User Compliance with Security Obligation G3.20

28 January 2021

In September 2020, SECAS communicated to all SEC Parties that the Security Sub-Committee (SSC), working in conjunction with SECAS, NCSC and Meter Manufacturers, had been successful in improving the ability for Suppliers to comply with SEC security obligation G3.20. This was to help address the issues regarding commercial contract negotiations which had presented difficulties and caused delays for Suppliers in being able to maintain compliance with G3.20, an obligation against which observations where consistently being raised during User Security Assessments.


As of 22 June 2020, any Manufacturer looking to gain Commercial Product Assurance (CPA) Certification for a SMETS2+ Device is required to notify the SSC directly of any material security vulnerabilities found on its Devices. To assist Supplier compliance with G3.20 for SMETS2+ Devices which were certified before 22 June 2020, and for Enrolled SMETS1 Devices, the SSC sought an agreement with all Manufacturers to notify the SSC directly of any material security vulnerabilities.


SECAS is happy to announce that all Device Manufacturers have joined the agreement, therefore the SSC will be informed of any material security vulnerabilities found on SMETS2+ and Enrolled SMETS1 Devices. Further information, including a list of Device Manufacturers, can be found on our website here.


If you have any questions, please get in touch with the SECAS Security Team at


Thank you