I. Introduction
- RIIO (Revenues = Incentives + Innovation + Outputs) is a framework by the Office of Gas and Electricity Markets (Ofgem).
- Ofgem is Great Britain's independent energy regulator and is governed by the Gas and Electricity Market Authority (GEMA).
- The framework aims to ensure that the monopoly organizations operating the UK’s gas and electricity networks have sufficient revenue to run and invest in networks that efficiently deliver what customers value.
- Revenue is how much money an energy network organization can make.
- Incentives encourage energy network organizations to find new ways to improve their service.
- Innovation means energy network organizations finding new ways to provide a safe, reliable, and sustainable network while offering value for money.
- Outputs include safety, preserving the environment, customer satisfaction, social obligations, network connections, reliability, and availability.
- RIIO price controls encourage energy network organizations to support Great Britain’s move to low-carbon energy. There are price controls for gas and electricity transmission, gas distribution, and electricity distribution.
- RIIO-3 also aims to establish a regulatory framework for energy networks that will significantly accelerate Great Britain's transition to a clean power system by 2030.
- Crucially, it facilitates the provision of essential infrastructure identified through national strategic plans and ensures organizations can secure efficient financing for these investments.
- Above all, RIIO-3 is designed to safeguard consumers, both immediately and long-term, by supporting an energy system that is resilient, secure, efficient, and affordable.
- The RIIO-3 price control period runs for five years, from April 1, 2026, to March 31, 2031.
- It applies to network organizations across the Electricity Transmission (ET), Gas Distribution (GD), and Gas Transmission (GT) sectors in the United Kingdom.
- The framework contains a Digitalisation licence condition which requires organisations to follow the Data Best Practice Guidance (DBP Guidance) and the Cyber Assessment Framework. Organizations are additionally required to comply with other applicable UK laws, such as the UK GDPR.
- As the framework is still under consultation and a final decision on the framework is pending, the information in this article is based on the documents released by Ofgem as of 27 August 2025, which was the closing date for the consultation period.
II. Who Needs to Comply with the Law
a. Material Scope
- The material scope of RIIO-3 covers the price controls for the electricity transmission, gas transmission, and gas distribution sectors in Great Britain. These are monopoly organizations that are regulated by Ofgem to ensure they have enough revenue to run their networks and invest efficiently in services that customers value.
- The RIIO-3 price control period is set for five years.
  - Start Date: 1 April 2026
  - End Date: 31 March 2031
- Electricity Transmission (ET): The owners of the high-voltage transmission network.
  - National Grid Electricity Transmission (NGET) (England and Wales)
  - SP Transmission (SPT) (Central and Southern Scotland)
  - Scottish Hydro Electric Transmission (SHET) (North of Scotland)
- Gas Transmission (GT): The owner of the national gas transmission system.
  - National Gas Transmission (NGT)
- Gas Distribution (GD): The organizations that transport gas to homes and businesses.
  - Cadent
  - Northern Gas Networks (NGN)
  - SGN (Scotland and Southern England)
  - Wales & West Utilities (WWU)
b. Territorial Scope
Based on the Draft Determinations Overview Document, the territorial scope for RIIO-3 is Great Britain (England, Scotland, and Wales).
III. Obligations for Organisations Under the RIIO-3 Framework
Under RIIO-3, energy network organizations are obligated to operate within a strict revenue allowance while delivering specific outputs focused on network reliability, consumer value, and Net Zero. Ofgem imposes license conditions to ensure that the billions of pounds in funding allowed for RIIO-3 are spent efficiently.
This includes a mandatory Cyber Resilience requirement, where organizations must utilize the NCSC Cyber Assessment Framework (CAF) to benchmark their security posture. Furthermore, organizations must adhere to Digitalisation License Conditions, requiring the publication of strategies and adherence to Data Best Practice, ensuring data is shared openly only after a rigorous data triage process.
The aim of this obligation is for network organizations to modernize their data and share it openly, rather than keeping it closed within their own organizations. Network organizations must also adhere to the DBP Guidance, a set of principles for managing data, most notably the "Presumed Open" principle. Unless there is a security or privacy reason to withhold it, data must be made standardized and interoperable, so third parties (such as innovators or other utilities) can use it to help balance the grid or create new services.
A. Cyber Assessment Framework
The National Cyber Security Centre's (NCSC) Cyber Assessment Framework (CAF) is a tool to help organizations assess and improve their cyber security and resilience, managing cyber risks and protecting essential services from cyber threats. It is primarily designed for organizations operating essential services in the United Kingdom, in sectors such as energy, healthcare, transport, digital infrastructure and government. It supports both internal assessments and external oversight bodies, helping organizations meet legal and regulatory requirements such as the Network and Information Systems Regulations 2018.
B. Data Best Practice Guidance
The DBP Guidance establishes a regulatory standard requiring energy network organizations to manage their data as a critical asset, comparable in value and maintenance to their physical infrastructure. Its central tenet is the principle of "Presumed Open," which mandates that all data must be made publicly available by default unless security, privacy, or commercial sensitivity requires it to be protected.
To operationalize this, organizations must actively identify "Data Users" and their specific needs, ensuring data is discoverable, interoperable, and standardized through the use of common metadata. Ofgem has recommended the Dublin Core metadata standard, in particular its 'Core Elements' (ISO 15836-1:2017).
Furthermore, the guidance enforces an "Open Data Triage" process to categorize data (Open, Public, Shared, or Closed) and mandates the use of techniques like aggregation and anonymization to maximize data availability, ultimately aiming to dismantle information silos and facilitate the energy sector’s transition to Net Zero.
1. The "Open Data Triage" Requirement (Data Best Practice)
Under the "Presumed Open" principle, organizations are obligated to make their data public. Before releasing any dataset, organizations must perform a triage assessment to determine if the data contains Personal Data (as defined by UK GDPR). If data contains personal information that cannot be anonymized, it must not be classified as Open.
It should be clear whether the resource is open (available to all with no restrictions), public (available to all with some conditions, e.g., no commercial use), shared (available to a specific group, possibly with conditions, e.g., a commercial data product), or closed (not available outside of the data custodian organisation).
2. Anonymization and Aggregation
RIIO-3 explicitly pushes organizations to anonymize or aggregate data so that it can be released without violating privacy rights. They are expected to apply techniques (like aggregating smart meter data to a street or postcode level rather than a household level) to strip out personal identifiers, thereby rendering the data "Open" and compliant. If an organization decides to keep data "Closed" for privacy reasons, it must be able to justify why anonymization was not feasible.
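The triage and aggregation steps described in sections 1 and 2 above can be modelled as a small, auditable routine. The following is an added example written for this article; it is not code from Ofgem, the DBP Guidance or Securiti. It assumes a household-level smart meter dataset (constructed sample values), aggregates it to postcode level, and applies a minimum group size before release. That threshold (`MIN_GROUP_SIZE`) is an assumption of the example, not a figure from the guidance, which names the technique rather than a specific group size.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: one half-hourly consumption reading (kWh) per
# household, keyed by a meter identifier. Household-level readings identify
# a dwelling, so this dataset is treated as personal data under UK GDPR and
# cannot be classified Open in this form. Identifiers and postcodes are made up.
HOUSEHOLD_READINGS = [
    ("meter-0001", "AB1 2CD", 0.42),
    ("meter-0002", "AB1 2CD", 0.37),
    ("meter-0003", "AB1 2CD", 0.55),
    ("meter-0004", "AB1 2CD", 0.61),
    ("meter-0005", "AB1 2CD", 0.48),
    ("meter-0006", "EF3 4GH", 0.91),
    ("meter-0007", "EF3 4GH", 0.33),
]

# Minimum number of households per released group. This is an assumed value
# for the example; the guidance names aggregation as a technique but does not
# prescribe a group size.
MIN_GROUP_SIZE = 5


def aggregate_by_postcode(readings):
    """Collapse household readings into per-postcode totals and counts.

    The result carries no meter identifiers, only the number of contributing
    households and their summed consumption.
    """
    totals = defaultdict(float)
    counts = defaultdict(int)
    for _meter_id, postcode, kwh in readings:
        totals[postcode] += kwh
        counts[postcode] += 1
    return {
        pc: {"meters": counts[pc], "total_kwh": round(totals[pc], 3)}
        for pc in totals
    }


@dataclass
class TriageResult:
    classification: str  # "Open" or "Closed" in this example
    released: dict = field(default_factory=dict)
    suppressed: list = field(default_factory=list)
    justification: str = ""


def open_data_triage(readings, min_group_size=MIN_GROUP_SIZE):
    """Decide whether the aggregated release can be classified Open.

    Postcode groups below the size threshold are suppressed rather than
    released, since a total over one or two households is close to an
    individual reading. If no group survives, the dataset stays Closed and
    the result records why anonymisation was not feasible, as the guidance
    requires organizations to be able to justify.
    """
    aggregated = aggregate_by_postcode(readings)
    released = {}
    suppressed = []
    for postcode, stats in aggregated.items():
        if stats["meters"] >= min_group_size:
            released[postcode] = stats
        else:
            suppressed.append(postcode)
    if released:
        return TriageResult(
            classification="Open",
            released=released,
            suppressed=suppressed,
            justification=(
                f"{len(suppressed)} postcode group(s) below {min_group_size} "
                "households suppressed before release"
            ),
        )
    return TriageResult(
        classification="Closed",
        suppressed=suppressed,
        justification=(
            f"no postcode group reaches {min_group_size} households; "
            "aggregation does not remove the re-identification risk"
        ),
    )


if __name__ == "__main__":
    result = open_data_triage(HOUSEHOLD_READINGS)
    print("classification:", result.classification)
    for postcode, stats in result.released.items():
        print(postcode, stats)
    print("suppressed:", result.suppressed, "|", result.justification)
```

The `justification` field is what makes the routine useful for compliance rather than just for data processing: whichever way the decision goes, the record of which groups were suppressed and why is what an organization would point to when explaining a "Closed" classification or a partial release.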
C. UK GDPR compliance
The DBP Guidance outlines Security, Privacy, and Resilience (SPaR) requirements which organizations must follow. The organization should be able to demonstrate how its products and services are developed in compliance with "the current regulations and legislation relating to cyber and physical security." Specifically, Ofgem has listed a number of frameworks, standards, and regulations that give organisations implementable guidance for meeting SPaR requirements, such as the UK General Data Protection Regulation 2021 (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The UK GDPR is the UK's version of the GDPR, which became part of UK law after Brexit. It sets out the core rules and principles for how organizations must handle and protect the personal data of data subjects in the UK, ensuring individuals have strong rights over their personal data. The UK GDPR, in conjunction with the DPA, forms the comprehensive data protection framework in the UK.
IV. Regulatory Authority
Ofgem stands for the Office of Gas and Electricity Markets. This is the energy regulator for Great Britain.
V. Penalties for Non-Compliance
Any breach of licence conditions can pose compliance and regulatory risk, potentially leading to investigation and penalties, including financial fines of up to 10% of annual turnover, as set out in Ofgem’s Enforcement Guidelines. These powers are derived from the Gas Act 1986, the Electricity Act 1989, and the Energy Act 2023.
Ofgem can also penalise organizations and issue enforcement notices for failures and contraventions under the Network and Information Systems Regulations 2018.
VI. How Can an Organisation Operationalize the Law
Here are the top 5 ways organisations can operationalize the Framework:
- Integrate Digitalisation & Data Governance: Establish a formal digitalisation strategy and embed a robust data governance framework to ensure data is secure throughout its lifecycle.
- Operationalize the Open Data Triage Process: Apply the Open Data Triage process to categorize data (Open, Public, Shared, or Closed), including a triage assessment to determine whether the data contains Personal Data.
- Implement Cyber Resilience Controls: Align security operations with the NCSC Cyber Assessment Framework (CAF), conduct regular assessments to benchmark security posture, and meet cyber-resilience licence conditions.
- Integrate UK GDPR Compliance into Data Handling: Build the Security, Privacy, and Resilience (SPaR) requirements set out in the DBP Guidance, including UK GDPR and DPA 2018 obligations, into day-to-day data handling.
- Establish Internal Oversight & Assurance: Build oversight teams and assign responsibility to ensure compliance with requirements.
VII. How Securiti Can Help
Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with RIIO-3.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Request a demo to learn more.