Cyber Security and Resilience Bill: Navigating utility sector impacts
The publication of the Cyber Security and Resilience Bill marks a significant extension of security requirements for the utility sector. By bringing data infrastructure and managed service providers into scope, the Bill aims to strengthen national resilience. For utilities, success depends on translating these regulatory requirements into proportionate operational action while navigating the risk of significant financial penalties.
For existing Operators of Essential Services (OES), the publication of the long-awaited Cyber Security and Resilience Bill should be regarded as a logical extension to the current requirements set out in the Networks and Information Systems Regulations and supporting Cyber Assessment Framework.
The Bill’s principal objective is to establish stronger, more far-reaching obligations to increase cyber resilience in the UK. It brings into scope data infrastructure (eg data centres) and Managed Service Providers where they are critical to the delivery of services to existing OES.
For existing OES, the Bill’s intent should be regarded as a major benefit, as it addresses current supply chain challenges. It reduces the complexities associated with flowing down security requirements to service providers, which can subsequently trigger unforeseen and lengthy negotiations over existing commercial contracts, whilst attempting to increase levels of operational resilience. From a critical service provider’s perspective, multiple OES using their services, each with a different interpretation of security best practice set out commercially in individual contracts, also presents its own challenges. If the competent authority for these new OES sets out requirements based on a clear understanding of current operational challenges, it will be a significant outcome.
For the first time, critical service providers will be measured against a consistent national security bar, including the reporting of material cyber incidents to their customers and regulator. Existing OES will be able to establish a clearer understanding of the effectiveness of the security controls that their critical supply chain has implemented, directly informing their third-party risk management. Extending the scope of network and information systems regulations could also be regarded as an incentive in the competitive service provider marketplace, and a unique selling point if full compliance can be demonstrated. A clearly developed operational context, clarity of rollout and proportionate timescales will be crucial to realise the supply chain benefits that can be achieved.
In the smart energy market, the drive to net zero has seen the rapid development of new technologies, with a streamlining of routes to market driven by a competitive market and UK government climate targets. The position of large load controllers (controlling energy smart appliances above 300 MW) is potentially less clear and requires additional definition, which is anticipated to be set out in the technical implementation of the Bill. It will be imperative that the scope is clearly defined so that organisations that fall into scope are aware of this and able to demonstrate relevant security requirements in relatively short timescales, upholding the primary objective of the Bill and the raising of operational resilience across the UK. The smart energy market is, by its nature, potentially more diverse, and therefore organisations could come from different starting points and levels of cyber maturity – detailed requirements will need to be proportionate to avoid a protracted rollout and to be effective in the sector/market context.
The Bill also sets out the need for additional transparency in terms of cyber incident reporting, aligned to existing Information Commissioner’s Office timescales for identified data breaches. However, the definition of a ‘material’ breach will require further clarity.
Financial penalties set out in the Bill are not immaterial at £17 million or 4% of global turnover and should be a trigger for CISOs to activate initial impact assessments to inform their senior stakeholders and boards. As OES continue to mature using NIS CAF as a reference point for expected operational resilience good practice, the extension in scope, in terms of critical service providers and organisations becoming OES, should come as no surprise. This should help identify those areas that require additional clarification, and an understanding of the roles and responsibilities to respond when the Bill receives Royal Assent. In parallel, conversations between OES and their supply chain to understand current interpretations should be regarded as beneficial – increasing collaboration in raising national operational resilience is both effective and crucial to reducing rollout timescales.
Recent events at JLR, Marks and Spencer and the Co-op are prime examples of the significant scale of operational impact, and the importance of cyber resilience in the supply chain, as it cannot always be expected that central bodies and Government will come to the rescue.
Whilst the Bill sets a strong foundation and intent, its success will depend on timely and effective implementation, clearly translating regulatory requirements into practical action that is proportionate at an operational level. Without clear implementation plans, organisations risk introducing vulnerabilities during transition. Assigning ownership, defining responsibilities and establishing realistic timelines will be critical to success.
It is anticipated that the Bill will pass through Parliament quickly and that the technical aspects of implementation and rollout will be developed early in 2026. It will be the responsibility of the relevant competent authorities to ensure implementation is clear and complexity is minimised, including wider considerations such as the adoption of NIS CAF 4.0 and a potential NIS CAF Advanced Profile. Ongoing collaboration with industry will be necessary to ensure operational considerations are clearly understood. Early impact assessment by OES will help ensure that operational implementation can be clearly articulated to competent authorities and regulators. This will ensure that the benefits associated with the Bill can be maximised and that timescales, in terms of rollout and demonstration of effectiveness, are minimised.
This article was first published in Utility Week.