Nuclear Security Regulations (SOR/2025-219)

Licence Application

Marginal note:Required information

4 An application for a licence in respect of Category I nuclear material, Category II nuclear material or Category III nuclear material or a nuclear facility, other than a transport licence, must contain, in addition to the information required by section 3 of the Nuclear Substances and Radiation Devices Regulations or sections 3 to 8 of the Class I Nuclear Facilities Regulations, as applicable,

• (a) a nuclear security plan that contains

  • (i) a description of the proposed nuclear security system, including each nuclear security measure and any characteristics of the design of the nuclear facility that improve its security,

  • (ii) a list that identifies each nuclear security measure that is a critical security measure and that sets out the compensatory measures that will be implemented in the event that it becomes degraded, inoperative or compromised,

  • (iii) a description of the areas where Category I nuclear material, Category II nuclear material or Category III nuclear material or other nuclear substances are to be produced, used, processed, stored or transported and the location of those areas,

  • (iv) the written arrangements made between the applicant and any off-site response force,

  • (v) the plan and procedures to assess and respond to nuclear security events at the nuclear facility,

  • (vi) the process for controlling access to the nuclear facility and verifying the identity of each person who accesses it,

  • (vii) the processes for determining who, on entering or exiting the nuclear facility, will be searched or screened, and

  • (viii) the cyber security program consisting of the plans, policies and procedures for the protection of the computer systems and electronic components of the nuclear facility against cyber security threats identified in the threat and risk assessment; and

• (b) the threat and risk assessment.

Security Requirements

Nuclear Security Plan

Marginal note:Review and update

• 5 (1) A licensee must review the nuclear security plan at least once per year and update it to reflect any changes to the information that it is required to contain.

• Marginal note:Copy to be provided before implementation

  (2) The licensee must provide a copy of the updated nuclear security plan to the Commission before it is implemented.

Threat and Risk Assessment

Marginal note:Minimum frequency

• 6 (1) A licensee must conduct, at least once every five years, a threat and risk assessment specific to each nuclear facility at which they carry on licensed activities.

• Marginal note:Review and update

  (2) The licensee must

  • (a) review the threat and risk assessment at least once per year and after any nuclear security event at the nuclear facility or after the licensee becomes aware of a change in any threat that is identified in the assessment or of a new vulnerability or threat;

  • (b) update the threat and risk assessment to implement any changes that were identified in the review as being necessary; and

  • (c) update the nuclear security plan if the changes referred to in paragraph (b) necessitate changes to the information that the plan is required to contain.

• Marginal note:Modifications to nuclear security system

  (3) After providing the copy of the updated nuclear security plan under subsection 5(2), the licensee must make the modifications to its nuclear security system that are necessary to counter any vulnerabilities or threats identified in the threat and risk assessment.

• Marginal note:Record to be kept

  (4) For each threat and risk assessment that is conducted, the licensee must keep a record that sets out the results of that threat and risk assessment and each update under paragraph (2)(b).

• Marginal note:Records to be provided

  (5) A licensee must provide to the Commission

  • (a) any record referred to in subsection (4) on request of the Commission; and

  • (b) the record of the results of the threat and risk assessment or an update under paragraph (2)(b), as the case may be, within 60 days after the day on which the threat and risk assessment or the update is completed.

Marginal note:Effective intervention

7 A licensee must implement nuclear security measures that ensure that an effective intervention can be made, taking into account the threats identified in the threat and risk assessment.

Security Program

Marginal note:Training program — behaviour of personnel

8 A licensee must develop and implement a training program to ensure that its supervisors are trained to recognize and report behaviour of personnel, including contractors, that could pose a threat to security at a nuclear facility at which it carries on licensed activities.

Marginal note:Security culture

• 9 (1) A licensee must implement measures to promote and support security culture.

• Marginal note:Record to be kept

  (2) The licensee must keep a record of the security culture measures that it implements.

Marginal note:Interfaces of safety, security and safeguards

• 10 (1) A licensee must, to the extent possible, ensure that

  • (a) nuclear security measures and, if any, nuclear material accountancy activities are designed and implemented so as to avoid and resolve conflicts between them and to detect, prevent and deter the unauthorized removal of any Category I nuclear material, Category II nuclear material or Category III nuclear material from a nuclear facility at which it carries on licensed activities;

  • (b) nuclear security measures do not compromise the environment or the health or safety of persons; and

  • (c) measures taken to protect the environment or the health or safety of persons do not compromise the security of a nuclear facility at which it carries on licensed activities.

• Marginal note:Process to coordinate measures

  (2) The licensee must establish, implement and maintain a process to

  • (a) avoid and resolve conflicts between nuclear security measures and, if any, nuclear material accountancy activities; and

  • (b) coordinate nuclear security measures, environmental protection measures and health and safety protection measures.

• Marginal note:Record to be kept

  (3) The licensee must keep a record that sets out the process referred to in subsection (2).

Marginal note:Compensatory measures

• 11 (1) If a critical security measure for a nuclear facility at which a licensee carries on licensed activities becomes degraded, inoperative or compromised, the licensee must immediately implement compensatory measures that are as effective as that measure was before it became degraded, inoperative or compromised.

• Marginal note:Records to be kept

  (2) A licensee must keep a record that sets out the process for implementing the compensatory measures and a record that sets out each instance in which a compensatory measure is implemented.

Marginal note:Compromise of critical security measure

12 When a licensee becomes aware that a device that is part of a critical security measure is degraded, inoperative or compromised in any way, including by loss, theft or unauthorized transfer, the licensee must

• (a) replace the device or restore it to its proper functioning as soon as feasible; and

• (b) determine, on the basis of an investigation, how it became degraded, inoperative or compromised.

