The Network and Information Systems Regulations 2018 ensure that the operational technology used to maintain the production of drinking water remains robust and operational. This supports the delivery of wholesome water at all times and without disruption. In England and Wales, implementation and operational delivery of the NIS Regulations is delegated to the Inspectorate. This is achieved by regulating and overseeing compliance with the NIS Regulations through assessment of cyber resilience and operational technology security.

Operational technology refers to the hardware and software systems used to monitor and control physical devices, processes and infrastructure in industrial operations. It differs from information technology by focusing on control of the physical environment rather than data processing and management. Operational technology controls the operation and automation of equipment used for abstraction, treatment and distribution of drinking water, including forwarding pumps, chemical dosing pumps, valves, water quality protection shutdown systems and automated safety systems. It is critical to the automated, safe and cost-efficient production of wholesome drinking water. To protect this essential service, these technologies must be suitable, secure and fit for purpose to ensure continuous, reliable production while defending against evolving threats to critical national infrastructure.

Examples of OT include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems for drinking water treatment and distribution. SCADA is a system of software and hardware components that allow the automated operation of industrial processes locally or at remote locations. It is used to monitor, gather, and process real-time data; directly interact with devices such as sensors, valves, pumps, and motors. Other examples of OT include Human Machine Interfaces (HMI) which are screens, or interfaces that connect humans to a machine, system, or device.  Access to such technology by threat of actors with disruptive intent would have potentially serious consequences.

Water companies serving a population of 200,000 people or more must implement a risk assessment to improve the resilience of OT. The sector uses the NCSC Cyber Assessment Framework (CAF) at the request of the Inspectorate. Since 2018, the Inspectorate has received a CAF return annually from each company falling within the NIS regulations.

The companies map their resilience to threat actor capability against contributing outcomes of good cyber practice. This risk assessment informs investments plans and areas requiring additional controls.

Between 2023-2024, every water company was subject to an Inspectorate cyber resilience audit to verify each company’s self-assessed CAF assessment. Two companies were issued legal notices to improve their risk assessments in response to the audits. Every company in England (and Wales) has a regulation 18 notice to address residual cyber risk and their PR24 cyber improvement plans. Ofwat Price Control Deliverables are tied to these notices being met in full. Failure to meet the notice requirements may attract Ofwat penalties in addition to any Inspectorate enforcement.

During 2025, the final cyber resilience audit was completed. The Inspectorate also met with companies 62 times with nine in-person meetings. Desktop audits were conducted looking into progress made in 2025 against the 2024 audit. Companies were asked for evidence on Contributing Outcomes (COs) where they stated they had made a progress in 2025.