The Energy Sector Cyber Security Strategy: What It Means and How to Comply Automatically
The government has set out how it expects the UK energy sector to defend critical national infrastructure over the next five years. Here is what the strategy asks of operators and suppliers - and how the Fig platform turns those expectations into evidence from the day you are onboarded.
Section 01
The Energy Sector Cyber Security Strategy, published by the Department for Energy Security & Net Zero (DESNZ) with Ofgem, the NCSC and the National Energy System Operator, sets out five pillars and a 2026-2030 timeline for protecting the UK's energy critical national infrastructure. It expands cyber oversight beyond today's NIS scope, raises the bar on supply chain security, and pushes operators from a compliance-driven to a risk-driven culture. The practical consequence for any organisation in or supplying the energy sector is a far heavier, continuous evidence burden. Fig was built for exactly this: from the day you are onboarded, the platform maps your controls to the frameworks behind the strategy, collects evidence automatically, and keeps you audit-ready instead of scrambling before each assessment.
On 28 May 2026 the government published the Energy Sector Cyber Security Strategy. It is a joint piece of work between four bodies - DESNZ as policy and risk owner, Ofgem as regulator for downstream gas and electricity, the NCSC as technical authority, and the National Energy System Operator (NESO) for whole-system coordination. Together they set out how the UK intends to defend its energy networks against a threat landscape that now includes state-sponsored actors, while the sector is simultaneously rebuilding itself around Clean Power 2030.
That combination - rapid digitalisation, decentralised generation, ageing operational technology, and a hostile threat environment - is why the strategy exists. This guide explains what it asks for, the timeline you are working to, and how to meet it without turning compliance into a permanent full-time project.
Section 02
Why the strategy exists
Three pressures are converging at once, and the strategy is the government's response to all three:
- Escalating threat to critical national infrastructure. Energy is a primary target for nation-state actors. A successful attack on generation, transmission or distribution has cascading consequences for every other sector.
- The Clean Power 2030 transition. Net zero requires a wave of new, highly digital, decentralised infrastructure - smart grids, renewables, storage, and the IT/OT convergence that comes with them. New attack surface is being created faster than legacy security models can cover it.
- Regulatory evolution. The 2018 NIS Regulations are the current foundation, but they were not written for this environment. The proposed Cyber Security and Resilience Bill (CSRB) is set to expand both the scope and the depth of what regulators can require.
The result is a clear direction of travel: more organisations in scope, higher maturity expectations, and a shift from "tick the box once a year" to demonstrating resilience continuously.
Section 03
The five pillars
The strategy is built around five strategic objectives. These are the headings every energy operator and supplier should be planning against:
1. "Enhancing our understanding of threat, vulnerability, and risk" - comprehensive mapping of the energy system, its dependencies, critical failure points and component-level vulnerabilities, including supply chain risk assessment.
2. "Prevention through enhanced and accelerated resilience" - extending cyber oversight to more energy players proportionate to risk, setting maturity targets for the highest-impact operators, and embedding security-by-design into new infrastructure.
3. "Strengthening preparedness, response and recovery" - better threat detection, cross-cutting incident response and recovery plans, and regular testing and exercising.
4. "Effective monitoring, regulation and enforcement" - getting NIS operators to full compliance, strengthening regulator capacity, and developing deeper assurance frameworks built on established schemes.
5. "Fostering partnership, culture and skills" - moving from a compliance-driven to a risk-driven culture, growing the security-cleared workforce, and driving cyber governance to board level.
Read together, the pillars describe an operating model, not a checklist. You are expected to know your assets and dependencies, prevent issues by design, respond and recover when something happens, prove all of it to a regulator, and govern it from the top.
Section 04
The timeline you are working to
The strategy attaches dates to its commitments. These are the milestones that will shape what regulators ask for:
- End 2026 - understand cyber risk across the most critical parts of the system; run a cross-industry and government exercise simulating a sophisticated attack; strengthen regulatory capacity through assured providers; publish preliminary supply chain security principles.
- End 2027 - reassess NIS regulatory thresholds and revise them via secondary legislation; accelerate maturity for critical systems among downstream gas and electricity operators; engage industry on security-by-design; develop new assurance frameworks.
- End 2028 - full delivery of advanced threat detection capability; deliver a CEO-level tabletop exercise.
- End 2030 - designate critical suppliers with maturity targets; ensure baseline cyber resilience across the whole downstream gas and electricity system.
