Nuclear Compliance in 2026: Navigating NERC CIP, NRC, and ITAR for Nuclear Facilities
Nuclear facility operators face the most complex multi-regulator compliance environment in any industry. This guide covers NRC licensing, NERC CIP, ITAR, EPA, and OSHA requirements for nuclear operations in 2026.
No other industry faces the regulatory density of nuclear energy. A single commercial nuclear power plant in the United States is simultaneously subject to Nuclear Regulatory Commission (NRC) licensing, NERC Critical Infrastructure Protection (CIP) standards for grid connectivity, International Traffic in Arms Regulations (ITAR) for certain nuclear technologies, Environmental Protection Agency (EPA) radiological and effluent requirements, and Occupational Safety and Health Administration (OSHA) radiation worker protections. State-level regulators add another layer entirely.
For compliance teams at nuclear operators, engineering firms, and supply chain participants, the challenge is not understanding any single regulation in isolation. The challenge is managing the overlaps, contradictions, and reporting cadences across five or more federal regulators simultaneously — each with its own inspection cycle, enforcement posture, and penalty structure.
The NRC licensing and oversight regime
The NRC is the primary federal regulator for commercial nuclear power, research reactors, fuel cycle facilities, and radioactive materials. Its authority derives from the Atomic Energy Act of 1954 and the Energy Reorganization Act of 1974.
Nuclear facility licensing operates under the following primary frameworks:
- 10 CFR Part 50: The traditional two-step licensing process (construction permit followed by operating licence) used by most existing US reactors
- 10 CFR Part 52: The combined licence (COL) process that merges construction and operating authorisation into a single proceeding, used for new builds and increasingly for small modular reactors
- 10 CFR Part 53: The risk-informed, technology-inclusive framework finalised in 2024, designed to accommodate advanced reactor designs including molten salt, high-temperature gas, and fusion-fission hybrids
NRC oversight is continuous. The Reactor Oversight Process (ROP) involves resident inspectors stationed permanently at each operating plant, supplemented by regional and headquarters-based inspection teams. Performance indicators across seven cornerstones — initiating events, mitigating systems, barrier integrity, emergency preparedness, occupational radiation safety, public radiation safety, and security — determine the level of regulatory scrutiny a facility receives.
Compliance failures trigger escalating NRC responses: from supplemental inspections through Confirmatory Action Letters, Orders, and civil penalties up to $388,000 per violation per day as of 2026.
NERC CIP for grid-connected nuclear facilities
Every nuclear power plant connected to the bulk electric system falls under NERC CIP standards. This creates a second, parallel cybersecurity and operational compliance regime on top of NRC requirements.
The relevant NERC CIP standards for nuclear facilities include:
- CIP-002: BES Cyber System categorisation — nuclear generation assets are typically categorised as high-impact BES Cyber Systems
- CIP-003 through CIP-011: Security management controls, personnel and training, electronic security perimeters, physical security, systems security management, incident reporting, recovery plans, configuration change management, and information protection
- CIP-013: Supply chain risk management, requiring documented processes for assessing and mitigating cyber risks from vendors
- CIP-014: Physical security for transmission stations and substations associated with nuclear generation
The compliance burden is significant because NRC and NERC requirements overlap but do not align. The NRC regulates cybersecurity under 10 CFR 73.54 (Cyber Security Rule), which requires a site-specific cyber security plan approved by the NRC. NERC CIP applies independently through the regional entity and NERC enforcement structure. A nuclear plant’s control system environment must satisfy both frameworks, even where their requirements diverge on implementation specifics.
For example, NRC 73.54 requires a defensive architecture for digital computer and communication systems associated with safety, security, and emergency preparedness. NERC CIP-005 requires Electronic Security Perimeters around BES Cyber Systems. The asset scoping, network segmentation approaches, and access control implementations may need to satisfy both simultaneously — and the audit teams from each regulator evaluate compliance independently.
ITAR and nuclear technology export controls
Nuclear technology intersects with ITAR in ways that many operators underestimate. While the NRC and the Department of Energy (DOE) administer the primary nuclear export control regime under 10 CFR Part 810, certain nuclear-related items fall under USML jurisdiction.
Key ITAR-controlled nuclear items include:
- USML Category XVI: Nuclear weapons design and testing equipment
- USML Category XX: Submersible vessels, oceanographic and associated equipment — including nuclear propulsion systems for naval vessels
- Classified nuclear technology: Any nuclear information classified under the Restricted Data or Formerly Restricted Data provisions of the Atomic Energy Act
For companies involved in naval nuclear propulsion — particularly relevant in 2026 given the AUKUS submarine programme — ITAR compliance is not peripheral. Nuclear propulsion technology for submarines is among the most tightly controlled items in the entire US export control system. Technology Assistance Agreements (TAAs) and Manufacturing License Agreements (MLAs) require State Department approval, and the processing timelines can stretch beyond 12 months.
