Policy paper

Large load controllers

Published 12 November 2025

What are we going to do?

Load control will be brought into scope of the Network and Information Systems (NIS) Regulations 2018 as an essential service, with a threshold requirement of 300 megawatts (MW) or more of electrical load to and from relevant energy smart appliances, above which large load controllers will be deemed designated. This reduces the risk of grid disruption through enhanced cyber security requirements. Load controllers are organisations managing electrical load for energy smart appliances, e.g., to support electric vehicle charging during off-peak times.

Why are we going to do it?

Load controllers are organisations that control electrical load to and from energy smart appliances, such as battery energy storage systems, to support consumer-led flexibility (CLF)[footnote 1]. They are an important tool for the National Energy System Operator (NESO) to manage and optimise the electricity system, especially during the transition to Clean Power 2030 and Net Zero. They do this by reducing Britain’s aggregate electricity use at peak demand periods, thereby minimising the amount of generation and associated network that needs to be built to meet peak demand. Despite their growing importance, there are currently no legislative cyber security requirements on load controllers.

Case study

As our energy system becomes increasingly digitalised and interconnected, the integration of diverse technologies and service providers introduces new vulnerabilities that could have far-reaching, system-wide consequences.

In particular, large load controllers play a critical role in managing a more dynamic and responsive energy system. However, increased digitalisation and remote energy management also heighten exposure to cyber security threats which, if not mitigated, pose a risk to the stability and resilience of the electricity sector.

Previous high-profile cyber incidents, such as the SolarWinds supply chain compromise in December 2020, the ransomware attack on the United States Colonial Pipeline in May 2021, and the July 2021 attack on the managed service provider Kaseya, underscore how malicious actors can disrupt national infrastructure by exploiting companies and products providing essential services. These attacks, as well as the substation fire that resulted in the closure of Heathrow Airport on 20 March 2025, demonstrate the potential for cascading impacts across the economy and society from disturbances to the energy system. They highlight the urgent need for cyber regulation to evolve in step with emerging technologies as the energy sector undergoes rapid transformation.

How are we going to do it?

The Cyber Security and Resilience (Network and Information Systems) Bill amends the NIS Regulations by introducing load control as an essential service and a threshold requirement for bringing large load controllers into scope of the NIS Regulations, namely where they have the potential to control 300 MW or more of electrical load to and from relevant energy smart appliances. The Department for Energy Security and Net Zero (DESNZ) and Ofgem will be joint competent authorities (regulators).

Threshold

Large load controllers will be deemed designated and subject to these requirements if they are involved in load control and have control of relevant energy smart appliances (ESAs) with a combined potential electrical capacity of 300 MW or more.

Potential electrical control should be assessed on the basis of the rated electrical capacity of the appliances under the organisation’s control, as specified by the appliance manufacturer.

In addition, organisations acting as intermediaries, on behalf of or under the direction of a load controller, will also be subject to these requirements if they:

1. Have the capability to modify or process load control signals sent to relevant ESAs; and
2. Are authorised by the load controller to carry out such actions.

Security duties

Introducing load control as an essential service will require large load controllers that meet the threshold and are deemed designated as operators of essential services (OES) to:

  • Take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies.
  • Take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of their essential service, with a view to ensuring the continuity of those services.
  • Notify the regulator in writing about any incident which has a significant impact on the continuity of the essential service they provide.

Hypothetical example

A UK-based large load controller manages approximately 500 MW of flexible electrical demand across the country.

On a day when the National Energy System Operator (NESO) is already managing challenging conditions affecting the grid, the load controller is targeted by a moderately advanced cyber actor. The malware attack disables its control systems, causing a sudden and uncoordinated drop in demand across the network. This triggers High Frequency Demand Disconnection (HFDD), an automatic emergency tool designed to protect the national transmission system from failure.

This would result in some customers being automatically disconnected from the electricity supply for a short period of time. These disconnections would be geographically spread, ensuring no region was entirely without power, but the cascading impacts on other critical sectors would be significant.

Had the load controller been designated as an OES:

  • It would have been required to identify and manage cyber risks proactively.
  • Stronger defences and response protocols could have prevented or contained the attack.
  • Early notification to regulators and grid operators could have enabled faster intervention, potentially avoiding widespread disconnections.

Implementation

This measure will be brought into force through secondary legislation following Royal Assent.

This allows regulators and industry stakeholders sufficient time to prepare for the new regime. Load controllers that meet or exceed the 300 MW threshold will be required to formally notify the relevant regulator within 3 months of falling within scope of the essential service threshold.

To support organisations in understanding and meeting their new obligations, regulators will issue tailored guidance. The guidance will be designed to help load controllers navigate the regulatory framework and implement appropriate measures to ensure continuity and security of essential services.

A transitional period is being considered to allow in-scope load controllers time to assess their systems, implement appropriate technical and organisational measures, and establish incident response protocols. This period is intended to facilitate a smooth transition and ensure that organisations are adequately prepared to meet their obligations. DESNZ will be conducting a consultation in the coming months which will enable industry stakeholders to provide views on the length of this transitional period.

Regulators will monitor adherence to the NIS Regulations. This will include audits, incident reviews and, where necessary, enforcement actions. The aim is to ensure that essential services remain secure and resilient against cyber threats and other risks. Enforcement mechanisms may include information notices, inspection powers, enforcement notices and penalty notices.

The regulators will maintain regular engagement with industry stakeholders to ensure the regulatory framework remains proportionate, effective and responsive to emerging threats. This collaborative approach will help ensure that the NIS Regulations continue to support the resilience of essential services across the UK.

  1. Changing electricity demand to help meet the needs of the energy system, typically to benefit the transmission network, distribution network, or another third party. Often referred to in industry as demand side response or ‘DSR’.