The Cyber Security and Resilience Bill: What It Means for Every Energy Operator, Large and Small
Most energy operators will have been watching the Cyber Security and Resilience Bill (CSRB) and come to one of two conclusions. Large, established operators – those already designated as Operators of Essential Services (OES) under the NIS Regulations – broadly understand that new obligations are coming and are asking how much more will be demanded of them. Smaller producers, particularly those in the renewable sector who have never met the NIS threshold, may not be sure whether the Bill applies to them at all.
There is a meaningful risk of misreading the Bill from either direction.
What is the Cyber Security and Resilience Bill?
Introduced at the end of 2025, the Bill has passed through committee stage and is currently at Report stage in the House of Commons. The legislative direction is now clear enough to act on – waiting for Royal Assent before preparing is not a position I would recommend to any organisation in this sector.
The CSRB is not replacing the NIS Regulations – it is amending and substantially expanding them. The existing framework established baseline security duties for Operators of Essential Services, relying heavily on the NCSC’s Cyber Assessment Framework (CAF) as the practical benchmark for compliance. That architecture remains, but the Bill changes who it applies to, what is required of them, and what happens if they fall short.
New categories are being brought into scope, including data centres, managed service providers, and large load controllers. Supply chain security – previously in the guidance column of the CAF – is being made a regulated duty. Incident reporting timelines are tightening, with a two-stage notification process replacing the single 72-hour window, and ransomware demands being treated as notifiable events in their own right. Regulators are also being given new enforcement tools – cost recovery powers, intervention mechanisms, and enhanced sanctions – that will make non-compliance carry more tangible consequences.
What does this mean for large operators?
For organisations already designated as OES, the Bill raises the bar and narrows the tolerances.
The move to a 24-hour initial notification window is perhaps the most immediate challenge. It requires an organisation to detect, triage, and escalate a potential incident within 24 hours – a genuine capability requirement, not a form-filling exercise. That is demanding for anyone managing geographically distributed infrastructure with remote and partially unmanned sites: if your detection and alerting infrastructure cannot surface a significant event within that window, you are exposed.
Supply chain obligations are also more demanding at scale. Large OES operators will not only need to meet their own obligations but will increasingly need to understand and assure the cyber posture of the suppliers they rely on – a significant piece of work with commercial and contractual dimensions as well as technical ones.
The other area of increasing complexity is the convergence of standards. The CAF has been the primary compliance framework for most UK energy OES, but large generation and transmission sites are also increasingly expected to demonstrate alignment with IEC 62443 – the international standard for industrial automation and control system security. Where the CAF addresses the broader organisational and governance dimensions of cyber resilience, IEC 62443 goes deeper into OT-specific requirements: network segmentation between control system zones, secure remote access, device-level security, and the management of software and firmware in industrial systems. For large operators running SCADA systems across substations, generation assets, and transmission infrastructure, managing compliance across both frameworks whilst absorbing new CSRB obligations requires a structured and well-resourced approach.
But this doesn’t affect smaller operators, does it?
Under the current NIS Regulations, the thresholds for OES designation are high. For electricity generators the key threshold is a generating capacity of 2GW or more; for distribution and transmission operators, it is the potential to disrupt supply to 250,000 or more consumers. The result is that most renewable energy producers – solar farms, battery storage sites, onshore wind operators – have sat below the threshold with no direct regulatory obligation under NIS.
The Bill changes that in two ways.
The first is expected alignment with NIS2, which is anticipated to extend OES designation to more energy sector organisations, including some renewable producers previously below the threshold. The precise scope is still emerging, but operators should not assume their current status will remain unchanged.
The second is the Designated Critical Supplier (DCS) framework – the part of the Bill I spend most time discussing with smaller energy operators, and where I think understanding is still lagging.
A DCS is an organisation that provides goods or services to an OES, engages with important network and information systems in doing so, and whose disruption would cause a material operational impact to the OES it serves. The specific obligations – what controls you will need, what you will need to report and to whom, and how compliance will be assessed – are still being set in secondary legislation that has not yet been published. But the framework is established, and the types of organisation it is intended to capture are clear enough. If you provide OT network management, SCADA integration, remote monitoring, managed security services, or critical communications infrastructure to a large energy operator, you need to be actively considering whether you could be designated as a critical supplier. The designation is not self-selecting – it will be made by the relevant regulator, most likely Ofgem or DESNZ – but the criteria are clear enough to make a reasonable assessment of your exposure now.
The argument I hear most often from smaller operators is to wait and see what the secondary legislation says. I understand the logic, but it underestimates the lead times involved. Achieving a sound cyber security posture in OT environments requires asset inventory work, network segmentation, governance documentation, supplier assurance, staff training, and often investment in monitoring capability. None of that can be compressed into the window between secondary legislation being published and coming into force.
What questions should you be asking now?
For large OES operators: can your current infrastructure genuinely support a 24-hour initial notification? How do your sites stack up against both the CAF and IEC 62443? If there are gaps, the time to close them is now.
For smaller operators and potential DCSs: what is the honest picture of your relationship with larger operators and the criticality of the services you provide? That assessment is your starting point, and working towards the NCSC CAF and Cyber Essentials provides a solid foundation whatever the secondary legislation ultimately requires.
For both: supply chain expectations flowing through the energy sector are going to rise considerably over the next two to three years. The Bill increases accountability for the cyber posture of critical suppliers and increases the obligations on those suppliers directly.
At Bedroq, Luke Fuller and I work with energy operators across the size spectrum on exactly these challenges – from readiness assessments aligned to the CAF or IEC 62443-3-3, to OT security gap analysis, incident detection and response capability, and practical preparation for the DCS framework. Our starting point is always the same: understand your specific context, identify where the real gaps are, and build a proportionate and achievable roadmap.
If you would like to discuss where your organisation stands, I’d be glad to have that conversation.
Get in touch

Michael Crabtree,
Senior Technical Architect