Marginal note:Security guards

• 13 (1) A licensee must ensure that each security guard at a nuclear facility at which it carries on licensed activities is trained and qualified to carry out their assigned duties.

• Marginal note:Record to be kept

  (2) The licensee must keep a record of the training that it provides to each security guard and proof that they are qualified to carry out their assigned duties.

Marginal note:Arrangements with off-site response force

• 14 (1) A licensee must make written arrangements with an off-site response force that, alone or in conjunction with the on-site nuclear response force, if any, is capable of making, at a nuclear facility at which the licensee carries on licensed activities, an effective intervention against any physical threat identified in the threat and risk assessment.

• Marginal note:Provisions in arrangements

  (2) The written arrangements must provide for

  • (a) a process for determining when and how the off-site response force is to be notified when a nuclear security event occurs at the facility;

  • (b) annual visits to the nuclear facility by members of the off-site response force to familiarize them with the facility;

  • (c) the joint development by the licensee and the off-site response force of a contingency plan to facilitate effective interventions by that force;

  • (d) the roles and responsibilities of the licensee and the off-site response force in responding to nuclear security events; and

  • (e) the participation of the off-site response force in security exercises.

• Marginal note:Arrangements signed

  (3) The licensee must ensure that the written arrangements are signed by the licensee and a person who is authorized to sign on behalf of the off-site response force.

Marginal note:Alarm-monitoring

• 15 (1) A licensee must have alarm-monitoring capability or make arrangements with an alarm monitoring service.

• Marginal note:Alarm-monitoring service

  (2) If the licensee has made arrangements with an alarm-monitoring service, those arrangements must provide for the procedure by which the service will notify the licensee or the off-site response force in the event that an alarm signal is received from the nuclear facility.

Cyber Security and Protection of Information

Marginal note:Cyber security program

• 16 (1) A licensee must, for each nuclear facility at which it carries on licensed activities, implement and maintain the cyber security program referred to in subparagraph 4(a)(viii).

• Marginal note:Protection against cyber security threats

  (2) The licensee must protect the computer systems and electronic components of the nuclear facility against the cyber security threats that are identified in the threat and risk assessment.

Marginal note:Protection of sensitive information

• 17 (1) A licensee must protect the sensitive information that is identified in the threat and risk assessment against the threats that are identified in that assessment.

• Marginal note:Nuclear security measures

  (2) The licensee must implement nuclear security measures that protect the confidentiality, integrity and availability of the sensitive information referred to in subsection (1) against the threats that are identified in the threat and risk assessment.

• Marginal note:Access to sensitive information

  (3) The licensee must not permit a person to access sensitive information unless the person requires that access to carry out their duties.

Marginal note:Identity verification, clearance or authorization

18 A licensee must implement measures to protect the following information from loss or theft and unauthorized access, use, disclosure, duplication, alteration or destruction:

• (a) information that is collected, used, retained or disclosed for the purposes of identity verification; and

• (b) information that is collected, used, retained or disclosed in relation to a clearance or authorization.

Security Obligations Relating to Nuclear Substances

Marginal note:Category I nuclear material

19 A licensee must only produce, process, use or store Category I nuclear material in an inner area.

Marginal note:Category II nuclear material

20 A licensee must only produce, process, use or store Category II nuclear material in a protected area.

Marginal note:Category III nuclear material

21 A licensee must only produce, process, use or store Category III nuclear material in

• (a) a protected area; or

• (b) any other area that is equipped with detection, delay and response measures and that is designed and constructed to prevent unauthorized access to the material.

Marginal note:Other nuclear substances

• 22 (1) A licensee may only produce, process, use or store a nuclear substance, other than Category I nuclear material, Category II nuclear material or Category III nuclear material, that has an activity that is greater than or equal to 10 times the D-value for that substance in an area within a nuclear facility that is designed and constructed to prevent unauthorized access to the nuclear substance.

• Marginal note:Security measures

  (2) In respect of the area referred to in subsection (1), the licensee must

  • (a) maintain a list of the persons who are authorized to access the area;

  • (b) permit only authorized persons to access the area; and

  • (c) implement measures to detect, and assess the necessary response to,

    • (i) any unauthorized access to a nuclear substance in the area, and

    • (ii) any tampering or attempted tampering that could compromise or degrade a nuclear security measure or render it inoperative or ineffective.

Marginal note:Removal of nuclear substances

23 A licensee must ensure that nuclear substances are not removed from a nuclear facility at which it carries on licensed activities except in accordance with a licence.

Marginal note:Detection of unauthorized removal

• 24 (1) If a licensee detects the unauthorized removal of nuclear substances from a nuclear facility at which it carries on licensed activities, it must

  • (a) determine the reason for the unauthorized removal; and

  • (b) assess and immediately respond to the unauthorized removal.

• Marginal note:Record to be kept

  (2) The licensee must keep a record that sets out the process by which it will ensure that any unauthorized removal of nuclear substances from the facility is dealt with in accordance with subsection (1).

PART 2High-Security Sites

Definition

Marginal note:Definition of licensee

25 In this Part, licensee means a person who, in relation to a high-security site, is licensed under the Act to carry out any of the following activities:

• (a) carry out an activity described in any of paragraphs 26(a), (e) or (f) of the Act; or

• (b) produce, refine, convert, enrich, process, reprocess, manage, store or dispose of Category I nuclear material or Category II nuclear material.