Utilities & Energy CSRB Compliance Guide

Complete guide to Cyber Security and Resilience Bill compliance for Electricity, Gas, Water, and Energy Providers. Understand OES obligations and load controller requirements under Bill 329.

Sector Overview

Utilities and energy infrastructure are fundamental to modern society - powering homes, businesses, and critical services. Electricity, gas, and water networks are essential services that keep the country running, and their operators are already regulated as Operators of Essential Services (OES) under the NIS Regulations. The Cyber Security and Resilience Bill (Bill 329) amends those Regulations, strengthening the duties on existing OES and, in addition, bringing large load controllers into scope for the first time.

Critical National Infrastructure: Utilities and energy infrastructure are recognised as critical national infrastructure, making them high-value targets for cyber attacks. CSRB strengthens requirements for protecting these systems.

Utility & Energy Sectors in Scope

Under the NIS Regulations (as amended by Bill 329), the following utility and energy sectors are regulated as essential services:

Electricity

Electricity generation, transmission, distribution, and supply operators

Gas

Gas transmission, distribution, and supply operators

Water

Water supply, treatment, and distribution operators

You're likely in scope if you operate:
  • Electricity generation, transmission, distribution, or supply services
  • Gas transmission, distribution, or supply services
  • Water supply, treatment, or distribution services
  • Any of the above at or above the threshold requirements in Schedule 2 of the NIS Regulations (automatic OES status), or
  • A service below those thresholds that the designated competent authority nonetheless designates because it is essential to the economy or day-to-day functioning of society

The security duties then attach to the network and information systems on which the essential service relies, including the control and monitoring systems that support generation, transmission, treatment and distribution.

Load Controllers - New Regulation Under Bill 329

Part 2, Section 6 of Bill 329 adds load control as an essential service in the electricity subsector, so that large load controllers fall within the definition of Operators of Essential Services:

300 Megawatt Threshold

For the essential service of load control, the threshold requirement in the United Kingdom is a load controller whose potential electrical control, in relation to relevant energy smart appliances (ESAs) managed by the controller, is equal to or greater than 300 megawatts.

— Bill 329, Part 2, Section 6, Schedule 2, paragraph 1(5A)

What is Potential Electrical Control?

A load controller's potential electrical control is the aggregate of:

  • The maximum flow of electricity into all relevant ESAs managed by the controller (taken together), and
  • The maximum flow of electricity out of all relevant ESAs managed by the controller (taken together),

in each case the maximum that is capable of being achieved in response to load control signals sent by the load controller. The measure is therefore the flow that the controller's signals can actually bring about, not simply the rating of the appliances, and inflow and outflow are summed, so bidirectional devices such as batteries and vehicle-to-grid chargers count in both directions.

— Bill 329, Part 2, Section 6, Schedule 2, paragraph 1(5B)

What are Relevant Energy Smart Appliances (ESAs)?

Relevant ESAs include:

  • Electric vehicles
  • Charge points (for electric vehicles)
  • Electrical heating appliances (hydronic heat pumps, hot water heat pumps, hybrid heat pumps, direct electric hot water cylinders, electric storage heaters, heat batteries)
  • Battery energy storage systems
  • Virtual power plants

— Bill 329, Part 2, Section 6, Schedule 2, paragraph 1(5C)(a)

Intermediary Load Controllers:

Where load control signals are sent by an intermediary acting under the direction of or on behalf of a load controller, the relevant ESA is treated as managed by the load controller (not the intermediary) unless the intermediary is capable of adjusting or processing the signals and is authorised to do so - in which case both are treated as load controllers.

— Bill 329, Part 2, Section 6, Schedule 2, paragraph 1(5D), (5E)
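As an added worked example (not part of the Bill text or of this guide's original content), the following Python applies the paragraph 1(5B) aggregation rule and the paragraph 1(5D)/(5E) intermediary attribution rule to a constructed fleet. The fleet figures, the party names (AggregatorA, RelayCo, FlexCo) and the per-group fields are assumptions chosen for illustration; the 300 MW figure is the threshold quoted above. It shows why an operator that relays signals for a controller can end up with a potential electrical control of zero while one that is authorised to reshape those signals is counted alongside the controller.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Threshold quoted on this page from Schedule 2, paragraph 1(5A).
THRESHOLD_MW = 300.0


@dataclass(frozen=True)
class EsaGroup:
    """A group of relevant ESAs that receive load control signals together.

    Flows are the maximum MW that load control signals can actually bring
    about (paragraph 1(5B)), not the appliances' nameplate rating.
    All field names and figures are assumptions for this example.
    """
    kind: str
    max_inflow_mw: float                    # max flow INTO the appliances
    max_outflow_mw: float                   # max flow OUT (0 for one-way devices)
    controller: str                         # controller on whose behalf signals are sent
    intermediary: Optional[str] = None      # party relaying the signals, if any
    intermediary_can_adjust: bool = False   # capable of adjusting/processing signals
    intermediary_authorised: bool = False   # ...and authorised to do so


def treated_as_load_controllers(group: EsaGroup) -> Set[str]:
    """Parties treated as managing the group under paragraphs 1(5D) and 1(5E).

    A pure relay is ignored; only an intermediary that can adjust or process
    the signals AND is authorised to do so is counted alongside the controller.
    """
    parties = {group.controller}
    if (group.intermediary
            and group.intermediary_can_adjust
            and group.intermediary_authorised):
        parties.add(group.intermediary)
    return parties


def potential_electrical_control_mw(fleet: Iterable[EsaGroup], party: str) -> float:
    """Paragraph 1(5B): aggregate of max inflow plus max outflow over every
    group the party is treated as managing."""
    return sum(
        g.max_inflow_mw + g.max_outflow_mw
        for g in fleet
        if party in treated_as_load_controllers(g)
    )


def meets_threshold(fleet: Iterable[EsaGroup], party: str,
                    threshold_mw: float = THRESHOLD_MW) -> bool:
    """Paragraph 1(5A) says 'equal to or greater than', so the test is >=, not >."""
    return potential_electrical_control_mw(fleet, party) >= threshold_mw


# Constructed sample fleet (illustrative figures, not real operators).
SAMPLE_FLEET: List[EsaGroup] = [
    # 30,000 one-way 7.4 kW charge points = 222 MW inflow, relayed by RelayCo,
    # which cannot alter the signals, so RelayCo is not treated as a controller.
    EsaGroup("charge points", 222.0, 0.0, "AggregatorA", intermediary="RelayCo"),
    # 2,000 bidirectional EVs at 11 kW each way: both directions count.
    EsaGroup("electric vehicles (V2G)", 22.0, 22.0, "AggregatorA"),
    # 40 MW battery site operated through FlexCo, which can and may reshape
    # the signals, so both AggregatorA and FlexCo are treated as controllers.
    EsaGroup("battery energy storage", 40.0, 40.0, "AggregatorA",
             intermediary="FlexCo",
             intermediary_can_adjust=True,
             intermediary_authorised=True),
]


def scope_report(fleet: Iterable[EsaGroup]) -> Dict[str, Tuple[float, bool]]:
    """Potential electrical control and threshold result for every party named in the fleet."""
    groups = list(fleet)
    parties = {g.controller for g in groups}
    parties |= {g.intermediary for g in groups if g.intermediary}
    return {p: (potential_electrical_control_mw(groups, p), meets_threshold(groups, p))
            for p in sorted(parties)}


if __name__ == "__main__":
    for party, (mw, in_scope) in scope_report(SAMPLE_FLEET).items():
        verdict = "meets 300 MW threshold" if in_scope else "below threshold"
        print(f"{party:12s} {mw:7.1f} MW  {verdict}")
```

In the constructed fleet AggregatorA aggregates to 346 MW (222 + 44 + 80) and meets the threshold; FlexCo is attributed only the battery site (80 MW) and RelayCo nothing at all, because relaying signals without the ability and authority to change them does not make a party a load controller under paragraph 1(5D).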

Operator of Essential Services (OES) Identification

Under Part 2, Section 3 of Bill 329, Regulation 8 of the NIS Regulations identifies Operators of Essential Services:

Regulation 8(1) applies to a person whether or not the person is established in the United Kingdom. A person may be designated under Regulation 8(3) whether or not the person is established in the United Kingdom.

— Bill 329, Part 2, Section 3, Regulation 8(1ZA), (3A)

Key Points:
  • You can be an OES whether or not you're established in the UK, as long as you provide essential services in the UK
  • You may be automatically deemed to be an OES if you meet the threshold requirements in Schedule 2
  • You may be designated as an OES by your designated competent authority if you don't meet automatic thresholds but are considered essential
  • Public electronic communications networks and services are explicitly excluded from OES designation

Security Duties - Regulation 10

As an Operator of Essential Services (OES) in the utilities and energy sector, you must comply with security duties under Regulation 10 of the NIS Regulations:

  • Take appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems on which you rely for the provision of the essential service
  • Take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of those network and information systems
  • Have regard to any relevant guidance issued by the designated competent authority
  • Ensure a level of security appropriate to the level of risk you face
  • Manage the risks your supply chain poses to those network and information systems as part of the measures above; separately, suppliers to an OES may themselves be designated as critical suppliers under Regulation 14H (see Critical Suppliers below)

Incident Reporting Requirements - Regulation 11

Under Part 2, Section 15 of Bill 329, Regulation 11 sets out strict incident reporting requirements for Operators of Essential Services:

⚠️ Critical Timeline:

24 Hours: Initial notification must be given before the end of 24 hours beginning with the time you first become aware that an OES incident has occurred or is occurring.
72 Hours: Full detailed notification must be given before the end of 72 hours beginning with that same time.

Both clocks run from the moment of awareness, not from when the incident began, so the time at which an event was first recognised as an OES incident should be recorded in the incident log.

What is an OES Incident?

An incident is an "OES incident" if:

  • The incident has affected or is affecting the operation or security of the network and information systems relied on to provide the essential service
  • The impact of the incident in the United Kingdom or any part of it has been, is or is likely to be significant having regard to factors including: extent of disruption, number of users affected, duration, geographical area, and data confidentiality/authenticity/integrity/availability compromise

Required Information in Full Notification:

  • Your name and the essential service to which the incident relates
  • The time the incident occurred, its duration and whether it is ongoing
  • Information concerning the nature of the incident
  • Where the incident was caused by a separate incident affecting another regulated person: details of that separate incident and of the regulated person
  • Information concerning the impact (including any cross-border impact) which the incident has had, is having or is likely to have
  • Such other information as you consider may assist the designated competent authority in exercising its functions

Reporting Requirements:

Notifications must be in writing, provided in such form and manner as the designated competent authority determines. You must send a copy of the notification to CSIRT (Computer Security Incident Response Team) at the same time as sending it to the designated competent authority.

— Bill 329, Part 2, Section 15, Regulation 11

Information Requests & Inspections

Under Part 2, Section 20 of Bill 329, Regulation 15 gives designated competent authorities powers to:

  • Require you to give such information or documents as it reasonably requires for exercising its functions
  • Require you to obtain or generate information or documents
  • Require you to collect or retain information that you would not otherwise collect or retain
  • Send information notices whether or not you're established in the UK
  • Request information or documents stored within or outside the United Kingdom

⚠️ Important:

Failure to comply with an information notice is a breach that can result in penalties. You may not be required to give privileged communications (legal advice protected by legal professional privilege). Regulators can inspect your premises, examine documents, test your systems, and interview your staff.

— Bill 329, Part 2, Section 20, Regulation 15

Critical Suppliers in Utilities Supply Chain

Under Part 2, Section 12 of Bill 329, Regulation 14H allows designation of critical suppliers:

Suppliers to utilities and energy operators may be designated as critical suppliers if:

  • They supply goods or services directly to an OES (utilities/energy operator)
  • They rely on network and information systems for that supply
  • An incident affecting their systems has the potential to cause disruption to the provision of essential services
  • Any such disruption is likely to have a significant impact on the economy or day-to-day functioning of society
  • The OES is unlikely to be able to obtain the goods or services from an alternative source

— Bill 329, Part 2, Section 12, Regulation 14H

Penalties for Non-Compliance

Under Part 2, Section 21 of Bill 329, Regulation 18 sets out financial penalties for Operators of Essential Services:

Higher Maximum Amount (Serious Failures):

For failures including:

  • Failure to fulfil security duties under regulation 10(1) and (2)
  • Failure to notify an incident under regulation 11(2)
  • Failure to comply with regulation 11(6) and (7) in relation to notification requirements

Maximum: £17,000,000 or 4% of global turnover (whichever is greater)

Standard Maximum Amount (Administrative Failures):

For failures including:

  • Failure to comply with regulation 11(8) - sending copy to CSIRT
  • Administrative failures and late notifications

Maximum: £10,000,000 or 2% of global turnover (whichever is greater)

— Bill 329, Part 2, Section 21, Regulation 18

Benefits of CSRB Compliance

Operational Benefits

  • Improve resilience and reduce downtime
  • Better incident response capabilities
  • Enhanced security posture

Regulatory & Business Benefits

  • Demonstrate compliance to regulators and stakeholders
  • Reduce risk of financial penalties
  • Build public trust and confidence

Direct References from Bill 329

Part 2, Section 6 - Designation of Large Load Controllers

Adds load control as an essential service in the electricity subsector. Load controllers with 300MW+ potential electrical control in relation to relevant energy smart appliances are regulated. Defines relevant ESAs (electric vehicles, charge points, electrical heating appliances, battery energy storage systems, virtual power plants) and potential electrical control calculation.

Bill 329, Part 2, Section 6, Schedule 2, paragraph 1(5A) to (5E)

Part 2, Section 3 - Identification of Operators of Essential Services

Regulation 8 identifies OES, including utilities and energy providers. Regulation 8(1ZA) clarifies that OES identification applies whether or not the person is established in the UK. Regulation 8(3A) allows designation whether or not the person is established in the UK.

Bill 329, Part 2, Section 3, Regulation 8

Part 2, Section 15 - Incident Reporting

Regulation 11 requires OES to report incidents within 24 hours (initial notification) and 72 hours (full notification) to the designated competent authority, with a copy to CSIRT simultaneously.

Bill 329, Part 2, Section 15, Regulation 11

Part 2, Section 12 - Critical Suppliers

Regulation 14H allows designated competent authorities to designate suppliers to OES as critical suppliers if their failure could disrupt essential services and have significant impact on the economy or day-to-day functioning of society.

Bill 329, Part 2, Section 12, Regulation 14H

Part 2, Section 21 - Financial Penalties

Regulation 18 sets maximum penalties: £17 million or 4% of turnover for serious failures (security duties, incident reporting), and £10 million or 2% of turnover for standard failures (administrative requirements).

Bill 329, Part 2, Section 21, Regulation 18

Need Help with Utilities & Energy CSRB Compliance?

Our expert team helps Utilities & Energy Providers implement and prove compliance with CSRB requirements.