Canada Gazette, Part I, Volume 156, Number 46: Nuclear Security Regulations, 2023
November 12, 2022
Statutory authority
Nuclear Safety and Control Act
Sponsoring agency
Canadian Nuclear Safety Commission
REGULATORY IMPACT ANALYSIS STATEMENT
(This statement is not part of the Regulations.)
Executive summary
Issues: Security threats, operational experience and technological advancements have evolved dramatically since the existing Nuclear Security Regulations (NSR) were implemented. The NSR must therefore be amended to continue to meet their objectives. The NSR need to be modernized to align with current international recommendations, guidance and best practices and current Government of Canada directives and policies to ensure that nuclear facilities in Canada continue to mitigate physical, cyber and insider threats in the modern and evolving threat and risk environment. Further, modernization of the NSR is necessary for the Canadian Nuclear Safety Commission (CNSC) to uphold the commitments made in the Canadian Small Modular Reactor (SMR) Roadmap (SMR Roadmap) and in A Call to Action: A Canadian Roadmap for Small Modular Reactors (SMR Action Plan) [PDF] to amend prescriptive requirements that pose a potential barrier to SMR development and deployment in Canada.
Description: The CNSC is proposing to repeal the existing NSR and replace them with the Nuclear Safety Regulations, 2023 (proposed NSR 2023). The proposed NSR 2023 would implement performance-based regulations and include new requirements for cybersecurity and the protection of sensitive information, as well as update security clearance requirements to address new threats and risks. The proposed NSR 2023 would address and incorporate international peer-reviewed suggestions from the International Atomic Energy Agency experts, and would be aligned with international security recommendations, guidance, and best practices. Further, the structure of the proposed NSR 2023 would be revised to improve the readability and clarity of the Regulations.
Rationale: The NSR are a key regulatory instrument for the security of nuclear materials, nuclear facilities and nuclear substances in Canada. New security threats and risks, technologies, and international recommendations, guidance and best practices must be accounted for in the CNSC’s nuclear security regulatory framework. In addition, the CNSC should move to performance-based regulations where appropriate in alignment with the Cabinet Directive on Regulation and the Policy on Regulatory Development, as well as the commitments made in the SMR Roadmap and SMR Action Plan (PDF).
The CNSC performed extensive public consultation for this regulatory proposal. The CNSC posted several discussion papers for public consultation and held multiple information sessions with industry, members of the public and other federal and provincial government departments and organizations. The CNSC also hosted workshops with industry on the proposed changes and to get information on monetized costs and benefits. The feedback received from all these sessions was used to inform and revise the CNSC’s regulatory proposal. The regulatory development also determined that regulatory action was needed in the modern threat and risk environment. The significance of the proposed changes and restructuring led the CNSC to determine that the repeal and replacement of the existing NSR with this regulatory instrument would be the most appropriate action to take to achieve the CNSC’s policy objectives.
The largest monetized cost impact item was attributed to the proposed requirements for cybersecurity and the protection of sensitive information with a total present value cost of $13.35 million. Conversely, the largest monetized benefit (cost savings) item was the security clearance validity period, which has a net present value benefit of $6.59 million. The main benefit to Canadians from this regulatory proposal is in the form of the reduced health, safety and environmental threats and risks due to potential security incidents at nuclear facilities and/or involving nuclear substances. Overall, the monetized impacts show a net cost of $13.34 million for this proposal; however, the benefits would outweigh the costs if all the benefits could reasonably be quantified. A detailed cost-benefit analysis report (CBA report) is available as part of this regulatory proposal.
The proposed changes would improve alignment with international regulatory regimes and address findings from international reviews of Canada’s nuclear security regime.
Issues
The existing Nuclear Security Regulations (NSR or the Regulations) were substantially amended in 2006. Since then, security threats, operational experience and technological advancements have evolved dramatically. In addition, the existing NSR need to be modernized to align with current international recommendations, guidance, and best practices. There are a number of issues and key drivers behind repealing and replacing the existing NSR.
The NSR are overly prescriptive
A number of requirements in the existing NSR require the same prescriptive level of security for all high security sites. For example, the existing NSR establish specific requirements for security barriers. This prevents licensees and proponents from using new security technologies or innovative practices that meet or exceed the regulatory objective to delay potential adversaries. In addition, the Regulations do not differentiate between large and small nuclear reactors and do not take into consideration a risk-informed approach to address potential security threats and risks or different technologies, sizes, locations, and alternative approaches to preventing theft and sabotage.
Advancements and innovations in nuclear technology, as well as in technologies and methods for physical protection and cybersecurity, are expanding the range of measures and approaches through which licensees can design and operate their nuclear facilities to meet nuclear security regulatory requirements. Furthermore, these advancements and innovations offer opportunities for licensees and proponents to design nuclear facilities and/or implement concepts of operation that could potentially effectively eliminate vulnerabilities licensees would otherwise have to consider in the design of the nuclear security systems of their respective facilities.
Evolving threat environment and cybersecurity threats
Potential threats to nuclear infrastructure have continued to evolve since the existing NSR were last substantially amended in 2006. One of the fastest-growing threats to critical infrastructure in Canada, including to nuclear facilities, is cyber attacks. The existing NSR do not include any provision for cybersecurity or for the protection of digital information. Another new threat is the use of unmanned aerial systems by potential adversaries that present new security challenges for nuclear facilities. The existing NSR do not contain provisions to monitor new and evolving threats such as these.
International recommendations, guidance, and best practices
In October 2015, the International Physical Protection Advisory Service (IPPAS) of the International Atomic Energy Agency (IAEA) conducted a mission to review the nuclear security regime and regulatory framework in Canada. The mission was performed by a team of international security experts who compared Canada’s practices to IAEA nuclear security recommendations and guidance as well as other relevant international instruments. The mission report contained 3 recommendations[footnote 1] and 30 suggestions[footnote 2] to enhance the nuclear security regime in Canada. Certain findings focused on improving the CNSC’s nuclear security regulatory framework and suggested better alignment with important international nuclear security fundamental principles and recommendations (e.g. nuclear security culture, interface between nuclear material accountancy and control [NMAC] and nuclear security, protection of sensitive information in physical and digital media, two-person rule in the Central Alarm Station). The NSR do not contain explicit requirements for security culture, interface of safety, security and safeguards, or the protection of sensitive information.
Changes to Government of Canada security clearance standards
The existing NSR reference the (ARCHIVED) Personnel Security Standard, published by the Treasury Board of Canada Secretariat (TBS) in 1994, as the standard for examining the trustworthiness and reliability of individuals who require access to sensitive information and assets. The Standard was superseded by the Standard on Security Screening in 2014. Not updating the existing NSR to reflect the new security standard may pose unreasonable risk to the protection of sensitive information and assets, and to nuclear facilities and nuclear substances. For example, the existing NSR do not prescribe financial inquiry (credit check) for individuals with unescorted access to vital areas. These individuals may pose a security risk because of financial pressure or their history of poor financial responsibility. While the status of an individual’s financial situation may not affect their ability to do a job, financial obligations or pressures could pose a security risk.
Use of private security guards at nuclear facilities
There is considerable variation in training and licensing requirements across the country and a lack of oversight for the use of private security personnel. Some jurisdictions have no legislation, policy or guideline on the use of private security. The inconsistency in regulatory practices raises concerns on the use of private security services at nuclear facilities. Several issues have been mentioned in the Public Safety Canada 2015 study, titled (ARCHIVED) The Use of Private Security Services for Policing, such as the potential for criminal activity, the infiltration of private security by organized crime groups, the exploitation of security officers through low wages, and corruption in security guard training schemes. The lack of interfaces with provincial private security regulations is an area for improvement in the security regulatory framework. The existing NSR do not contain any baseline requirements on the training and qualifications for private security guards or “in-house” security personnel at nuclear facilities.
Other issues
Certain definitions in the existing NSR, such as the definitions for weapons, explosive substances and firearms are not aligned with the Criminal Code definitions. Definitions such as sabotage and security monitoring room are not aligned with the IAEA Nuclear Security Glossary (PDF). In addition, the current layout of the existing NSR can make it challenging to determine which requirements apply to nuclear material and which apply to a specific facility. For example, requirements that apply to Category III nuclear material are found in both Part 1 and Part 2 of the existing NSR. Further, Schedule 2 of the existing NSR contains a list of organizations that have changed names or do not exist anymore. Schedule 2 is outdated and does not include any specific types of nuclear facilities and, as a result, it cannot be applied to new applicants or other nuclear facilities.
Background
The Nuclear Safety and Control Act (NSCA or the “Act”) establishes the CNSC authority to set regulatory requirements for all nuclear-related activities in Canada. Under the Act, the CNSC regulates the use of nuclear energy and materials to protect the health, safety and security of Canadians and the environment, to implement Canada’s international commitments on the peaceful use of nuclear energy, and to disseminate objective, scientific, technical and regulatory information to the public. A key part of the CNSC’s mission is to regulate the security of nuclear material, nuclear substances, nuclear facilities, prescribed equipment and prescribed information.
The existing NSR apply to nuclear facilities that process, use or store Category I, II or III nuclear material, including nuclear power plants, as set out in Schedule 1 of the existing NSR. They also apply to facilities such as nuclear fuel fabrication facilities and nuclear substance processing facilities listed under Schedule 2 of the existing NSR, as well as proponents of new nuclear facilities. The existing NSR are divided into two parts. Part 1 sets security-related requirements and general obligations for licence applications submitted in accordance with the Act. It also includes information about security requirements for “high-security sites” (HSS), as defined in the Regulations. Part 2 provides security-related requirements for the licensing and operation of nuclear fuel and processing facilities that are listed in Schedule 2 of the Regulations.
The last major revision of the existing NSR was completed in 2006. These amendments incorporated the results of domestic and international analysis and recommendations that were driven by the significant change to the security context following the terrorist attacks on the United States (U.S.) on September 11, 2001.
This regulatory proposal is associated with significant new federal government activities with respect to the Canadian Small Modular Reactor (SMR) Roadmap Steering Committee.[footnote 3] This Steering Committee identified, in its report titled SMR Roadmap, that “the current regulations would require SMRs to incorporate security infrastructure comparable to today’s full-scale nuclear power plants.” One of the priority recommendations from that report is for the CNSC to revise the NSR to remove prescriptive requirements and cover high-level principles. The SMR Roadmap also recommended that the NSR provide for the application of a graded approach based on risk-informed criteria. The follow-up to the SMR Roadmap, the SMR Action Plan, was released in December 2020. It further underlined the importance of removing prescriptive requirements from the NSR as highlighted in action CNSC01 “Nuclear Security” and CNSC02 “Regulatory Efficiency.” As part of the SMR Action Plan, the Minister of Natural Resources detailed in the Message from the Minister the importance of SMR technology to Canada’s plan to achieve a net-zero economy[footnote 4] by 2050.
In Budget 2022, the Government of Canada committed to supporting SMR development and deployment in Canada by providing $120.6 million over five years, starting in 2022–2023, and $0.5 million ongoing. This funding includes
- $50.7 million, and $0.5 million ongoing to the CNSC to build capacity for the regulation of SMRs and to work with international partners on global regulatory harmonization.
- $69.9 million to Natural Resources Canada to undertake research for SMR waste management, to create a fuel supply chain, to strengthen international nuclear cooperation agreements, and to enhance domestic safety and security policies and practices.
The proposed NSR 2023 would support the Government of Canada’s commitments related to SMR development and deployment.
Objective
The policy goals for repealing and replacing the existing NSR include
- Ensuring continued security of nuclear facilities and prescribed information to protect the health and safety of Canadians and the environment.
- Mitigating new threats and risks to nuclear facilities, nuclear materials and nuclear substances in Canada.
- Removing barriers to the development and deployment of new reactor designs and technologies as per the CNSC’s commitments in the SMR Action Plan (PDF) and SMR Roadmap.
- Aligning the regulations with the Cabinet Directive on Regulation and the Policy on Regulatory Development by implementing performance-based regulations where appropriate.
- Aligning the regulations with international conventions and IAEA recommendations, guidance and best practices, as well as ensuring that Canada continues to fulfill its international obligations for the security of nuclear and radioactive material.
- Improving the clarity and readability of the regulations.
Description
The key elements of this regulatory proposal are summarized below.
Move towards a more performance-based approach
The proposed NSR 2023 would include performance-based requirements where practical. The performance-based requirements would include, but not be limited to, the application of traditional barriers/physical protection systems, the use of on-site and/or off-site armed response forces, the defence against design basis threat (DBT)[footnote 5] sabotage events, the use of alternative measures, such as engineered systems and novel concepts of operation, safety- and security-by-design containment systems, or any combination thereof. The proposed NSR 2023 would establish the performance-based requirements and objectives, and these performance objectives would be applied to licensees and other affected stakeholders using a risk-informed approach, commensurate with the risk and complexity of the licensed activity.
Inclusion of new requirements for threat and risk assessment
The proposed NSR 2023 would require nuclear facilities to
- Conduct threat and risk assessments (TRAs) at least every five years;
- Include both physical and cyber threats in TRAs; and
- Maintain and update TRAs on a regular basis (every 12 months), when the threats change, or following a nuclear security incident.
Inclusion of new requirements for cybersecurity and for the protection of sensitive information
The proposed NSR 2023 would require nuclear facilities to
- Address the cybersecurity risks identified in their TRA in their cybersecurity program; and
- Protect, from cyber attacks, computer-based systems and components that perform or impact the following functions: nuclear safety, nuclear security, emergency preparedness and safeguards.
In addition, the proposed NSR 2023 would require applicants and licensees to identify sensitive information in physical or digital form and to protect it against the threats identified in the licensee’s TRA throughout the lifecycle of the information. This new requirement would apply to computer-based systems and components used for processing, storing and transmitting sensitive information.
Better alignment with international recommendations, guidance and best practices
The proposed NSR 2023 would include new requirements to
- Enhance nuclear security culture by requiring licensees to develop, implement, and promote nuclear security culture measures and practices at their respective facilities;
- Implement provisions for effective interfaces between nuclear safety, security, and safeguards at nuclear facilities. It would require licensees to assess and manage the interface with the safety, security and safeguard activities in such a way as to ensure that they do not adversely affect each other and that, to the degree possible, they are mutually supportive;
- Require nuclear facilities to conduct regular security exercises, at a minimum every five years, including during transport applications;
- Implement monitoring of nuclear substances at non-HSS to prevent the unauthorized removal of nuclear substances and defend against insider threats; and
- Implement a two-person rule or equivalent measures to mitigate potential insider threats in the central alarm station at HSS.
Update for new security clearance screening standard
The proposed NSR 2023 would update the security screening standard for facility access clearance to include new requirements similar to those in the Treasury Board of Canada Secretariat (TBS) Standard on Security Screening for site access status, site access clearance and enhanced security screening. In particular, credit checks would be required for individuals with enhanced site access clearance. In addition, the site access status and site access clearance validity would expand from 5 to 10 years to align with the Standard on Security Screening.
Use of private security services at nuclear facilities
Under the proposed NSR 2023, licensees would be required to ensure that security guards (non-nuclear security officers) are equipped, qualified and trained in accordance with provincial regulations. Licensees would also be required to develop and maintain procedures and instructions for these security guards.
Introduce and revise definitions and terminology
The proposed NSR 2023 would update and clarify certain definitions. For example
- The term “security monitoring room” would be replaced with “central alarm station” to avoid confusion with small modular reactors;
- The definitions of “design basis threat,” “direct visual surveillance,” “effective intervention,” “off-site response force,” “protected area,” “vital area” and “sabotage” would be revised;
- The definitions of “explosive substance,” “firearm” and “weapon” would refer to the existing definitions in the Criminal Code;
- The term “physical protection” would be replaced by “nuclear security measures” to include both cyber and physical security measures; and
- There would be new definitions of “limited access area,” “physical barrier,” “sensitive information,” and “security exercise.”
Simplified layout
To enhance clarity and expectations for licensees,
- Schedule 2 of the existing NSR would be removed entirely. The proposed NSR 2023 would not name specific licensees or facilities to which the Regulations apply.
- The proposed NSR 2023 would describe the nuclear facilities subject to the proposed NSR 2023 by “nuclear facility” groups and specifically exclude facilities that are not subject to the proposed NSR 2023 (e.g. particle accelerators, uranium mines and mills).
- The requirements in the proposed NSR 2023 would be reorganized to assist applicants and licensees in locating the applicable requirements to their licensed activity.
- Part 1 of the proposed NSR 2023 would include general requirements for nuclear facilities. Part 2 would include requirements for HSS. Part 3 would apply for transport applications.
Consequential amendments
Consequential amendments to the Class I Nuclear Facilities Regulations, Nuclear Substances and Radiation Devices Regulations, Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission), and Packaging and Transport of Nuclear Substances Regulations, 2015 would be made so that they reference the proposed NSR 2023 accurately and so the language used in the administrative monetary penalties (AMPs) reflects modern regulatory practices. In addition, the consequential amendments to the Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission) would include new AMPs for the new requirements in the proposed NSR 2023. Examples of the proposed new AMPs include those related to cybersecurity, the protection of sensitive information, and security culture for all nuclear facilities, as well as AMPs related to threat and risk assessments, nuclear substance monitoring, and private security guards for non-HSS.
Regulatory development
Consultation
Since 2016, the CNSC has undertaken significant and continuous consultation with stakeholders. In 2016 and 2017, consultation workshops were held with nuclear industry representatives to obtain early input on potential improvements to the Regulations based on new security technologies, new and evolving threats, new SMR possibilities, and the industry’s operating experience with the existing NSR. In 2019, the CNSC co-hosted a workshop alongside the World Institute of Nuclear Security (WINS) for HSS representatives to explore modernization options for the security requirements for preventing potential sabotage events. In the meantime, the CNSC has been working with international counterparts to understand the evolving global security context and challenges. During these years, informed by comments and input, the CNSC has been developing proposed amendments, comparing options, and making evidence-based decisions about the Regulations. In 2021, the CNSC embarked on broader consultation with all stakeholders on its regulatory proposals. A detailed breakdown of the CNSC’s consultation for this regulatory proposal is discussed below.
Early consultation (2016–2020)
The CNSC held three consultation workshops, in 2016 and 2017, with industry stakeholders to obtain preliminary input on potential amendments to the existing NSR. The stakeholders who attended the workshops were those directly responsible for implementing security measures at nuclear facilities or responsible for the security of nuclear material. The workshops included three different participant groups:
- Licensees listed in Schedule 2 of the existing NSR, other licensees who possess, use, store and transport Category III nuclear material not covered in Schedule 2 of the existing NSR, and licensees who operate research-type reactor facilities (e.g. SLOWPOKE operators);
- Licensees who operate HSS (e.g. nuclear power plants) and possess, use or transport Category I and II nuclear material; and
- Vendors, designers, and licensees interested in the construction and deployment of SMRs.
In December 2017, the CNSC released a stakeholder workshop report, which summarized the feedback received from the workshop participants. The CNSC also received feedback on the existing NSR through two discussion papers: in 2014, DIS-14-02, Modernizing the CNSC’s Regulations, and in 2016, DIS-16-04, Small Modular Reactors: Regulatory Strategy, Approaches and Challenges. DIS-14-02 was posted on the CNSC website on November 17, 2014, for an initial 120-day consultation period, which was then extended to May 29, 2015, at the request of stakeholders. Following the consultation period, the comments received were posted for additional feedback in June and July 2015. DIS-16-04 was posted on the CNSC website for 120 days from May to September 2016, and the comments received were posted for additional feedback in November and December 2016. A summary of the comments received from stakeholders, as well as the CNSC’s responses to those comments, was published in What We Heard Report – DIS-14-02 and in What We Heard Report – DIS-16-04, respectively.