The honest read of this timeline is that the requirements ratchet upward every year. An approach that just about passes a one-off assessment in 2026 will not survive the deeper assurance frameworks and supplier designations arriving by 2030. What you need is a way of working that compounds - where the evidence you produce this year carries forward and the bar can rise without the workload exploding.
Section 05
The frameworks behind the strategy
The strategy does not invent a brand-new standard. It leans on established schemes and tightens how they are used:
- NIS Regulations (2018) - the primary regulatory lever, applying to Operators of Essential Services. Thresholds are due to be reassessed and likely widened.
- The Cyber Security and Resilience Bill (CSRB) - proposed legislation to expand regulatory powers, including over suppliers.
- Cyber Essentials - proposed as a baseline hygiene measure for Ofgem licensees. This is the floor, not the ceiling.
- The NCSC's assurance approach - deeper assurance frameworks built on established schemes, with the NCSC Cyber Assessment Framework (CAF) the recognised basis for assessing essential-service operators.
- Cyber Resilience Audit (CRA) and Cyber Adversary Simulation (CyAS) - industry assurance and advanced capability testing schemes referenced for assured providers and testing.
- The Cyber Governance Code of Practice - supporting board-level risk ownership.
If you already hold Cyber Essentials, you have the baseline. The strategy is explicit that the baseline is just the start. The real work is demonstrating, continuously and to a deeper standard, that the controls behind these frameworks are operating and that risk is being actively managed.
Section 06
What this actually means for operators and suppliers
Strip away the policy language and the strategy creates four concrete obligations:
1. Know your estate and your dependencies - including operational technology and the suppliers your essential services rely on.
2. Run controls to a measurable maturity - and be able to show the maturity, not just claim it.
3. Be ready to detect, respond and recover - with tested plans and defensible records.
4. Prove all of the above to a regulator - repeatedly, to a standard that rises each year.
And it is not just the large operators. The supply chain commitments mean that if you sell into the energy sector - software, hardware, OT services, managed services - you should expect your customers to push these expectations down to you through procurement and contracts. Critical suppliers face formal designation and maturity targets by 2030. Getting your house in order now is a commercial advantage, not just a regulatory chore.
For most organisations the hard part is not understanding the requirement. It is the sheer, ongoing weight of evidencing it across assets, vulnerabilities, suppliers, incidents, policies, training and audits - without a dedicated team buried in spreadsheets.
Section 07
How Fig automates compliance with the strategy
The Fig platform was designed for exactly this kind of layered, evidence-heavy, continuously assessed environment. Its five capability groups - Discover, Protect, Respond, Prove and Transfer - line up almost one-to-one with the strategy's five pillars. Here is how each pillar maps to the platform.
Pillar 1 - Understanding threat, vulnerability and risk
The strategy wants comprehensive mapping of assets, dependencies and component-level vulnerabilities. Fig's asset discovery builds a live, governed register across hardware, software, cloud and service dependencies, with owners and evidence attached. Data discovery and classification finds where sensitive and regulated data lives. Vulnerability scanning consolidates scanner output and prioritises by exploitability and asset importance, and exposure modelling shows how small weaknesses combine into business risk - exactly the dependency-and-failure-point picture the strategy asks operators to build.
Pillar 2 - Prevention through accelerated resilience
Maturity targets and resilience are the heart of pillar 2. Fig's supply chain risk monitoring maps suppliers to the services and data they touch and tracks assurance evidence continuously, rather than relying on an annual questionnaire - directly relevant to the strategy's supplier-designation agenda. Business continuity connects recovery plans, critical services and test evidence so resilience is measurable, and people lifecycle governs access and accountability from joiner to leaver.
Pillar 3 - Preparedness, response and recovery
The strategy mandates incident response and recovery plans, with regular testing. Fig's incident management runs incidents from one structured record - actions, owners, decisions, notifications and reporting - so timelines stay defensible and reporting (including for incidents below NIS thresholds) is straightforward. Agentic remediation turns findings into assigned, evidenced fixes while keeping human approval and ownership intact.
Pillar 4 - Monitoring, regulation and enforcement
This is where most of the workload lives, and where automation pays off most. Fig's compliance automation maps your controls to the frameworks behind the strategy - NIS, Cyber Essentials, the CAF assurance approach and more - and collects evidence continuously, flagging stale or missing evidence before an assessor would. Policy management turns policies into operational control with approvals and attestations, and audit management builds audit packs from work that already happened, so you are not constructing a parallel process every time a regulator asks. Because evidence is reused across frameworks, raising the bar each year does not mean rebuilding from scratch.
