NCSC handing over the baton of smart meter security: a decade of progress

Summary

The National Cyber Security Centre (NCSC) has formally handed the Commercial Product Assurance (CPA) scheme for smart meters to the Smart Energy Code (SEC) Security Sub-Committee, with ongoing operation contracted to CyTAL under the Department for Energy Security and Net Zero (DESNZ). This marks the end of NCSC ownership after more than ten years of developing and operating the assurance framework that underpinned secure roll-out of SMETS2 smart meters in the UK.

The NCSC led the development of smart metering-specific security characteristics, supported evaluations from 2015 onwards, and worked with DESNZ, the SEC Security Sub‑Committee and evaluation partners (CyTAL, KPMG, NCC Group) to certify devices and raise engineering standards. Achievements include around 150 CPA evaluations, certification of devices from 14 manufacturers, and deployment of more than 32 million CPA-certified devices across UK homes. The scheme also supported sustainability through secure refurbishment and introduced a Risk Review process to manage older devices.

As the NCSC steps back, it has worked with the new operators to ensure a smooth transition and believes industry is now equipped to take ownership of assurance and risk management for the smart metering estate.

Key Points

  • Handover: CPA scheme moved from NCSC to the SEC Security Sub-Committee, operated by CyTAL under DESNZ stewardship.
  • Legacy: NCSC led the assurance work since 2012, with evaluations from 2015 that shaped device security standards.
  • Scale: ~150 CPA evaluations completed; devices from 14 manufacturers certified; over 32 million CPA-certified devices deployed.
  • Partners: Evaluation partners included CyTAL, KPMG and NCC Group, improving testing and reporting capability.
  • Sustainability & risk management: Scheme enabled secure refurbishment and introduced a Risk Review process for older devices.
  • Future: Transition empowers industry to manage risk and scale assurance activity while NCSC focuses on other strategic cyber challenges.

Why should I read this?

Quick and dirty: this is about who now looks after the security of the millions of smart meters in UK homes. If you care about energy resilience, consumer privacy, or the security of critical infrastructure, it matters. The NCSC has built the foundations; now industry has the baton. Read it if you want a concise update on where responsibility sits and how the assurance regime has matured.

Source

Source: https://www.ncsc.gov.uk/blog-post/ncsc/handing-over-baton-smart-meter-security

Author

Anne W, Head of Industry Assurance, NCSC