2021 Consultation
In 2021, the CNSC issued two more discussion papers related to modernizing the nuclear security regulatory framework: DIS-21-02, Proposals to Amend the Nuclear Security Regulations, and DIS-21-03, Cyber Security and the Protection of Digital Information. DIS-21-02, published for 90 days on the e-consultation platform Let’s Talk Nuclear Safety[footnote 6] from April to July 2021, describes the CNSC’s proposed regulatory changes to areas such as physical protection (prevention of theft and sabotage), cybersecurity and the protection of nuclear security information, as well as security culture and the impact on NMAC, to name a few. DIS-21-03, published for 90 days on Let’s Talk Nuclear Safety from July to October 2021, added more details on the proposed revisions for regulating cybersecurity and the protection of digital information. From these two discussion papers, a total of 242 comments were received.
The CNSC hosted two information sessions with environmental non-governmental organizations (ENGOs) and members of the public on April 13, 2021, to inform participants about the regulatory amendment project, the past consultation and research that informed the CNSC’s proposals, as well as how to comment on the discussion papers and participate in the stakeholder workshops that occurred following these information sessions. From April to September 2021, the CNSC held a series of consultation sessions with over 150 participants from the public, ENGOs, industry, Government of Canada departments and agencies, and representatives from various provincial governments. These sessions included a walkthrough of the regulatory amendment process, highlighted specific proposed amendments to the NSR, and the rationale behind the changes. Overall, in 2021, the CNSC received comments from 37 unique stakeholders totalling over 500 comments. The CNSC summarized all stakeholder comments and the CNSC’s path forward on the regulatory proposals in the What We Heard Report: DIS-21-02 and DIS-21-03. Stakeholders support most of the proposed amendments to the existing NSR. Their principal concerns touched on the proposals for performance-based regulations, including those for the protection against theft and sabotage, new cybersecurity and protection of sensitive information provisions, and the cost of performing security screenings. Additional details on these concerns are presented below.
Performance-based regulations
There was strong support from industry stakeholders for performance-based requirements that have clear performance-based objectives as well as for alternative approaches to protect against theft and sabotage. However, industry stakeholders requested clarity on what the CNSC would consider sufficient in meeting nuclear safety objectives. Certain industry stakeholders emphasized that considerations ought to be different between large nuclear power plants and small nuclear facilities, the latter having smaller inventories of nuclear materials. The public and ENGOs cautioned that the proposed NSR 2023 must ensure that current levels of security are maintained or strengthened, and that the application of nuclear security should be at the same level, regardless of the geographic location or technology used in that facility (e.g. urban versus remote locations).
In consideration of the concerns above, it should be noted that the implementation of any performance-based requirement needs to be approved by the CNSC. Applicants and licensees would be required to demonstrate that they would be able to achieve specific and measurable objectives or outcomes. The proposed NSR 2023 would continue to ensure the continuity of Canada’s robust nuclear security regime, while affording licensees and applicants greater flexibility in demonstrating how they can meet nuclear security regulatory requirements. The CNSC would provide further guidance on how to meet performance-based requirements in its regulatory documents (REGDOCs).
Cybersecurity threats and cybersecurity in TRAs
Cybersecurity requirements are currently found in the licence[footnote 7] of each HSS. The CNSC requires HSS to follow the Canadian Standards Association (CSA) standard N290.7 Cyber security for nuclear power plants and small reactors facilities via licence conditions[footnote 8] and cites this standard as guidance for other nuclear facilities. Representatives from research reactors, SMRs and other nuclear substance processing facilities expressed the need for a risk-informed approach to requirements for cybersecurity. Although the research reactor licensees supported the risk-informed approach to cybersecurity, they also raised concerns regarding the use of the risk-informed approach, as they thought it was unclear how CSA N290.7 could be applied to less risky licensed activities.
Representatives from HSS voiced concerns over costs to implement the new 2021 version of the CSA N290.7 standard. However, it should be noted that these costs will be borne by the licensee regardless of the requirements in the proposed NSR 2023, as the previous version of that standard is already a requirement for HSS through the licence conditions for those facilities.
Stakeholders from all groups, though most strongly those from the SMR vendors and designers, the research reactors, and the fuel cycle licensees, questioned the need to submit revisions to the TRA on an annual basis. The CNSC then clarified that the proposal would require the TRA be reviewed by the licensee every year, but revised only if there is a change. There was general agreement among industry stakeholders to include cyber threats in the TRA, and to have requirements to protect against cyber threats, as some HSS were already doing this. Licensees from all groups and SMR vendors and designers, however, expressed a need for more guidance on how to assess cyber threats and how to integrate them into the TRA.
