2025 was the fourth reporting year for companies since the Inspectorate has regulated the Security and Emergency Measures Direction (the Direction). Companies have demonstrated an overall improvement in self-identification of the areas that they need to improve and move towards compliance of the Direction, resulting in significant investment in AMP8 over a range of schemes consisting of security and emergency planning improvements. This recognition has led to an overall decline in the reported Red, Amber, Green (RAG) position since 2022.  

The Inspectorate undertook a program of 22 on-site technical audits as well as event assessments and company interactions which resulted in a range of enforcement activity to secure improvement and compliance as demonstrated in Figure 61:

Figure 61 – SEMD Enforcement activity

Sufficiency

In September 2024, the National Infrastructure Commission (now National Infrastructure and Service Transformation Authority – NISTA) published a guide to developing resilience standards in UK Infrastructure, identifying gaps in water industry regulation and recommending resilience standards for public water supplies. Key recommendations included: setting a peak demand standard for short-term supply capability; defining limits on consumers reliant on a single asset; and introducing forward-looking asset health metrics. 

In response to the publication, the Inspectorate undertook analysis and research. The Inspectorate then drafted a report with proposed guidance on maintaining a sufficient water supply in response to the key recommendations identified in the NISTA report and incorporating the findings of the independent research. The Inspectorate concluded that the measurement of sufficiency, serves as a practical indicator for both supply resilience and asset health.

Figure 62 – Sufficiency

There was also a wider acknowledgement that no single lens would deliver the results that are intended in the NISTA report, so whilst sufficiency was the focus of the Inspectorate’s response it touches on a number of areas as shown in Figure 62. This work then allows other standards to be developed and work in conjunction with the sufficiency work. 

The Inspectorate’s proposed guidance supports the principles of, clear definitions, risk assessment planning, collection of empirical data, measurable outcomes, exceedance conditions, event conditions, consumer validation and regulatory reporting. This is overlaid in a systems approach to identify and target areas that need investment the most. The Inspectorate will continue to work further with water companies and other relevant stakeholders including regulators to improve the development of sufficiency risk assessments and reporting pathways.  

RAG Summary (2025) 

RAG Submission – The RAG assessment is a self-assessment tool, to report compliance with the direction over 33 outcomes covering the whole of SEMD. 

Overview of RAG Movements – Since 2022, the companies red and amber self-classifications have increased, as expected in the initial years of assessment following regulator feedback from events and audits and peer to peer benchmarking.  

Figure 63 – RAG outcomes

Notable RAG outcomes in 2025 include:

Outcome 3.2: Alternative water – Most companies reported an Amber position for alternative water in 2025. Common weaknesses included insufficiently adjusted stockpiles, challenges deploying static tanks, and over‑reliance on mutual aid, which is not always available in practice. Events during the year demonstrated that alternative water provision can be constrained by location and accessibility rather than scale alone, and that supply chains are vulnerable during concurrent weather-related incidents. The Inspectorate reiterates that companies remain responsible for all customers off supply and must ensure plans are deployable under reasonable worst‑case scenarios. 

Outcome 3.3: Vulnerable customers – This remains a persistent area of companies reporting non‑compliance within the RAG. During incidents, companies frequently apply an overly narrow definition of vulnerability and do not consistently prioritise all customers who meet the emergency planning guidance (EPG) definition. While some good practice was observed, companies must ensure that all vulnerable customers, including those beyond tiered priority models, receive appropriate support within required timescales and that prioritisation arrangements are clearly defined and evidenced. 

Outcome 3.9: Communication – Although not always reflected in RAG self‑assessments, another area that has been noted by the Inspectorate as requiring improvement is communication during live incidents. The Inspectorate continues to identify significant shortcomings in incident communications. Events reviewed in 2025 show that customers often receive infrequent or vague updates, contributing to confusion and frustration. The Inspectorate reviewed an event where in the absence of updates from a company, social media rumours took over and people were queueing at bottled water stations that had not been announced, opened or even stocked. Companies are expected to provide timely, accurate updates during incidents, including minimum likely restoration times and clear information on alternative water provision, in line with EPG requirements for 24/7 accessibility and responsiveness. 

