Language selection


Document history of DIS-21-03, Cyber Security and the Protection of Digital Information

View DIS-21-03 [HTML] [PDF]


Consultation on DIS-21-03, Cyber Security and the Protection of Digital Information, is now closed. Thank you to everyone who submitted comments.

The CNSC is proposing amendments to the NSR, including in areas pertaining to cyber security, specifically, the protection of prescribed information and computer-based systems and components that perform or impact nuclear safety, nuclear security, emergency preparedness and management, and safeguards functions. The CNSC has issued discussion paper DIS-21-02, Proposals to Amend the Nuclear Security Regulations, which discusses the proposed NSR changes at a high level. The purpose of DIS-21-03 is to provide details regarding the proposed changes to the requirements and guidance for cyber security and the protection of digital information. This discussion paper also proposes expanding cyber security and information protection requirements to other licensees not governed by the NSR.

In addition, the CNSC is proposing to add a requirement for all licensees subject to the NSR to assess their vulnerability to cyber threats and to include cyber threats in their threat and risk assessments (TRAs). The objective of this requirement is to ensure that licensees are able to detect and respond to cyber attacks targeting prescribed information and systems performing functions important to nuclear safety, security, emergency preparedness and safeguards. Affected licensees will be required, as part of their overall security programs, to develop cyber security programs and measures to manage the risks identified in their TRAs. Affected licensees will also be required to report cyber security incidents in a similar manner to other security incidents. This activity is already being undertaken at high-security sites (HSS).

The CNSC’s expectations for cyber security at HSS are set out in CSA standard CSA N290.7, Cyber Security for Nuclear Power Plants and Small Reactor Facilities (N290.7). CSA N290.7 is currently undergoing revision and the CNSC is involved in the revision process. If required, the CNSC may also consider adding cyber security elements to its regulatory framework to supplement N290.7, within the REGDOC-2.12 series. DIS-21-03 does not propose any additional cyber security requirements for assets providing safety, security, emergency preparedness and safeguard functions for licensees that are already required to comply with N290.7.


The consultation period for DIS-21-03 has ended.

Document milestone Dates Links
Consultation July 7 to October 7, 2021

View discussion paper

[DIS-21-03, HTML]
[DIS-21-03, PDF]

Publication of What We Heard Report: DIS-21-02 and DIS-21-03 March 2022 HTML

Page details

Date modified: