
The UK’s Energy Sector Cyber Security Strategy was published on 28 May 2026 by the Department for Energy Security and Net Zero, Ofgem, the National Cyber Security Centre and the National Energy System Operator. It sets out a 4-year roadmap from 2026 to 2030, with supply chain security running through the whole document.
For businesses, the message is clear. Energy sector cyber risk is no longer viewed as a problem only for grid operators, major generators and network owners. The government wants a better understanding of the whole energy system, including critical suppliers, digital dependencies and third parties whose systems could affect essential energy services.
By the end of 2026, the government and its partners plan to develop preliminary supply chain security principles. By the end of 2027, they intend to build stronger capability to engage with and assess energy supply chains, while supporting existing Operators of Essential Services in managing supplier risk. By 2030, the plan is to designate critical suppliers and scope appropriate cyber maturity targets for them.
If you supply technology, IT support, monitoring, maintenance, software, connectivity or security services into the energy sector, this matters now. Formal designation may come later, but customer expectations will move earlier.
The Threat The Strategy Is Responding To
The strategy sets out a serious threat picture. It highlights a growing focus on critical national infrastructure from state actors, ransomware groups and hacktivists.
China state-sponsored activity has been linked to the targeting of energy, transport and water sectors. Russia has used wiper malware against Ukrainian government and critical national infrastructure during the war and continues to seek access to systems in NATO states. Iran-based actors are also described as aggressive in cyberspace, including activity involving industrial control systems.
The Poland example is especially relevant. The strategy refers to a cyber attack in Poland in December 2025, later attributed by CERT Polska in January 2026 to Russian actors, which affected both IT systems and physical industrial equipment connected to renewable infrastructure. That is the important point for suppliers. This is not just about stolen data. It is about the possibility of digital compromise creating operational disruption in the physical world.
The clean energy transition adds further complexity. New wind, solar, storage, smart grid, EV charging, distributed energy and market-balancing systems all create new digital connections. Each connection can improve efficiency, but each one can also create a new attack route if security is weak.
The Supply Chain Problem In Plain Terms
The Network and Information Systems Regulations 2018, known as NIS, were designed to cover the most critical operators of essential services. In the energy sector, that includes key operators in downstream gas and electricity, and oil and upstream gas.
The problem is that the energy system has changed quickly. It is now more decentralised, digitised and dependent on external suppliers than the original regulatory framework fully anticipated.
A cyber incident at a supplier can affect an energy operator even if the operator’s own network is well protected. This is why the Cyber Security and Resilience Bill matters. The Bill was introduced to Parliament on 12 November 2025 and, as of June 2026, remains subject to the parliamentary process. If passed, it would amend the NIS framework and create powers to bring relevant managed service providers, data centres and designated critical suppliers into stronger regulatory scope.
The government’s critical supplier designation proposal is particularly important. It would allow regulators to designate suppliers whose network and information systems are relied on to support essential or digital services, where disruption could have a significant impact on the economy or day-to-day functioning of society.
The Published Supply Chain Timeline
| Timeline | Government commitment | What it means for suppliers |
|---|---|---|
| By the end of 2026 | Develop preliminary supply chain security principles | Energy operators will have clearer expectations to reference when assessing suppliers |
| By the end of 2027 | Build capability to engage with and assess energy supply chains, and support OES supplier risk management | More structured questionnaires, assurance requests and supplier reviews are likely |
| 2028 to 2030 | Designate critical suppliers and scope cyber maturity targets | Some suppliers may face direct regulatory obligations once the legal framework is in force |
The key point is that you do not need to wait until 2030. If your customer is already regulated, they are likely to start asking more detailed questions well before then.
Who This Actually Affects
The obvious answer is energy companies. The more accurate answer is any supplier that forms part of the energy sector’s digital or operational dependency chain.
That could include:
- An IT managed service provider with privileged access to an energy operator’s systems
- A software vendor whose platform supports asset monitoring or maintenance planning
- A telecoms provider carrying operational traffic
- A cybersecurity company providing monitoring, testing or incident response
- An engineering consultancy with remote access to operational environments
- A cloud provider, data platform or analytics supplier used in operational planning
- A company supporting smart meters, battery storage, EV charging or distributed energy resources
Many of these organisations do not think of themselves as energy businesses. But they may still be part of the energy sector’s attack surface.
That is why larger energy customers are likely to ask suppliers for evidence of cyber controls, incident response planning, access management, backup, business continuity and testing.
The Operational Technology Angle
Energy cyber risk is different from ordinary office IT risk because operational technology is involved.
Operational technology, or OT, includes systems that monitor or control physical equipment. In energy, that can include SCADA systems, industrial control systems, remote terminal units, turbines, substations, meters and distributed energy platforms.
Historically, OT environments were built for reliability and uptime. They were not always designed for today’s level of connectivity or external threat.
The energy transition is bringing IT and OT closer together. Smart meters, battery storage, EV charging networks, solar platforms and grid-balancing systems rely on data, remote monitoring and digital control. The boundary between business systems and operational environments can become blurred.
