (DSIT) consultation on CSRB implementation due in Summer/Autumn 2026, and monitor any updates to guidance such as the NCSC’s Cyber Assessment Framework (CAF) and the energy sector-specific guidance provided by the Department for Energy Security & Net Zero (DESNZ) and Ofgem. In parallel, boards and senior leadership should elevate cyber resilience in corporate strategy and risk management. Even before commencement, affected entities should be conducting gap analyses, training decision-makers, revisiting contractual provisions (to leverage the new supply-chain focus), and ensuring incident response plans account for the new reporting timelines and government intervention powers.
Changes in scope
Large load controllers
Whether or not an entity in the electricity sector comes within the scope of NIS as an operator of an essential service (OES) depends on a detailed analysis of that entity’s activities against the categories and thresholds set out in the electricity subsector (Schedule 2 of NIS). This process remains broadly the same once the CSRB comes into effect, albeit with “large load controllers” added as a new category of electricity OES in Schedule 2.
For context, the current categories of OES in the electricity subsector (and their thresholds) are:
- Electricity supply: entities responsible for the commercial, technical, or maintenance tasks related to supplying electricity to more than 250,000 final customers (i.e. customers purchasing electricity for their own use) or generating/supplying >=2GW (across the entity and its affiliates’ generation) into a transmission system.
- Electricity transmission: entities operating, maintaining, and (if necessary) developing a high-voltage transmission system delivering electricity to distributors or final customers, with the potential to disrupt >250,000 final customers; also holders of offshore transmission licences with systems connecting >2GW of generation capacity; and interconnector licence holders where the interconnector capacity >=1GW.
- Electricity distribution: entities operating and maintaining a distribution system (at any voltage) delivering electricity to wholesale or final customers, with potential to disrupt >250,000 final customers.
The CSRB adds the new OES category of “large load controllers” alongside these existing electricity categories, with a DSIT policy paper issued on 12 November 2025 explaining the rationale for their inclusion[2] (i.e. to address new grid management models like flexible demand response and widespread distributed energy resources). An entity will be regulated under this new category (in both Great Britain and Northern Ireland) if it is a load controller whose potential electrical control in relation to relevant energy smart appliances (ESAs) managed by the controller is >= 300MW. To unpack this:
- Relevant ESAs can be: (i) an electric vehicle; (ii) a charge point (for EVs); (iii) an electrical heating appliance; (iv) a battery energy storage system; or (v) a virtual power plant.
- Load control means sending electronic signals to an ESA for the purpose of adjusting the immediate or future flow of electricity into or out of that ESA (including via software or other systems).
- Potential electrical control is the aggregate of (a) the maximum flow of electricity into all the relevant ESAs together, and (b) the maximum flow out of all those ESAs, achievable in response to the load controller’s signals.
- A relevant ESA is “managed” by an entity if the entity controls its electricity flow via load control signals. If an intermediary sends load control signals under a load controller’s direction, the ESA is treated as managed by the load controller (and not the intermediary) unless the intermediary has discretion to adjust those signals (in which case the intermediary is also a load controller, and the ESA is treated as managed by both parties).
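As an added worked example (not part of the original article, and not DESNZ, Ofgem or DSIT tooling), the following Python applies the four definitions above to a constructed fleet of ESA cohorts: it attributes each ESA to the entity or entities that “manage” it (including the intermediary-with-discretion rule), aggregates maximum import and export flows into a potential electrical control figure, and compares that against the 300MW threshold. Entity names, cohort sizes and per-unit kW figures are hypothetical, and the result illustrates the mechanics only; it does not replace the entity-by-entity assessment the article describes.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Threshold from the Bill: potential electrical control of 300 MW or more.
# Figures are kept in integer kW to avoid floating-point drift when summing.
THRESHOLD_KW = 300_000


@dataclass(frozen=True)
class EsaCohort:
    """A group of identical relevant ESAs (EVs, charge points, electrical heating,
    battery storage, virtual power plants) subject to load control signals."""
    label: str
    kind: str
    count: int
    max_import_kw: int                  # max flow INTO each ESA achievable on signal
    max_export_kw: int                  # max flow OUT OF each ESA achievable on signal
    controller: str                     # load controller directing the signals
    intermediary: Optional[str] = None  # party that physically sends signals, if any
    intermediary_has_discretion: bool = False


def managing_entities(cohort: EsaCohort) -> frozenset[str]:
    """Attribution rule: an intermediary relaying signals under a load controller's
    direction does not 'manage' the ESA unless it has discretion to adjust those
    signals, in which case the ESA is managed by both parties."""
    if cohort.intermediary is not None and cohort.intermediary_has_discretion:
        return frozenset({cohort.controller, cohort.intermediary})
    return frozenset({cohort.controller})


def potential_electrical_control_kw(entity: str, fleet: list[EsaCohort]) -> int:
    """Aggregate of (a) max import and (b) max export across all ESAs the entity manages."""
    return sum(
        c.count * (c.max_import_kw + c.max_export_kw)
        for c in fleet
        if entity in managing_entities(c)
    )


def large_load_controllers(fleet: list[EsaCohort],
                           threshold_kw: int = THRESHOLD_KW) -> dict[str, float]:
    """Return {entity: potential control in MW} for every entity at or above threshold."""
    entities: set[str] = set()
    for c in fleet:
        entities |= managing_entities(c)
    in_scope: dict[str, float] = {}
    for e in sorted(entities):
        kw = potential_electrical_control_kw(e, fleet)
        if kw >= threshold_kw:
            in_scope[e] = kw / 1000
    return in_scope


# Constructed sample fleet: hypothetical entity names and figures for illustration.
SAMPLE_FLEET = [
    EsaCohort("grid-scale battery", "battery energy storage system", 1, 50_000, 50_000,
              controller="OptimiseCo"),
    EsaCohort("home charge points", "charge point", 20_000, 7, 0,
              controller="OptimiseCo", intermediary="ChargeNet",
              intermediary_has_discretion=True),       # ChargeNet may reshape signals
    EsaCohort("heat pumps", "electrical heating appliance", 30_000, 4, 0,
              controller="FlexHeat"),
    EsaCohort("community VPP", "virtual power plant", 1, 0, 80_000,
              controller="ChargeNet"),
    EsaCohort("V2G van fleet", "electric vehicle", 5_000, 11, 11,
              controller="OptimiseCo", intermediary="FleetOps",
              intermediary_has_discretion=False),      # FleetOps only relays signals
]


if __name__ == "__main__":
    for name, mw in large_load_controllers(SAMPLE_FLEET).items():
        print(f"{name}: {mw:.0f} MW potential electrical control -> large load controller")
```

In the sample, OptimiseCo reaches 350MW (100MW battery, 140MW of charge points counted even though ChargeNet relays the signals, and 110MW of V2G vans counted only to OptimiseCo because FleetOps has no discretion), so it is a large load controller. ChargeNet totals 220MW (the same 140MW of charge points, counted to it as well because it has discretion, plus its 80MW VPP) and stays below the threshold, as do FlexHeat at 120MW and FleetOps at zero.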
The impact of these changes will need to be assessed individually for each entity, and confirmation can be sought from DESNZ (per its NIS policy guidance) on whether a given entity is in scope. However, some broad observations can be drawn about adding large load controllers to NIS. This category clearly aims to capture the widening market for distributed and localised energy resources, such as battery storage aggregators and virtual power plant operators. It also reflects the increasing use of flexible energy technologies and demand-side management to adapt to grid demands. In practice, there is likely material overlap between companies providing load control services and those providing supply services. For example, an optimiser controlling the load from a battery energy storage system is often also selling the electricity discharged from that battery to customers.
Despite this overlap, two important implications stand out:
- The threshold for load control (300MW) is significantly lower than that for electricity supply (2GW), bringing smaller aggregators/optimisers who are not caught by the supply thresholds into scope.
- While an entity performing load control may already be regulated by virtue of supplying electricity, the new category expands which of that entity’s systems must meet NIS security standards, to include systems on which it relies to perform load control.
Operators in the electricity sector should accordingly consider how the new category of load control affects them and determine whether they are newly within scope or (if already regulated) whether additional systems and processes supporting load control activities are now subject to NIS security duties.
Relevant Managed Service Providers (RMSPs)
One of the most significant expansions in scope under the CSRB is the addition of “Relevant Managed Service Providers” (RMSPs), reflecting the importance of IT management service providers to the UK’s cyber resilience. For electricity industry operators, this change can actually be beneficial: bringing certain IT suppliers into scope will facilitate negotiation of strong contractual clauses for improved supply chain resilience and should aid coordination during incidents (given RMSPs are obliged to notify any customers adversely affected by an incident at the RMSP).
However, “managed service” is defined broadly. As currently drafted, the RMSP concept applies more widely than one might expect as it potentially covers many arrangements where one party has access to another’s IT or OT systems, even beyond traditional third-party IT outsourcing. For example, a battery manufacturer providing ongoing support and maintenance for its own equipment might be classed as an RMSP if that support involves accessing and managing the customer’s operational technology (e.g. battery control systems) that the owner relies on for their business operations.
Once classified as an RMSP, an entity will be subject to a similar (but distinct) suite of obligations to OESs and relevant digital service providers (RDSPs) under NIS. These include a security duty covering the systems it uses to provide the managed service, an obligation to have regard to Information Commissioner’s Office (ICO) guidance, and incident notification obligations. Suppliers into the electricity sector should assess whether they might be considered RMSPs under this wide definition and, if so, put in place the necessary measures, policies and processes to ensure compliance with CSRB’s requirements.
Critical suppliers
The final new category of regulated entity under the CSRB relevant to the electricity sector is “critical suppliers.” These are suppliers to OESs, RDSPs or RMSPs not otherwise regulated by NIS, but which a competent regulator may designate as critical if an incident affecting the supplier’s networks could disrupt an essential service, digital service, or managed service, and such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the UK (or a region of the UK).
The duties applicable to designated critical suppliers (including security duties and incident reporting) are still to be determined under future regulations. However, the impact of this new category is expected to be similar to the RMSP inclusion: it provides operators with further supply chain assurance (and leverage) and brings additional key suppliers into scope. Designated suppliers will likely face obligations similar to those on OESs and RMSPs, bridging a previous gap in the ecosystem and reinforcing the need for rigorous supply chain cyber risk management at industry level.
Changes in requirements
Security duty
The core security duties on OESs set out in Regulation 10 of NIS are largely unamended, although two small but important changes are made by the CSRB which are not immediately obvious from the face of the Bill. The first originates from the amendment to the definition of “incident” at section 15(2) of the CSRB, which is broadened (i) to cover events capable of having (rather than only those that actually have) an adverse effect on systems, and (ii) to cover the operation as well as the security of systems. The second change, via a minor amendment in Schedule 2 of the CSRB, adjusts the Regulation 10(2) security duty (to prevent and minimise the impact of incidents) so that it is no longer focused solely on ensuring the continuity of essential services.
These changes reflect a broader shift in the CSRB: incident prevention and mitigation is no longer just about service continuity; it must guard against system compromise and latent risks even in the absence of immediate service disruption. OESs should ensure their cyber security measures (technical, procedural, and governance) implemented to comply with this duty account for the broader risk focus under the CSRB (for instance, emphasising breach containment and recovery as much as continuity).
Incident reporting
One of the key changes under the CSRB is a new incident reporting regime to replace the existing NIS approach. In short, it mandates faster and more frequent reporting of incidents, and covers a wider range of incident types. We summarise the changes to the regime for OESs in the table below (the new regimes for RDSPs and RMSPs are largely equivalent). Regulated entities should ensure that their incident response processes and policies are aligned to the new regime.
| Reporting requirement | NIS | CSRB |
|---|---|---|
| Definition of incident | Any event having an actual adverse effect on the security of network and information systems. | Any event having, or capable of having, an adverse effect on the operation or security of network and information systems. |
| Threshold for notification | Any incident which has a significant impact on the continuity of the relevant essential service. Factors: number of users affected; duration; geographical area of impact. | Any incident: (i) which has affected or is affecting the operation or security of the systems relied on to provide the essential service; and (ii) whose impact in the UK (or part of it) has been or is likely to be significant. Factors: same as NIS plus extent of disruption to the service, and whether any user data has been or is likely to be compromised. |
| Notification timing | Within 72 hours of awareness that an incident has occurred. | Two-tier: initial notification within 24 hours of awareness, and full notification within 72 hours. |
| Information to be provided in notification | Single notification: OES’s name and essential services, time and duration of incident, information on nature and impact, cross-border impact, any other helpful info. | Initial notification: OES’s name and essential services; brief details of incident. Full notification: similar to NIS content plus, if caused by another regulated entity’s incident, details of that incident and entity. |
| Notification recipients | OES must notify Ofgem. Ofgem shares info with NCSC. | OES must notify Ofgem and send a copy directly to NCSC. |
New regulations and codes of practice
The CSRB provides the government with numerous powerful tools to expand and continuously update cross-sector cyber regulation. These include the ability to specify any activity as an “essential activity” (if it is essential to the UK economy or daily life) and to make regulations relating to the security and resilience of network/information systems used in essential activities. Regulating via secondary legislation allows the government to update requirements more quickly than using primary legislation. Notably, “essential activities” include existing essential services and managed services, meaning this power can be used to expand requirements on OESs and RMSPs over time. The explanatory notes to the Bill indicate this could include, for example, mandatory steps to strengthen system resilience against particular risks from emerging technologies.
The CSRB also empowers the government to issue codes of practice (following consultation and Parliamentary procedure). Failure to comply with such a code will not itself be a regulatory breach, but regulators and courts must take codes into account where relevant. Thus, these codes will effectively become quasi-binding standards in practice. For OESs in the electricity sector, it will be important to monitor changes to DESNZ and Ofgem policy and guidance[3], and the NCSC’s CAF[4], to ensure ongoing compliance as expectations evolve. (DESNZ and Ofgem recently released a consultation[5] on the future of cyber regulation in downstream gas and electricity (closing on 22 May 2026), proposing baseline requirements for all Ofgem licensees and additional obligations for the most significant operators, providing industry with an opportunity to shape the direction of travel.)
Power of direction
The CSRB introduces a new last-resort power for the government to direct regulated entities to take (or refrain from) specific actions where the government considers that: (i) the occurrence or threat of a serious security or operational compromise in a relevant network/information system gives rise to a risk to national security; and (ii) issuing the direction is necessary and proportionate in the interests of national security.
This is a potentially sweeping power (particularly given the inherent breadth of the concept of “national security”). While it will generally arise in the context of an actual incident (e.g. a major cyber attack or a crisis affecting critical services), the inclusion of “the threat” of a compromise means it could also be invoked in situations such as known but unremediated zero-day vulnerabilities or systemic security deficiencies. The required actions under such a direction could even override other regulatory requirements (for example, a direction might require delaying compliance with certain data protection notification obligations). In addition, the CSRB allows the government to impose confidentiality requirements, potentially gagging the regulated entity from disclosing the existence or content of the direction (even to the market or possibly to counterparties).
While the threshold for issuing a direction is expected to be very high and the power used by the government only as a last resort, regulated entities should establish internal governance processes to ensure any direction can be assessed and acted upon rapidly. This should include clear chains of command and a legal review of the lawfulness and proportionality of the direction, to assess whether grounds exist for challenge if compliance would seriously conflict with the entity’s interests (e.g. unjustified commercial harm). From a strategic perspective, boards should plan scenario exercises where such a government direction is received, ensuring they can balance national security demands with their duties to shareholders and customers under extreme time pressure.
Changes to enforcement
The primary change of note the CSRB makes to the NIS enforcement regime is an increase to the maximum penalties for non-compliance. Under NIS, maximum penalties were fixed sums set in bands, from £1m for non-material contraventions, through £8.5m for material contraventions not creating significant risk or impact, up to £17m for material contraventions creating significant risk or impact.
The CSRB replaces this with a simplified two-tier structure: (i) a “standard maximum” of the greater of £10m or 2% of worldwide turnover; and (ii) a “higher maximum” of the greater of £17m or 4% of worldwide turnover. (These broadly align with EU NIS2’s maximum penalties, and are calibrated similarly to GDPR fines in signalling the seriousness of complying with security obligations.) The higher maximum generally applies for breaches of core obligations under NIS (for example failing to meet OES security duties under Regulation 10, or failing to notify an incident under Regulation 11).
The only exception is that failing to comply with a government direction (under the new power described above) can lead to penalties up to an even higher maximum: the greater of £17m or 10% of global turnover. This outlier reflects the gravity with which national security-related breaches will be treated.
Comparison with NIS2
While this article does not analyse the comparative regimes of the CSRB and the EU’s NIS2 in detail, it is clear that divergence between the regimes is increasing. Broadly, the CSRB takes an evolutionary, iterative approach, retaining many concepts of the original NIS, whereas NIS2 replaces the EU’s framework wholesale with a significantly expanded and updated regime. As a result, and due to fundamental differences in how scope is defined, some entities in scope of one regime may not be in scope of the other, even within overlapping sectors.
For organisations subject to both the UK and EU regimes, it should be feasible to implement a common security and incident response framework that satisfies both CSRB and NIS2 requirements. However, these businesses will need to track analyses of each regime and any diverging regulator expectations in parallel, and ensure their measures meet the “high water mark” across the two. (Notably, NIS2 introduces explicit board-level responsibilities; the CSRB currently does not, but UK regulators and codes of practice could indirectly move in a similar direction.)
Implementation and commencement
The provisions of the CSRB will come into effect in a staged implementation:
- On Royal Assent (Day 1): the Government’s new powers to make additional regulations (the “future-proofing” powers) and an obligation on DSIT to lay a post-implementation review report before Parliament take effect.
- Two months from Day 1: new information-sharing provisions between Government and regulators and an obligation on DSIT to issue a statement of strategic priorities will come into effect.
- By further regulations: all other substantive provisions (including most of the changes discussed in this article) will come into effect on dates specified in one or more future statutory instruments.
Accordingly, no major new compliance obligations for regulated entities will come into force immediately on Day 1. The Government intends to consult on the implementation timeline and supporting measures during 2026, and affected entities should engage in that consultation to help shape a realistic commencement schedule that affords operators adequate time to attain compliance.
Conclusion
The CSRB seeks to reinforce UK cyber regulation for the electricity sector’s increasingly flexible, digital, and interconnected environment. It represents a fundamental shift in regulatory philosophy, expanding the regulatory perimeter from individual operators to broader ecosystems, and moving from a focus on continuity alone to a holistic view of compromise prevention and resilience. By drawing large load controllers, RMSPs, and critical suppliers into scope, the CSRB spreads the compliance burden more broadly across the energy supply chain, which could ultimately be beneficial for existing OESs through improved sector-wide security baselines and risk sharing.
For entities already in scope, the CSRB’s requirements clearly signal a shift from focusing purely on service continuity towards addressing a broader set of incident types (including threats to data and system integrity). The government is also equipping itself and regulators with more flexible and powerful tools (from agile secondary legislation to national security directions) to adapt to the ever-changing threat landscape.
Recognising that much of the CSRB’s detailed impact and timing remains to be determined, participants in the electricity sector should nonetheless plan their next steps now. Assess how technical and procedural measures will need to adapt in light of the CSRB, ensuring robust governance and board-level oversight of cyber resilience strategy. As the sector awaits further guidance and commencement dates, regulated entities should monitor official announcements from DESNZ and the relevant regulators. In the meantime, organisations should consider what strategic investments or policy changes may be needed to strengthen their cyber resilience ahead of the formal compliance deadlines.
[1] MPs’ proposed amendments to the Bill: Report stage amendments on Cyber Security and Resilience (Network and Information Systems) Bill, Parliamentary Bills, UK Parliament.
[2] Large load controllers, GOV.UK.
[3] DESNZ NIS Policy Guidance: DESNZ Policy Guidance for the Implementation of the Network and Information Systems Regulations. Ofgem OES Guidance: NIS Directive and NIS Regulations 2018: Ofgem guidance for Operators of Essential Services, Ofgem.
[4] NCSC CAF: Cyber Assessment Framework, NCSC.GOV.UK.
[5] Ofgem consultation: Whole energy cyber resilience requirements: reshaping cyber regulation in downstream gas and electricity, GOV.UK.