Summary
- The UK is consulting on a Tier 1 Cyber Assessment Framework profile for large load controllers.
- The proposed NIS scope covers organisations remotely controlling 300MW or more of electrical load.
- The policy links cyber resilience to grid stability as electrification and smart energy systems scale.
The UK government is moving to bring large electricity load controllers into cyber regulation, with a new Tier 1 Cyber Assessment Framework consultation covering organisations that remotely control 300MW or more of electrical load.
The proposal sits under the Smart Secure Electricity Systems Programme and supports planned legislative changes in the Cyber Security and Resilience Bill. The Bill is intended to bring load control into the Network and Information Systems Regulations as a new essential service, reflecting the growing role of connected devices, smart appliances, electric vehicle charging, batteries, heat pumps, and control platforms in balancing electricity demand.
The Department for Energy Security and Net Zero says load controllers provide flexibility services to the grid and consumers, supporting efficient and resilient management of the electricity system. It also notes that the sector has not previously been regulated for cyber security and resilience, and that many load controllers rely heavily on IT systems and interconnectivity.
As more electrical demand becomes remotely controllable, compromise of control platforms could create consequences beyond individual devices. Large-scale manipulation of load could affect balancing, grid stability, and consumer confidence, particularly as electric vehicle charging and battery systems become larger parts of the electricity system.
The proposed Tier 1 CAF profile would set more specific expectations for large load controllers, using the NCSC’s Cyber Assessment Framework as the assessment structure. DESNZ has developed the draft profile with Ofgem and the NCSC, and the consultation seeks views on feasibility, proportionality, cost, clarity, and implementation.
The policy also changes the practical boundary of critical infrastructure. Traditional electricity regulation centred on generation, transmission, distribution, and supply. Smart energy systems add actors that may not look like conventional energy operators but can influence system behaviour at scale. A technology platform aggregating flexible load may become operationally significant even if it does not own generation assets or wires.
Supply chains will require close attention. Load controllers may rely on cloud services, device manufacturers, communications providers, managed service providers, and software platforms. The consultation notes that load controllers will be expected to manage supply chains in line with CAF outcomes, even where manufacturers and platforms do not themselves fall directly within NIS scope.
Organisations likely to cross the 300MW threshold will need evidence across governance, asset visibility, incident response, control system security, supplier management, logging, recovery planning, and assurance. DESNZ says the government expects the Bill to receive Royal Assent in spring 2027, subject to the parliamentary process, with legislation in force around autumn 2027 and a proposed grace period before formal assurance.
Electrification is changing the shape of national cyber risk. Demand flexibility depends on digital control and trust, and the UK is now trying to regulate that cyber-physical layer before flexible load becomes too large to treat as a lightly governed market function.





