Summary
- Ofgem consulted on draft supply chain security guidance for the downstream gas and electricity sector.
- The consultation closed on 30 June 2026 and is awaiting a decision.
- The guidance is intended to support proportionate, outcome-focused management of supplier security risk.
Ofgem has closed its consultation on proposed supply chain security guidance for the downstream gas and electricity sector, leaving the UK energy regulator to decide how it will formalise expectations around supplier cyber risk.
The consultation, published on 2 June 2026 and closed on 30 June, sought views on draft guidance intended to support proportionate supply chain security risk management. Ofgem said the guidance is aimed at a consistent, outcome-focused approach across supplier relationships in downstream gas and electricity.
The regulator invited feedback on clarity, usability, and practical application, including proposed principles, outcomes, and a risk-based supplier criticality model. Responses will be used to assess whether the guidance supports effective risk management without creating unnecessary burden or unintended consequences.
Ofgem’s consultation page identifies a broad audience, including gas and electricity operators, suppliers of products and services to the energy sector, service providers, systems integrators, managed service providers, equipment and technology manufacturers, trade bodies, assurance organisations, auditors, and researchers.
That breadth reflects how energy resilience now depends on more than the security of a regulated operator’s own systems. Billing platforms, field services, telemetry, engineering support, customer systems, managed IT services, operational technology suppliers, cloud providers, and equipment manufacturers can all influence the security and reliability of services.
The downstream energy sector is also changing. Smart appliances, electric vehicle charging, distributed energy resources, heat pumps, batteries, consumer platforms, and digital grid management are increasing the number of systems and organisations connected to energy operations. The result is a more distributed environment in which suppliers and service providers can become points of operational exposure.
A risk-based supplier criticality model gives operators a way to focus assurance work where it is most needed. Not every supplier requires the same evidence or control depth, but organisations need a disciplined method for identifying which suppliers could affect safety, continuity, customer services, data protection, or recovery if compromised or unavailable.
The guidance also fits the direction of UK cyber policy. The Cyber Security and Resilience Bill is expected to expand attention around digital dependencies, managed service providers, datacentres, incident reporting, and critical suppliers. Energy operators will need to align sector expectations with national cyber resilience reforms.
Ofgem’s next decision will determine how the draft guidance changes after consultation. Operators and suppliers should expect more structured conversations about evidence, controls, incident notification, and resilience planning across the energy supply chain.