If you supply technology or services into that environment, your security posture affects your customer’s operational resilience. That is a higher standard than many suppliers are used to.
What To Do Now
The practical response starts with the basics, but those basics need to be properly implemented and evidenced.
Start with identity and access. Strong password best practices, multi-factor authentication and controlled privileged access should be standard. Device management through Microsoft Intune can help enforce policies across laptops, mobiles and remote users.
Endpoint controls also matter. EDR is increasingly a baseline expectation: energy sector customers will want detection and response capability, not just antivirus. Practical endpoint hardening steps and endpoint security for remote teams reduce common entry points.
Good IT service management keeps those controls current. Without clear ownership, patching, change control and asset management, security quickly becomes inconsistent.
Certification is another useful signal. Cyber Essentials accreditation provides a recognised baseline, and Cyber Essentials Plus, with independent verification, may become increasingly attractive for suppliers to regulated customers. Wider IT compliance requirements point in the same direction of travel.
Testing And Evidence
Energy sector customers will not only want to know that controls exist. They will want evidence that those controls work.
Regular network penetration testing helps identify weaknesses before an attacker does. Network penetration testing explained and the importance of penetration testing in cybersecurity set out the practical case.
The right testing schedule depends on your risk profile, customer requirements and system changes. Guidance on how often to test, and the comparison between internal and external penetration testing, can help scope this properly. The resulting fixes then need to be tracked to closure, with common network vulnerabilities and their solutions as a reference point.
Phishing remains one of the most common initial access routes into business networks. As an anti-phishing company that London businesses use across sectors, we see this pattern repeatedly. The foundations in anti-phishing basics, the technical anti-phishing controls, knowing how to spot a phishing email and understanding business email compromise should all be part of supplier readiness.
Credentials, Backup And Recovery
Credential compromise is especially serious where a supplier has access into customer systems. Dark web monitoring, what to do if your company credentials appear on the dark web, and the difference between dark web monitoring and breach monitoring explain how early warning works. Our London dark web monitoring service gives businesses visibility of exposed credentials before they are used against them.
Recovery planning is just as important as prevention. Microsoft 365 backup, cloud-to-cloud backup and common cloud backup mistakes are all relevant. As a cloud backup company that London businesses rely on, we treat backup as core resilience infrastructure, not an afterthought. The small business guide to ransomware and the case for a business continuity plan cover the response side.
Cross-Border And Multi-Site Realities
The UK energy strategy is a UK document, but many energy suppliers work across borders. The EU’s NIS2 Directive is already in force at EU level and covers 18 critical sectors, including energy. Individual obligations depend on how each member state has implemented the directive, but the direction is broadly aligned: stronger governance, risk management, incident reporting and supplier oversight.
If you supply both UK and EU energy operators, you may need to manage overlapping expectations. Our European support services and global IT support work help businesses manage multi-jurisdiction requirements.
Where consolidation or migration is part of the preparation, our London platform migration projects build security into the transition rather than adding it afterwards. Our full range of services and our consulting team can help you scope what preparation looks like for your position in the supply chain.
As a managed business IT support services partner, we are already helping suppliers get ahead of these requirements. Our security services bring the technical and strategic picture together.
Frequently Asked Questions
Does The Energy Sector Cyber Strategy Apply If We Are Not An Energy Company?
It may affect you indirectly. If you supply technology, managed services, monitoring, maintenance, engineering support or other digital capability to energy operators, your customer may ask you to demonstrate stronger cyber controls. Some suppliers may eventually be designated as critical suppliers.
What Is The Difference Between NIS, The Cyber Security And Resilience Bill And The Energy Strategy?
NIS 2018 is the existing legal framework for operators of essential services. The Cyber Security and Resilience Bill is proposed legislation that would amend and expand that framework. The Energy Sector Cyber Security Strategy is the sector-specific roadmap for improving cyber resilience from 2026 to 2030.
What Does Critical Supplier Designation Mean?
Critical supplier designation would allow regulators to place direct cyber security duties on suppliers whose systems are important to essential or digital services. The specific duties would be set through secondary legislation after consultation.
How Do IT And Operational Technology Risks Differ?
IT systems handle data, communications and business processes. Operational technology controls or monitors physical equipment. In the energy sector, IT and OT are increasingly connected, so a compromise that starts in a business or supplier system can create operational risk.
Should Smaller Suppliers Prepare Now?
Yes. Formal designation may only apply to some suppliers, but customer expectations will move earlier. Controls such as Cyber Essentials, MFA, tested backups, EDR, penetration testing and incident response planning take time to implement properly. Preparing under pressure when a contract is at stake is harder.
The Sensible Next Step
The 2026 milestones in the energy strategy are already underway. Preliminary supply chain principles are expected by year-end, and energy operators will have a clearer basis for assessing their suppliers.
The question for businesses in or near the energy supply chain is not whether expectations are rising. They are. The question is whether you can show the evidence before a customer asks for it.
If you would like help mapping where your business sits in the supply chain, assessing your current security posture or building the controls your customers and insurers are likely to expect, speak to Northern Star. We will give you a clear view of where you stand and a practical plan for getting ahead of the requirement curve.