New cybersecurity rules for smart heat pump manufacturers
TL;DR
- Smart heat pumps face new UK cybersecurity rules
- Must meet ETSI EN 303 645 under the Smart Secure Electricity Systems programme
- Applies to most domestic heat devices up to 45 kW
- Compliance deadline expected to be late 2026 / early 2027
- Aims to protect consumers, data, and the national grid
Introduction
Smart heat pumps will be included in new UK cybersecurity rules, which are intended to help manage electricity demand and reduce consumer bills with new smart functionality. This follows in the footsteps of devices like smart electric vehicle chargers and photovoltaic (PV) inverters.
It means that manufacturers must start preparing now to avoid issues down the line.
What is changing for smart heat pumps?
The UK government has confirmed that smart heat pumps must meet the European ETSI EN 303 645 cybersecurity standard under the Smart Secure Electricity Systems (SSES) Programme. This will mean that heat pumps are in line with other smart energy devices, creating a simple and clear security baseline across the sector.
The new regulations will apply to hydronic heat pumps, storage heaters, heat batteries, standalone direct electric hot water cylinders, hot water heat pumps, and hybrid heat pumps, all up to a thermal capacity of 45 kW.
The regulation was implemented to protect consumers and the national grid. Heat pumps must now show smart-ready functionality, so that they are able to respond flexibly to grid demands. Devices must also support staggered response times to avoid problems when many units react at once to changing energy tariffs.
Timeframe
Once the regulations are passed, manufacturers will have a 20-month grace period to make sure their products meet the requirements. Full enforcement is expected in late 2026 / early 2027.
Why cybersecurity matters for smart heat pumps
Connected home devices are targets for cyberattacks. Smart heat pumps, while offering comfort and energy savings, also bring risks if they are not properly secured.
A hacked heat pump could leak sensitive customer data, leave a home uninhabitable during winter, or waste energy by heating when not required.
However, a greater concern is the aggregation problem. A vulnerability found in one heat pump is likely to be present in all heat pumps from that manufacturer, which means all of those pumps could be commanded to heat or turn off at the same time. Power grid spikes could result, causing stability problems for power supplies and possible blackouts.
This was a problem for smart car chargers and resulted in standards being amended to mitigate the risks.
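The staggered-response requirement and the aggregation problem described above can be shown with a small simulation, added here as an example (it is not from the original article or the regulations). It compares the load a fleet adds to the grid in any 10-second window when every unit reacts to a tariff signal at once versus when each unit draws its own random delay. The fleet size, per-unit load and delay windows are constructed values, not figures from the SSES programme.

```python
import random
from collections import Counter

def switch_times(n_devices, max_delay_s, rng):
    """Second after the tariff signal at which each device turns on."""
    if max_delay_s == 0:
        return [0] * n_devices  # no staggering: every unit reacts immediately
    # Each device draws its own delay locally, uniformly in [0, max_delay_s].
    return [rng.randrange(max_delay_s + 1) for _ in range(n_devices)]

def peak_ramp_kw(times, unit_kw, bucket_s):
    """Largest load (kW) added to the grid inside any single bucket_s window."""
    per_bucket = Counter(t // bucket_s for t in times)
    return max(per_bucket.values()) * unit_kw

def compare(n_devices=100_000, unit_kw=3.0, max_delay_s=600, bucket_s=10, seed=1):
    """Return (simultaneous, staggered) peak ramp for the same fleet.

    All defaults are constructed sample values (assumptions).
    """
    rng = random.Random(seed)  # seeded so the run is repeatable
    simultaneous = peak_ramp_kw(switch_times(n_devices, 0, rng), unit_kw, bucket_s)
    staggered = peak_ramp_kw(
        switch_times(n_devices, max_delay_s, rng), unit_kw, bucket_s
    )
    return simultaneous, staggered

def ramp_by_window(windows=(0, 60, 300, 600), **kwargs):
    """Peak ramp for several delay windows, to show how the spike flattens."""
    return {w: compare(max_delay_s=w, **kwargs)[1] for w in windows}

if __name__ == "__main__":
    simultaneous, staggered = compare()
    print(f"all at once : {simultaneous:>10,.0f} kW in one 10 s window")
    print(f"staggered   : {staggered:>10,.0f} kW in the worst 10 s window")
    for window, ramp in ramp_by_window().items():
        print(f"delay window {window:>3} s -> peak ramp {ramp:>10,.0f} kW")
```

The same flattening applies whether the fleet-wide trigger is a legitimate tariff change or a command sent through a flaw shared across one manufacturer's devices, provided the delay is applied on the device itself.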
About ETSI EN 303 645
ETSI EN 303 645 is a European cybersecurity standard created for consumer IoT devices. It’s more about what good security should look like, rather than exactly how to do it. It sets out simple security outcomes that devices are expected to meet:
- Devices should not ship with easily guessable default passwords, like “admin” or “1234.”
- Devices must be able to receive and check secure software updates to fix problems quickly.
- Important information such as user passwords must be stored safely to stop attackers from accessing it.
- Strong user checks need to be put in place to confirm who is actually using the device.
- Manufacturers must provide a simple and clear way for security researchers to report vulnerabilities they find.
- Products should only collect the minimum data needed and limit any unnecessary ways an attacker might get into the device.
How manufacturers can prepare
To get ready for the new rules, manufacturers can start by reviewing their existing products against the ETSI EN 303 645 requirements to spot any gaps.
They should use Secure by Design throughout product development so security is baked in from the start.
It’s important to set up clear steps for secure software updates, properly managing vulnerabilities, and telling customers about updates in a simple, fast way.
Manufacturers should also consider working with cybersecurity experts to check their devices and get advice on how they can strengthen security.
We have worked with IoT device manufacturers across different sectors, including smart EV chargers and PV inverters, helping them meet key standards like ETSI EN 303 645 and making sure their products are ready for the future.
Conclusion
The new cybersecurity requirements for smart heat pumps mark an important move towards building a safer energy system. With only a short window before the rules are enforced, manufacturers who act quickly will be much better placed to meet the standards and avoid bigger costs later on.
Further reading:
- Smart Secure Electricity Systems Programme: Energy Smart Appliances April 2024: https://assets.publishing.service.gov.uk/media/6659f0147b792ffff71a8601/smart-secure-electricity-systems-2024-energy-smart-appliances-consultation.pdf
- Government response to the 2024 consultation on energy smart appliance, licensing and tariff data interoperability proposals to support consumer-led flexibility April 2025: https://assets.publishing.service.gov.uk/media/6808a2630324470d6a394eb2/SSES-consultation-response.pdf
- New smart appliance standards will help consumers save on bills. Press release: https://www.gov.uk/government/news/new-smart-appliance-standards-will-help-consumers-save-on-bills#:~:text=The%20government%20will%2C%20subject%20to,the%20regulations%20will%20be%20enforced