Hackers have launched five cyberattacks against Britain’s drinking water suppliers since the beginning of last year, according to records filed with the drinking water watchdog and partially disclosed under freedom of information laws. This number represents a record high for any two-year period and serves to emphasize the increasing danger posed by malicious cyber actors to the nation’s crucial infrastructure, a threat British intelligence has consistently warned about. Crucially, none of these specific attacks compromised the safe, actual supply of drinking water, but they did impact the organizations and systems that support those supplies, signaling a significant security concern beyond the immediate flow of water.
The data released by the Drinking Water Inspectorate (DWI) shows that the watchdog received a total of 15 reports from suppliers spanning the period from January 1, 2024, to October 20, 2025. These reports were submitted in compliance with the NIS Regulations, which is a core component, though not the only one, of the extensive legal framework designed to govern the security of Britain’s drinking water systems. Of these 15 total reports, five were specifically related to cybersecurity incidents that affected what the DWI classified as “out-of-NIS-scope systems,” with the remaining ten reports detailing non-cyber operational issues affecting the suppliers. Further, more granular details about these 15 reports were not shared publicly.
A significant point of contention lies in the current NIS Regulations, which limit the need for formally reportable cyber incidents only to those that directly result in an actual, measurable disruption to an essential service. For example, if British infrastructure suppliers were successfully impacted by sophisticated “pre-positioning” hacks, such as those tracked under the name Volt Typhoon, they would not be legally obliged to disclose these intrusions since the water supply itself wouldn’t be immediately disrupted. However, the DWI noted that the five disclosed cyber incidents were shared voluntarily by the companies for informational purposes because they were reasonably considered to be “related to water supply resilience risks.”
British officials are planning to address this currently high threshold for mandatory reporting. They are expected to seek an amendment to the existing laws via the Cyber Security and Resilience Bill, which has been repeatedly delayed but is slated to be formally introduced to Parliament later this year. This legislative update aims to lower the bar, making more types of significant cyber incidents subject to compulsory reporting, thereby providing the watchdog with a clearer and more comprehensive picture of the threats facing the sector.
A government spokesperson commented on the necessity of this action, stating: “The cyber threats we face are sophisticated, relentless and costly.” They affirmed the government’s commitment by adding: “Our Cyber Security and Resilience Bill will be introduced to Parliament this year and is designed to strengthen our cyber defences — protecting the services the public rely on so they can go about their normal lives.” This indicates a clear government priority to bolster protections for critical national infrastructure against escalating digital threats.
Reference:
