Cybersecurity Compliance Standards for the UK Nuclear Energy Sector

The UK’s civil nuclear energy sector is part of the nation’s critical infrastructure, making robust cybersecurity and regulatory compliance essential. Organisations in this sector face strict legal and best-practice standards designed to protect nuclear facilities, sensitive information, and related systems from cyber threats.

This blog examines three key cybersecurity compliance standards for the UK nuclear industry – Nuclear Industries Security Regulations 2003 (NISR 2003), the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), and ISO/IEC 27001 – and explains what they entail and how they apply to nuclear energy.

The Nuclear Industries Security Regulations 2003 (NISR 2003)

What is NISR 2003

The Nuclear Industries Security Regulations 2003 (NISR 2003) is a set of UK regulations (Statutory Instrument 2003 No. 403) that govern security in the civil nuclear industry. Established under the Anti-Terrorism, Crime and Security Act 2001, these regulations cover physical security, personnel security, and information/cybersecurity for nuclear sites and materials.

In essence, NISR 2003 “requires persons to appropriately protect ‘sensitive nuclear information’”– meaning any nuclear-related information that could impact national security if compromised. This includes technical information about nuclear plant systems, material inventories, security arrangements, etc., especially if it is protectively marked as Official-Sensitive or above. 

Who Enforces NISR 2003? 

NISR 2003 is enforced by the Office for Nuclear Regulation (ONR), through its Civil Nuclear Security (CNS) function, on behalf of the UK government. ONR (CNS) carries out this role on behalf of the Secretary of State (the responsible department was formerly the Department of Energy and Climate Change). ONR has legal powers to inspect nuclear sites and to take enforcement action, up to and including prosecution, where the required security standards are not met.

  • For example, in October 2024 ONR prosecuted Sellafield Ltd (a major nuclear site operator) for breaching NISR 2003: an investigation found the company “failed to meet the standards, procedures and arrangements set out in its own approved plan for cyber security and for protecting sensitive nuclear information”, leading to a fine of £332,500. This case underscored that ONR will hold nuclear companies accountable even if no cyber-attack occurred – simply having inadequate controls or not following the approved security plan is an offence.

Key Cybersecurity Requirements under NISR 2003

NISR 2003 imposes a range of security obligations on “responsible persons” (typically the nuclear site licensee or dutyholder) to safeguard nuclear material and information. Key cybersecurity-related requirements include:

  • Protection of Sensitive Nuclear Information (SNI): ONR's Enforcement Policy Statement (page 4) clearly states that Dutyholders must implement and maintain “security standards, procedures and arrangements as are necessary” to protect SNI against loss, theft, espionage or cyber compromise. This covers both digital and physical forms of information. All IT systems handling SNI should have appropriate access controls, encryption, network security, and monitoring to prevent unauthorized access or data leakage.
  • Approved Security Plans: Nuclear Industries Security Regulations 2003 (page 3) states that each civil nuclear site is required to have a Nuclear Site Security Plan (NSSP) approved by ONR (CNS). This plan outlines all security measures (physical, personnel, IT/cyber) in place to meet regulatory requirements. Cybersecurity controls and policies must be part of the NSSP. The dutyholder is legally bound to implement the plan’s measures; failing to do so (as in the Sellafield case) is a breach of NISR. For nuclear material in transit, Transport Security Statements are similarly required.
  • Personnel Security and Access Control: As set out in the Nuclear Industries Security Regulations 2003 (page 3), NISR mandates that individuals with access to nuclear sites or SNI undergo government security vetting (clearances) commensurate with the sensitivity of the information and assets they handle. This ensures that trustworthy personnel manage critical systems and information. In addition, technical measures such as identity and access management (IAM) must enforce the principle of least privilege on networks that hold SNI.
  • Cyber Risk Management and Audits: ONR's Technical Assessment Guide on Maintenance of a Robust Security Culture (page 13) states that dutyholders should identify cyber risks to nuclear operations and information, implement controls, and regularly audit or self-assess those controls. ONR's approach is increasingly outcome-focused: licensees are expected to continuously improve their cybersecurity (guided by ONR's Security Assessment Principles and the NCSC CAF) rather than simply work through a checklist. Significant changes to security arrangements usually require ONR review and approval.
  • Incident Reporting: Any security incident involving SNI – for example, a detected cyber intrusion, malware outbreak, or loss of sensitive data – must be promptly reported to ONR (CNS) as per regulatory guidelines. NISR 2003 includes regulations on notifying ONR of events or issues that affect security. This allows the regulator to investigate serious incidents and ensure appropriate remedial actions are taken.

