The U.K. government has published its official response to the 2024 consultation on the Smart Secure Electricity Systems (SSES) Programme, addressing proposals on energy smart appliances, licensing, and tariff data interoperability aimed at enabling consumer-led flexibility. The document adopts consumer-led flexibility (CLF) by building the right set of technical standards and requirements, ensuring robust cybersecurity protections, and giving consumers the confidence to jump into the smart market. Furthermore, through the licence, organizations will be required to have the necessary cybersecurity, financial, and management arrangements in place, and take account of grid stability considerations.

Later this year, the government will launch consultations on several key areas, including: draft regulations for Phase 1 ESA (Energy Smart Appliances) device standards; Minimum Viable Product (MVP) tariff data standards within the Retail Energy Code (REC), along with associated changes to Supply Standard Licence Conditions (SLC); enduring governance arrangements; and draft licensing regulations with the first tranche of licence conditions.

By early 2026, the government also plans to legislate to establish Phase 1 ESA device regulations and formally introduce the tariff data standard requirement into the REC and supply licence framework.

The ESA consultation set out details on policy regarding establishing minimum requirements for cybersecurity, establishing minimum requirements for grid stability, and introducing the ‘smart mandate’ to heating technologies. The consultation also sought views on longer-term frameworks for ESA standards and associated governance.

“We therefore propose that the requirements introduced by the 1st phase ESA regulations will apply to devices placed on the market 20 months after the regulations are made (when the SI is signed and becomes law, though not coming into force at that point), or if sooner, by the end of 2027,” the consultation document detailed. “This period, which is longer than the 12-18 month range set out in the consultation ‘Delivering a smart and secure electricity system’, balances the need to allow manufacturers sufficient time to take account of new regulatory requirements with the need to ensure sufficient requirements are in place to mitigate the rising cyber security risks and proliferation of electric heating technologies, both of which are expected to increase significantly through 2027.”

It added that while the government intends to allow a longer implementation period, it considers that addressing these cybersecurity risks takes priority.

The document added that the regulations are subject to Parliamentary approval. Given that Parliamentary timetables are difficult to predict with accuracy, and that a 20-month implementation period would not see the first phase regulations coming into force until after 2027, an implementation period will be set to conclude by the end of 2027 at the latest, ensuring that minimum cybersecurity standards are in effect by the beginning of 2028.

Since the publication of the consultation, the government has worked with the National Cyber Security Centre (NCSC) and Ofgem, as well as with industry stakeholders through the Security Working Group (SWG) and beyond, to determine what minimum security requirements are proportionate and appropriate for the first phase of ESA regulations. This includes undertaking a Security Architecture Design (SAD) exercise, which has been reviewed by the SWG, NCSC, and Ofgem, to determine where security controls need to apply to mitigate key risks to devices, apart from organizations and systems in the scope of the SSES programme.

Following the evidence gathered during this consultation, the government will apply requirements on functionality, grid stability, and cybersecurity to BESS (battery energy storage systems) sold with smart capability (regardless of whether a smart mandate, requiring BESS to have smart functionality, is ultimately put in place). These requirements are expected to be the same as those that will apply to smart electric heating appliances, except where the nature of BESS or heating appliances means that some specific provision for either is appropriate.

Additionally, applying these requirements to smart BESS will safeguard consumer interests, for example, by ensuring that BESS with smart functionality will have protection against safety risks and build consumer trust in the sector.

The document acknowledged that, as noted by respondents, there may be additional cybersecurity requirements that would be desirable for the manufacture of ESAs. “However, for phase 1, government’s view is that manufacturers must follow the most current version of ETSI EN 303 645. For any subsequent version of ETSI EN 303 645, manufacturers will have a period of 20 months before they have to comply with updates to the standard ETSI EN 303 645. This aligns with the direction of travel in EU regulations; however, as the risk of cyber threats evolves, government will keep under review the need to implement additional requirements for phase 2 of the ESA Regulations,” it added.

On cybersecurity, most respondents suggested more information was required from the government to design a new approved standard, including use cases for different risk and threat scenarios. A minority of respondents also highlighted the need for NCSC input on any cybersecurity standard design.

The government has decided to take a phased approach to implementing the licence. This will mean introducing some of the consumer protections and management and financial controls, cyber security, and grid stability requirements first. “We will also be requiring licensees to be party to the enduring governance code at the point the licence comes into force. This is to align with the expected transition phase for governance.”

It added that “to give licensees additional time to adjust to the first set of licence requirements, we expect there to be a transition phase and will be working with prospective licensees and industry, through the Licensing Working Group, to test our approach to this before consulting on it in our next consultation.”

The consultation document also proposed to use a tailored Cyber Assessment Framework (CAF) profile for DSR Load Controllers controlling loads below 300MW and a separate tailored CAF profile for Large Load Controllers managing loads equal to or above 300MW. The CAF, developed by NCSC, is an outcome-focused framework designed to assess organizational cyber resilience. It also set out principles for the security assurance framework to ensure it is fit for purpose.

“We continue to believe there are cybersecurity risks associated with Load Controllers that manage loads of 300MW and above and a wider set of ESAs in large non-domestic settings,” the document added. “Large non-domestic consumers and the wider scope of ESAs proposed for Large Load Controllers in the 2024 consultation will continue to be used for designating OES in scope of NIS regulations. This means, for the purpose of NIS Regulations, we propose that organizations who manage domestic and small non-domestic loads of 300MW or above, as well as industrial and commercial loads of 300MW or above, will be deemed designated as OES, and this will apply to the following ESAs: EV charge points in all domestic and non-domestic settings, EVs, Heating technologies that fall within scope of the smart mandate, BESS, and ESAs that control wider loads in non-domestic settings.”

Additionally, for NIS purposes, “we also recognise the key role of aggregators that would neither be a DSRSP nor a Load Controller but engage in flexibility services or support load control activity. As such, we intend to bring aggregators controlling 300MW load and above into the scope of NIS requirements, given the key role they will play in flexibility services and the wider risk they pose to the grid.”

The U.K. government also announced that ‘Secure by Design’ mandates are set to become mandatory across all departments for protecting ‘crown data and services.’ The guidance document identified four key problems, including how to up-skill UK defence in Secure by Design; how Secure by Design can account for unevenly distributed information and knowledge; how to incorporate Secure by Design into the earliest stages of capability acquisition; and how to support Secure by Design through life.