Pillar 5 - Partnership, culture and skills
Risk-driven culture and board-level governance are evidenced too. Fig's training and policy acknowledgement tracks role-based training and acknowledgements with completion evidence and overdue actions, and its embedded insurance view turns live posture and risk data into a clearer underwriting story - useful for the board-level risk conversations the Cyber Governance Code of Practice expects.
Section 08
Compliant from the day you are onboarded
The difference between Fig and a folder of spreadsheets is timing. With Fig, compliance is not a project you start months before an audit - it begins working for you immediately:
- Day one mapping. When an organisation is onboarded, its controls are mapped against the relevant frameworks straight away, so you can see your position against NIS, Cyber Essentials and the CAF assurance approach from the outset - not after weeks of manual setup.
- Evidence collected as work happens. Asset changes, vulnerability findings, supplier updates, incidents, policy approvals and training completions all feed the evidence model continuously. Your audit pack is a by-product of doing the work, not a separate exercise.
- Gaps surfaced while there is time to act. The platform flags stale or missing evidence and control gaps before an assessor would, so issues are fixed proactively rather than discovered in an audit.
- One source of truth across frameworks. Because the same evidence is reused across schemes, meeting the strategy's rising bar - and proving it to a regulator - does not multiply the workload each year.
That is what "automate compliance immediately" means in practice. The strategy's whole direction is toward continuous, deeper, supply-chain-wide assurance. A platform that keeps your evidence live and your frameworks mapped is the only realistic way to keep up without a standing army of analysts.
Section 09
What to do now
You do not need to wait for every piece of secondary legislation to land. The smart moves are the ones that hold up no matter how the detail settles:
1. Get the baseline in place. If you do not already hold Cyber Essentials, start there - it is the floor the strategy assumes.
2. Build a live asset and dependency picture, including OT and the suppliers your essential services depend on.
3. Move evidence off spreadsheets. Adopt a platform that maps controls to frameworks and collects evidence continuously, so rising requirements do not mean rising headcount.
4. Push expectations down your supply chain early - and, if you are a supplier, get ahead of the designation and maturity targets coming by 2030.
Section 10
Frequently asked questions
Who published the Energy Sector Cyber Security Strategy?
It was published on 28 May 2026 by the Department for Energy Security & Net Zero (DESNZ), working with Ofgem, the National Cyber Security Centre (NCSC) and the National Energy System Operator (NESO). The four bodies share responsibility: DESNZ owns policy and risk, Ofgem regulates downstream gas and electricity, the NCSC is the technical authority, and NESO coordinates the whole system.
Does the strategy only apply to large energy operators?
No. While the most stringent maturity targets fall on the highest-impact operators, the strategy expands oversight proportionate to risk and places heavy emphasis on the supply chain. Critical suppliers face formal designation with maturity targets by 2030, and operators are expected to push requirements down through procurement. If you supply software, hardware, OT or managed services to the energy sector, you should expect these expectations to reach you.
What frameworks does the strategy rely on?
It builds on established schemes rather than inventing a new standard: the NIS Regulations (2018) as the primary lever, Cyber Essentials as a baseline, the NCSC's assurance approach including the Cyber Assessment Framework, and industry schemes such as Cyber Resilience Audit and Cyber Adversary Simulation. The proposed Cyber Security and Resilience Bill is set to expand regulatory powers, and the Cyber Governance Code of Practice supports board-level ownership.
How does Fig help energy organisations comply?
Fig maps your controls to the frameworks behind the strategy and collects evidence continuously across assets, vulnerabilities, suppliers, incidents, policies and training. From the day an organisation is onboarded, you can see your position against NIS, Cyber Essentials and the CAF assurance approach, with gaps surfaced before an assessor would find them. Because evidence is reused across frameworks, the strategy's rising annual bar does not translate into a rising annual workload.
Is Cyber Essentials enough to meet the strategy?
No. Cyber Essentials is positioned as a baseline hygiene measure - the floor, not the ceiling. The strategy's direction is toward deeper, continuous assurance built on frameworks like the CAF, plus tested incident response, supply chain security and board-level governance. Cyber Essentials is the right starting point, but you should plan for the higher maturity and continuous evidencing the strategy expects.
Section 11
Summary
The Energy Sector Cyber Security Strategy raises the bar for everyone in and around UK energy: wider scope, deeper assurance, supply-chain-wide expectations, and a culture shift toward continuous, risk-driven resilience through 2030. The requirements ratchet up every year, which makes a continuous, evidence-led way of working the only sustainable response. Fig was built for precisely this - mapping your controls to the relevant frameworks, collecting evidence as work happens, and keeping you audit-ready from the day you are onboarded.
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.