The intersection of NRC Part 810 (civilian nuclear technology exports), EAR (dual-use nuclear items on the Commerce Control List), and ITAR (defence-related nuclear items) creates a three-regime export control environment that requires careful jurisdictional analysis for every technical exchange, conference presentation, or foreign national access decision.
EPA and radiological environmental compliance
Nuclear facilities operate under multiple EPA frameworks:
- 40 CFR Part 190: Environmental radiation protection standards for nuclear power operations, setting dose limits for the general public from the uranium fuel cycle
- Clean Air Act: Radionuclide emissions standards under the National Emission Standards for Hazardous Air Pollutants (NESHAPs), 40 CFR Part 61 Subpart I
- Clean Water Act: NPDES permits for thermal and radiological effluent discharges
- RCRA: Hazardous waste management for mixed waste (radioactive and chemically hazardous)
- CERCLA: Liability for environmental contamination at current and former nuclear sites
The NRC and EPA have a Memorandum of Understanding governing their overlapping authorities, but compliance teams must track requirements under both agencies. The NRC’s ALARA (As Low As Reasonably Achievable) programme under 10 CFR Part 20 operates alongside EPA’s dose-based standards, and the methodologies for demonstrating compliance differ.
OSHA and radiation worker safety
OSHA’s authority at nuclear facilities is limited by the NRC’s primary jurisdiction over radiological hazards. Under a 1988 Memorandum of Understanding, the NRC regulates radiation protection for workers at NRC-licensed facilities, while OSHA retains jurisdiction over non-radiological occupational hazards.
In practice, this means nuclear facilities must maintain:
- NRC-compliant radiation protection programmes under 10 CFR Part 20, including occupational dose limits (5 rem/year TEDE), monitoring, posting, and labelling requirements
- OSHA-compliant industrial safety programmes for fall protection, confined space entry, lockout/tagout, electrical safety, and all other non-radiological workplace hazards
- Dual reporting: radiological incidents to the NRC under 10 CFR 20.2202 and occupational injuries to OSHA under 29 CFR Part 1904
During outages — when nuclear plants conduct refuelling and heavy maintenance — the workforce can swell from 500 to over 2,000 personnel, and the intersection of radiation protection and industrial safety programmes becomes operationally intense.
Why nuclear is the most complex compliance environment
Several factors make nuclear compliance uniquely challenging compared to other heavily regulated industries:
- No single lead regulator: Unlike banking (where prudential regulators take the lead) or pharmaceuticals (where the FDA is primary), nuclear facilities answer to NRC, NERC, ITAR/DDTC, EPA, OSHA, DOE, and state regulators without a clear hierarchy among them
- Overlapping but non-harmonised requirements: Cybersecurity under NRC 73.54 and NERC CIP, radiation protection under NRC Part 20 and EPA Part 190, export controls under NRC Part 810, EAR, and ITAR — each regulator requires compliance with its own framework independently
- Continuous inspection: NRC resident inspectors are on-site every working day. NERC CIP audits operate on their own cycle. OSHA can inspect at any time. There is no quiet season.
- Severe penalty structures: NRC civil penalties, NERC CIP violations (up to $1 million per violation per day), ITAR criminal penalties (up to $1 million and 20 years imprisonment), and EPA enforcement actions can compound simultaneously
- Long compliance horizons: NRC operating licences run 40 years with 20-year renewals. Compliance programmes must be sustained across decades, through technology changes, regulatory updates, and workforce turnover
Managing multi-regulator nuclear compliance
Effective nuclear compliance management requires a structured approach to cross-regulatory mapping. Compliance teams need to identify where requirements from different regulators address the same operational domain — cybersecurity, radiation protection, environmental monitoring, export control — and build integrated programmes that satisfy all applicable frameworks without duplicating effort or creating gaps.
AuditDSS provides cross-industry regulatory coverage spanning the nuclear compliance stack, including NRC requirements, NERC CIP standards, ITAR export controls, and EPA environmental frameworks. For nuclear operators and supply chain participants navigating this multi-regulator environment, having a unified view of obligations across all applicable frameworks is the difference between proactive compliance management and perpetual audit remediation.
The nuclear industry’s regulatory complexity is not decreasing. With new reactor technologies entering the licensing pipeline, AUKUS driving cross-border nuclear technology transfers, and grid modernisation creating new NERC CIP obligations, compliance teams that lack systematic regulatory mapping will fall further behind. The cost of non-compliance in nuclear — measured in enforcement actions, operational shutdowns, and reputational damage — makes this an area where getting it right is not optional.