In summary, NISR 2003 creates a comprehensive legal framework that requires nuclear operators to safeguard nuclear facilities and information to a high security standard. Compliance is not optional; it is mandatory, and ONR inspectors regularly evaluate whether nuclear sites are upholding their approved security plans and maintaining appropriate cybersecurity measures.

National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF)

What is the NCSC CAF?

The Cyber Assessment Framework (CAF) is a high-level cybersecurity framework developed by the UK National Cyber Security Centre (NCSC). Unlike NISR 2003 (which is a legal regulation), the CAF is a guidance and assessment framework – essentially a structured set of criteria and principles used to evaluate how well an organization manages cyber risks.

The NCSC created the CAF to support the implementation of the UK’s Network and Information Systems (NIS) Regulations 2018, which apply to operators of essential services (OES) in sectors like energy, transport, water, health, and digital infrastructure. Nuclear energy is classed as an essential service under NIS, so nuclear operators fall within its scope. The CAF provides a systematic way for both the organisations themselves and their regulators to assess cybersecurity posture in a consistent manner across all these critical sectors.

In practice, the CAF is used by regulators (such as ONR for the nuclear sector) as a tool to measure an organization’s cybersecurity maturity and NIS compliance. The framework is not “enforced” via fines in itself; rather, it informs the regulatory oversight process. For example, ONR inspectors might use CAF principles as a checklist or reference during inspections of a nuclear site’s cyber arrangements, or a nuclear company might perform a self-assessment against the CAF to identify gaps.

The UK government encourages essential service operators to adopt the CAF because it allows cyber resilience to be assessed in a consistent and comparable way across industries. By using a common framework, government and industry can more easily pinpoint systemic weaknesses and share best practices.

The Structure of NCSC CAF

The NCSC CAF is organized into a set of four top-level objectives, each of which is broken down into specific principles (outcomes) that represent aspects of good cybersecurity. In total, the CAF defines 14 cybersecurity principles. The objectives and a summary of their focus are:

  • Objective A: Managing Security Risk – The organisation has effective governance, risk management, and asset management in place for security. This includes principles like A1 Governance (establishing cybersecurity roles and policies), A2 Risk Management (identifying and treating risks), A3 Asset Management (knowing what systems and data you have), and A4 Supply Chain (assuring security in third-party services).

  • Objective B: Protecting Against Cyber Attack – There are appropriate protective measures to defend essential systems and services from attack. Principles under this objective include B1 Security Policies and Processes (documented procedures for secure operations), B2 Identity and Access Control (controlling user access to systems), B3 Data Security (protecting data at rest and in transit), B4 System Security (secure configuration and patching of systems), B5 Resilient Networks and Systems (redundancy, backup, and network security controls), and B6 Staff Awareness (training staff in cybersecurity).

  • Objective C: Detecting Cyber Security Events – The organisation can detect anomalies and potential security incidents in a timely manner. The two principles here are C1 Security Monitoring (having monitoring tools and processes to detect attacks or suspicious activities) and C2 Proactive Security Event Discovery (actively hunting for threats or vulnerabilities, e.g. through threat intelligence or scanning).

  • Objective D: Minimising the Impact of Incidents – The organisation can respond to and recover from incidents to limit damage. Principles: D1 Response and Recovery Planning (established incident response plans, disaster recovery and business continuity plans) and D2 Lessons Learned (processes to analyse incidents and improve after an incident).

Each principle in the CAF is supported by more detailed “contributing outcomes” and “indicators of good practice” that NCSC provides as guidance. These help an organisation determine what meeting a principle looks like in practical terms. During an assessment, each contributing outcome can be rated (e.g. achieved, partially, or not achieved), giving a granular view of strengths and weaknesses.

The CAF’s structured approach – from high-level objectives down to specific indicators – makes it a comprehensive checklist for cybersecurity maturity. An organisation can self-assess or be independently assessed (e.g. by a regulator or an auditor) using the CAF, and identify which areas need improvement.

NCSC CAF's Relevance to the UK Nuclear Energy Sector

The nuclear energy sector, as a critical part of national infrastructure, uses the NCSC CAF as a benchmark to ensure robust cyber defense of its essential functions. While NISR 2003 is a nuclear-specific regulation, the NIS Regulations 2018 impose additional obligations on nuclear operators (since nuclear power generation is an “essential service”). The CAF was explicitly designed to support NIS regulation compliance. In the nuclear context, ONR serves as the NIS competent authority and has integrated the CAF (alongside its own Security Assessment Principles) into its oversight process.

  • What this means: a nuclear power station operator, for instance, is expected to meet NISR requirements and ensure it has “appropriate and proportionate security measures” per NIS. The CAF’s 14 principles essentially elaborate what “appropriate measures” entail in a concrete way. ONR can assess a nuclear licensee against each CAF principle – e.g., checking if there is a risk register and governance structure (Objective A), if networks are properly segmented and hardened (Objective B), if continuous monitoring is in place (Objective C), and if incident response plans are tested (Objective D). A shortfall in any area would indicate the operator’s cyber risk management isn’t up to the expected standard.

The UK nuclear industry has actively embraced the CAF as part of its cybersecurity strategy. In fact, the Civil Nuclear Cyber Security Strategy 2022, published by the government, explicitly builds on the CAF. It describes a sector-wide model of outcomes aligned to NCSC’s CAF principles to measure nuclear cyber security maturity. By aligning with the CAF, nuclear organisations can benchmark themselves not only against regulatory expectations but also against other industries.

In summary, the NCSC CAF applies to the nuclear sector as a key framework for evaluating and improving cybersecurity. It complements the legal requirements (NISR and the NIS Regulations) by breaking down the broad goal of "good cyber security" into actionable principles and outcomes. Nuclear companies regularly conduct CAF assessments (or have ONR conduct them) to gauge their resilience. Over time, widespread use of the CAF in nuclear is giving greater central visibility of cyber risks and enabling more targeted improvements where they are needed.

ISO/IEC 27001 Information Security Management Standard (ISO 27001)

What is ISO 27001?

ISO/IEC 27001, commonly known as ISO 27001, is the internationally recognised standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27001 defines how an organisation should manage and protect information assets through a systematic risk management process. It is a voluntary standard (not a law) that organisations can choose to adopt; conformity can be formally certified by accredited certification bodies.

At its core, ISO 27001 outlines a management framework for continually identifying security risks and treating them with appropriate controls. The standard requires top management commitment, a risk assessment methodology, treatment plans, and a cycle of continuous improvement (often illustrated as the Plan-Do-Check-Act cycle).

Organisations implementing ISO 27001 must develop security policies and objectives, assign roles and responsibilities, and document processes related to information security. They then choose and implement a set of security controls (technical, physical, and procedural) to mitigate identified risks to acceptable levels. The standard is accompanied by ISO/IEC 27002, which provides a detailed reference of best-practice controls.

Why is ISO 27001 globally recognised?

Importantly, ISO 27001 is often used as a benchmark for good cybersecurity practice across all industries. The standard’s broad applicability and rigorous approach have made it “the world’s best-known standard for information security management systems”, specifying requirements that an ISMS must meet. The UK’s NCSC itself acknowledges that “ISO 27001 is one of many standards you can use to implement an ISMS”. Many organisations pursue ISO 27001 certification to demonstrate to clients, partners, and regulators that they have a structured and audited approach to information security. 

Organizations can voluntarily adopt ISO 27001, and enforcement comes in the form of market and contractual requirements. For example, a government agency or a large enterprise might require its suppliers to be ISO 27001 certified.

In critical sectors, regulators often encourage ISO 27001 as a way to structure compliance with broader requirements. Companies that choose certification are audited regularly by their certification body (typically an annual surveillance audit, with full recertification every three years) to confirm that they continue to meet the standard's requirements. If they fail, they can lose their certification.

Key Requirements and Principles of ISO 27001

ISO 27001 is built on a model of continuous improvement for information security management. Some of the key requirements and principles of the standard include:

  • Establishing an ISMS Scope and Policy: The organisation must define the scope of its Information Security Management System – what parts of the business and what information assets are covered. A high-level information security policy, endorsed by leadership, sets the direction and commitment to the ISMS. This ensures everyone knows that protecting information is a strategic priority.

  • Risk Assessment and Risk Treatment: ISO 27001 is fundamentally risk-driven. The organisation needs to systematically identify information security risks (e.g. unauthorized access, data loss, disruption of IT services), analyze their likelihood and impact, and then determine how to treat each risk. Treatment could mean applying a control, accepting the risk, transferring it, or avoiding it. The outcomes are documented in a Risk Assessment Report and a Risk Treatment Plan. Management must approve the risk treatment plan, ensuring that residual risks are acceptable.

  • Statement of Applicability (SoA): Based on the risk assessment, the organisation produces a Statement of Applicability which lists which security controls from ISO 27001 Annex A are selected to address the risks, and which are excluded (with justifications). Annex A of ISO 27001 is essentially a catalogue of reference security controls. In the 2022 edition there are 93 controls in total, grouped into 4 themes (organisational, people, physical, and technological controls). The SoA is a key document that tailors the generic list of controls to the organisation's needs.

  • Implementation of Controls: The organisation must implement the chosen controls and make sure they are effective. Examples of controls include: deploying firewalls and intrusion detection systems, enforcing password policies and multi-factor authentication, encrypting sensitive data, keeping backups and performing recovery tests, securing the physical premises (locks, alarms, visitor logs), training employees on security awareness, establishing incident response procedures, and ensuring suppliers also meet security requirements. The standard does not prescribe specific technologies – it focuses on the existence and management of controls appropriate to the risk.

  • Documentation and Records: ISO 27001 requires quite a bit of documentation. Key documents include the ISMS policy, risk assessment reports, the SoA, security procedures, incident logs, audit plans, etc. Maintaining up-to-date records (like evidence of users’ access reviews, or drill results of business continuity plans) is important, as auditors will sample these to verify that the ISMS is active and not just “shelfware”.

  • Awareness and Training: A principle in ISO 27001 is that people are often the weakest link, so the standard calls for security awareness programs. Staff and relevant parties should receive training commensurate with their role. For instance, IT administrators might get specialized training on secure configurations, whereas all employees get general training on phishing and data handling.

  • Monitoring, Internal Audit, and Management Review: To ensure the ISMS is functioning, organisations must monitor and measure the performance of security controls (e.g. tracking how many malware infections occurred, or how quickly incidents are resolved). Regular internal audits are conducted to check compliance with ISO 27001 procedures and policies. Additionally, at planned intervals (typically annually), top management must do a Management Review of the ISMS – essentially a high-level evaluation of whether the ISMS is meeting objectives, what the status of risks and incidents is, results of audits, and what improvements are needed. This keeps leadership in the loop and accountable for security.

  • Corrective Actions and Continual Improvement: When audits or incidents identify non-conformities or weaknesses, the organisation must take corrective actions. ISO 27001 emphasizes continual improvement – the ISMS should get better over time. This might involve updating risk assessments for new threats, refining controls, or addressing new regulatory requirements. The cycle of Plan-Do-Check-Act repeats: plan (update risk treatment, policies), do (implement changes), check (monitor and audit), act (resolve issues, improve). This dynamic nature ensures the ISMS adapts as the organisation and threat landscape evolve.

In essence, the key principle of ISO 27001 is that security is a managed process, not a one-time project. By following the standard, an organisation embeds security into its everyday operations and governance. The outcome is not just a set of controls, but an organizational culture and system that can respond to new risks in a methodical way. That is why many consider ISO 27001 a “gold standard” for information security management. 

Specific Ways ISO 27001 Applies in the Nuclear Sector

  • Bridging Corporate and Operational Security: Nuclear facilities have operational technology (OT) environments (e.g. reactor control systems) which are subject to very specialized controls (often guided by standards like IEC 62443 for industrial control security). However, those OT systems are supported by IT networks and corporate systems (for data analysis, maintenance management, etc.). ISO 27001 tends to cover the enterprise IT and information management side of the house. By certifying or aligning their corporate IT and information processes to ISO 27001, nuclear organisations ensure that sensitive information (designs, personnel data, SNI documents, etc.) is well protected. This can prevent cyber incidents that, while not directly sabotaging a reactor, could expose sensitive plans or enable espionage. It also supports compliance with the protective marking rules and Official Secrets Acts for SNI by formalizing handling procedures.

