Compliance & Regulation

NIS Regulations 2018: What UK Energy Operators of Essential Services Must Do

The Network and Information Systems Regulations 2018 came into force in the UK on 10 May 2018, transposing the EU NIS Directive into domestic law and, for the first time, placing legally binding cyber security duties on energy companies. Electricity, gas and oil operators designated as Operators of Essential Services (OES) now face penalties of up to GBP 17 million for failing to manage cyber risk. For an industry built on engineering uptime rather than information security, the NIS Regulations marked a fundamental shift in regulatory accountability.

NIS penalties reach up to GBP 17 million for serious cyber failures

Who counts as an Operator of Essential Services in energy

The NIS Regulations identify OES against sector-specific thresholds set out in Schedule 2 of the legislation. In energy this captures electricity generators, transmission and distribution network operators, gas suppliers and network operators, and oil producers, refiners and distributors above defined size or criticality thresholds. Under Regulation 8, an organisation that meets a threshold is designated as an OES by operation of law, whether or not the competent authority has written to it, and it must notify the competent authority within three months of meeting the threshold; the competent authority can also designate operators that fall below the thresholds where it considers them critical. Smaller operators below the thresholds are not directly in scope but are frequently pulled in through the supply chain security expectations placed on their OES customers.

  • Electricity generation, transmission and distribution above capacity thresholds
  • Gas supply, transmission, distribution and storage operators
  • Oil production, refining, treatment, storage and pipeline transport
  • Designation is threshold-based and applies automatically once met

The core security duty

Regulation 10 places a duty on every OES to take appropriate and proportionate technical and organisational measures to manage risks to the security of the network and information systems on which their essential service relies, having regard to the state of the art, and to prevent and minimise the impact of incidents on that service. The duty extends beyond IT to the operational technology (OT) that runs the grid, pipelines and plant. The standard is risk-led rather than prescriptive: the competent authority assesses outcomes against the NCSC Cyber Assessment Framework (CAF), whose 14 principles sit under four objectives (managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents), not against a fixed checklist. This means operators must demonstrate they understand their risk and have acted reasonably to reduce it, and must be able to evidence that with records the assessor can inspect.

Incident reporting to the competent authority

Regulation 11 requires an OES to notify its competent authority without undue delay, and in any event no later than 72 hours after becoming aware of it, of any incident that has a significant impact on the continuity of the essential service. For energy in Great Britain, the competent authority for downstream gas and electricity is the Secretary of State (formerly BEIS, now the Department for Energy Security and Net Zero) and Ofgem acting jointly; for upstream oil and gas and for downstream oil it is the Secretary of State. Northern Ireland has its own competent authorities. The NCSC is the national technical authority and CSIRT, not the competent authority, although it provides the CAF and incident guidance the competent authorities rely on. Reportable incidents are judged on impact factors set out in the Regulations, such as the number of users affected, geographic spread and duration of disruption, not solely on whether an attacker succeeded. Failure to report is itself a breach.

  • Notify without undue delay and within 72 hours of awareness
  • Thresholds based on users affected, duration and geographic reach
  • Reporting covers availability incidents, not just confirmed breaches

Penalties and enforcement

The NIS Regulations establish a tiered penalty regime in Regulation 18. The top band of up to GBP 17 million applies to a material contravention that has caused, or could cause, an incident resulting in an immediate threat to life or a significant adverse impact on the UK economy; lower bands of GBP 8.5 million, 3.4 million and 1 million apply to contraventions with lesser potential impact, and failure to comply with an information notice or enforcement notice can itself be penalised. Penalties sit alongside enforcement notices that can compel specific remediation within a set period. The competent authority can also require information and commission inspections and audits, with the reasonable costs recoverable from the operator. For energy operators the reputational consequences of a public enforcement action, particularly one tied to grid disruption, often outweigh the fine itself.

How Kyanite Blue helps you meet the NIS duty

Meeting Regulation 10 means evidencing controls across endpoints, identity, email and OT, and producing the audit trail your competent authority expects. Kyanite Blue helps energy operators map their estate against the Cyber Assessment Framework, close the gaps that surface in CAF assessments, and stand up the monitoring and reporting needed to meet the 72-hour notification window. Coro provides consolidated endpoint protection, email security and identity controls in a single platform that produces the documented audit trail regulators look for, giving smaller and mid-sized OES enterprise-grade coverage of the IT estate without an enterprise SOC. OT networks and the control systems on them are outside what an endpoint and email platform can see, so they need their own controls, monitoring and evidence within the same CAF mapping.

Frequently Asked Questions

When did the NIS Regulations come into force in the UK?

The Network and Information Systems Regulations 2018 came into force on 10 May 2018, transposing the EU NIS Directive into UK law and creating binding cyber duties for energy and other essential services.

What is the maximum penalty under the NIS Regulations?

The most serious contraventions can attract fines of up to GBP 17 million. Lower bands apply to lesser failures and to failures to cooperate with the competent authority, and enforcement notices can compel remediation.

How quickly must an energy OES report a cyber incident?

An OES must notify its competent authority without undue delay and within 72 hours of becoming aware of any incident that has a significant impact on the continuity of the essential service.

Who is my competent authority as an energy operator?

For downstream gas and electricity in Great Britain the competent authority is the Secretary of State (now the Department for Energy Security and Net Zero) and Ofgem acting jointly. For upstream oil and gas and downstream oil the Secretary of State acts alone. Northern Ireland has separate competent authorities. The NCSC is the national technical authority and CSIRT and provides the CAF and technical guidance across all sectors, but it is not the body you report to under Regulation 11.