Outcome 4.4: External suppliers – The majority of companies assessed this outcome as Amber, reflecting limited visibility and assurance over extended supply chains, particularly subcontractors and overseas manufacturers. While contractual provisions are commonly in place, many companies report they lack effective mechanisms to test compliance in practice. Companies reporting stronger positions demonstrate clearer contractual expectations, routine reviews, and consistent application of security requirements across all suppliers and subcontractors. 

Outcome 4.8: Personnel security – Requirements for role-based risk assessments have been in place since 1 March 2022, with guidance further reinforced following industry consultation in February 2024, and subsequently updated in protective security guidance (PSG). On 3 April 2024, the Inspectorate notified companies that audit evidence for personnel security procedures and measures would be required by 1 April 2025. Water companies have therefore received significant notice and time to advance their Personnel Security (PERSEC) measures.   

Analysis by the Inspectorate indicated a trend among companies to shift from a Green rating to Amber or Red on the outcomes associated with the audit topic. Based on the companies’ self-assessments of this audit topic, 10 companies reported a deterioration in their RAG (Red-Amber-Green) positions. This pattern suggests that most companies are overestimating their compliance with the RAG guidance. The Inspectorate therefore issued an industry-wide recommendation for companies to undertake a rigorous and candid evaluation of their risk profiles as part of the RAG self-assessment process.  

Analysis of audit evidence by the Inspectorate found that companies reporting a decline in outcome 4.8 have highlighted a range of vulnerabilities, including:  

  • A shifting risk environment and evolving threat landscape.  
  • Weak key controls, with risks linked to lost and non-returned keys.  
  • Absence of sufficient mover checks for internal transitions into sensitive roles.  
  • Limited documentation and reliance on ad hoc local procedures.  
  • No formal aftercare policy for personnel security.  
  • Backlog, incomplete or no role-based risk assessments.  
  • Inadequate personnel security checks for contractors.  

Events and Incidents

2025 saw companies reporting a variety of security events as well as some large loss of supply events.  Events reported included break-ins at works including attempted cable theft at one Critical National Infrastructure (CNI) site. Following the personnel security audit of companies as part of the RAG, this subsequently manifested in several events reported around how a water company manages its personnel security of staff as well as information handling of sensitive data. 

One company in particular, suffered from a series of loss of supply emergency planning events, with the company attributing the cause to hot weather. The Inspectorate expects companies to have plans in place to continue to supply at all times as required under paragraph 4(a) of the Direction states that plans for water supply must be prepared on the basis that the company must (a) continue to carry out (i) all of its water supply functions.

Critical National Infrastructure fuel theft 

This incident involved unauthorised access to a CNI site to steal fuel from alternative water supply tankers which in turn allowed access to parts of the treatment process, although no treatment interference took place.  

The site’s perimeter and gates suffered no damage during the theft. In the days before the theft, the main gate’s combination padlock had been replaced due to wear and tear, but the same combination was retained. It was unclear from the Inspectorate’s assessment if the combination was known to the hostiles. 

The company did not initially recognise this event as a serious incident because some operational assets were outside the inner boundary enclosure. Although internal escalation did occur, the company is updating its reporting processes. 

Following the incident, the company undertook 24/7 guarding with strict access checks and regular patrols of both the perimeters and operational assets outside the inner fence. Longer‑term measures are now in place.  

Serious organised crime 

In January 2025, a water company reported a security incident at a CNI site involving attempted metal theft. Intruders accessed the site via adjacent farmland while the control room operator was undertaking site rounds. Although alarms were triggered, no access was gained.  

Following the incident, the company implemented a range of mitigations. A perimeter fence upgrade was commissioned, and staff were briefed on intruder risks and escalation requirements. The Inspectorate determined that the seriousness of the event warranted a targeted audit of the site, which was undertaken on 19 March 2025.