  • Supply Chain Expectations: Nuclear operating companies often encourage or require their vendors (like MSPs, engineering contractors, etc.) to hold ISO 27001 certification as a demonstration of good practice. Since ONR regulates the security of the supply chain (List N) and expects adherence to HMG Security Policy Framework, an ISO 27001 certification gives confidence that a supplier has been independently audited against high security standards. It’s not a guarantee, but it’s a strong indicator the supplier takes security seriously. As a result, being ISO 27001 certified can be a competitive advantage for businesses aiming to work in the nuclear sector. Likewise, a nuclear company itself having ISO 27001 certification can assure its partners and stakeholders (including international ones) that it manages information security to a recognized benchmark.

  • Comprehensive Coverage: ISO 27001 covers areas that may not be explicitly detailed in NISR or CAF but are nonetheless important. For instance, ISO 27001 has controls around data privacy, which helps nuclear organisations also comply with data protection laws (useful because nuclear sites handle personal data of employees and local residents). It has controls on HR security (screening, termination processes) which complement NISR’s personnel vetting requirements. It includes business continuity planning for information systems, which pairs with nuclear emergency planning but ensures even IT disruptions are managed. By using ISO 27001, a nuclear organisation can consolidate various requirements (safety, security, quality, privacy) into one coherent management system.

  • Certification and Assurance: While ONR inspections are one assurance mechanism, ISO 27001 certification adds another layer. A nuclear site or a nuclear engineering firm with ISO 27001 can show auditors a valid certificate and audit reports, which might streamline some aspects of regulatory oversight (demonstrating that, at least for corporate IT, controls are in place). The international recognition of ISO 27001 is also useful for nuclear organisations that collaborate internationally or are part of global companies, since it provides a common language and standard for security across borders.  

ISO 27001's Relevance to the UK Nuclear Energy Sector 

For organisations in the UK nuclear energy sector, compliance with NISR 2003 is mandatory and compliance with NCSC CAF is expected – so where does ISO/IEC 27001 fit in? In practice, ISO 27001 is used in the nuclear sector as a complementary standard that helps meet and exceed those regulatory requirements. While not specifically mandated by nuclear security regulations, implementing ISO 27001 can greatly benefit nuclear companies and their partners by providing a structured framework for all aspects of information security.

Many entities in the nuclear industry have embraced ISO 27001 as part of their security strategy. For example, the UK’s National Nuclear Laboratory (UKNNL) explicitly states in its security policy that it will “develop a robust cyber security and information assurance plan to mitigate risks to systems and information in accordance with ISO27001 standards”, alongside Cabinet Office requirements for protectively marked information and ONR’s SNI requirements. This illustrates how nuclear organisations use ISO 27001 to underpin their cyber programs while also meeting government and ONR-specific rules.

Essentially, ISO 27001 provides the management system backbone: ensuring there’s a risk-based approach, defined controls, and continuous improvement, which in turn makes complying with NISR and CAF more systematic. 

  • It’s worth noting that ISO 27001 is not a substitute for NISR or CAF – rather, it’s a supportive framework. NISR has certain very specific requirements (like working with ONR on approvals, SNI classifications) that ISO 27001 doesn’t cover. Similarly, the CAF has some focus on outcomes tailored to critical systems (like threat hunting in C2, or specific guidance for essential functions). However, an organisation with a strong ISO 27001 ISMS will find it much easier to meet those requirements. The ISMS will ensure there’s a process to handle government classified information (tying into SNI rules), a process to onboard suppliers securely (List N requirements), a process to continually evaluate threats (aligning to CAF Objective A), etc. 

In sum, ISO 27001 provides the nuclear sector with a globally recognized blueprint for security management that reinforces regulatory compliance and overall cyber resilience.

From Regulation to Resilience: Cybersecurity Compliance in Critical Infrastructure

Cybersecurity compliance in the UK nuclear energy sector is multi-faceted, with legal regulations, government frameworks, and international standards all playing a role. The key is to integrate compliance proactively into everyday operations: know the rules (NISR), follow the framework (CAF), and adopt the standard (ISO 27001). In an industry where the stakes are so high, the investment in compliance and strong security practices is well worth the effort.

Fancy more knowledge about relevant laws, standards, and frameworks for the nuclear industry? Get in touch with us today to enjoy your 14-day free trial or access a library of on-demand demos to experience the modern way to manage human risk, drive compliance, and build a security-aware culture tailored to even the most regulated sectors. Let us help you stay compliant, confident, and ahead of threats.