Industry stakeholders recommended the use of a risk-informed approach to determine the systems that provide or impact the safety, security, emergency preparedness and safeguards that would be included in the licensee’s TRA. Industry stakeholders noted that the program elements set out in the CSA N290.7 standard are suitable in general, and certain industry stakeholders sought the use of the risk-informed approach, which would allow licensees of facilities with Category III nuclear material the flexibility to propose alternative methods, approaches and security measures. However, industry stakeholders also requested that the CNSC provide further guidance as to how CSA N290.7 could be applied for these facilities.
The CNSC intends to provide guidance regarding TRAs and the application of the risk-informed approach for cybersecurity considerations in its regulatory documents (REGDOCs).
Protection of sensitive information
Most licensees agreed with CNSC’s proposed lifecycle approach for the protection of sensitive information, though some expressed concerns over the proposed increase in scope of information to be protected and found the definition of sensitive information to be overly broad. Most licensees already use risk-informed information classification schemes, and generally agreed that classifying and marking information is necessary to adequately handle and protect information. However, some expressed concerns that the proposed classification scheme [footnote 9] would be difficult to align with their existing classification schemes, could potentially lead to over-classifying information, and that implementing multiple sensitivity levels would be overly burdensome in achieving the regulatory objective.
The CNSC would clarify requirements and develop guidance on how to identify and protect sensitive information, in its regulatory documents.
Security clearance screening standard
Industry stakeholders expressed concerns with expanding the need to conduct financial and security checks for all employees, as opposed to applying the standard based on the level of responsibility for individual roles. There were also concerns about the accessibility of technology used to conduct fingerprinting, as some have faced challenges with collecting employees’ fingerprints.
The CNSC recognizes that employers have experienced issues with fingerprinting due to COVID-19 restrictions and the lack of technology availability. As a result, the CNSC has changed the proposal to not require fingerprinting as part of the law enforcement inquiry (criminal record name check). Based on the feedback received during consultation, the proposal related to credit checks was also changed so that the credit checks would be mandatory only for individuals with an enhanced security site access clearance, based on a risk-informed approach.
Canada Gazette, Part I, prepublication
In order to provide the regulated community, members of the public, and Indigenous groups with the appropriate time for a detailed and comprehensive review and verification of the proposed NSR 2023 and its associated Regulatory Impact Analysis Statement (RIAS), and to better facilitate the feedback and comments from all stakeholders, the CNSC is proposing a 60-day consultation period.
Modern treaty obligations and Indigenous engagement and consultation
The initial assessment examined the geographical scope and subject matter of the initiative in relation to modern treaties in effect and did not identify any potential modern treaty implications. Although no clear linkages or impacts on Modern Treaty Partners have been identified as a result of the proposed NSR 2023, Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC) advised the CNSC to include all modern treaty holders in its engagement strategy where there is the potential for nuclear projects to be proposed. CIRNAC provided a list of modern treaty partners to reach out to, which includes the regions of the Northwest Territories, Nunavut, Yukon, Labrador and Northern Quebec. The CNSC contacted modern treaty partners in these regions with information on the proposed NSR 2023 and offered to provide more information should there be interest.
Instrument choice
The CNSC determined that repealing and replacing the Regulations was the most effective and appropriate instrument. Three alternatives to this regulatory option were considered as part of this project, as detailed below.
1. Status quo
The alternative of maintaining the status quo was rejected.
The threats and risks faced by nuclear facilities in Canada have changed significantly since the NSR entered into force and were last amended in 2006. New technologies and measures to protect nuclear facilities, nuclear material and nuclear substances have also been developed since that time. The risk to Canadians and the environment continues to increase over time, as past threats faced by Canadian nuclear facilities evolve and new countermeasures, counter technologies or other security measures are not able to be properly considered and deployed.
SMR technology is an emerging technology that is an important component of Canada’s net-zero initiatives announced in the Message from the Minister, given by the Minister of Natural Resources in 2021, and in Budget 2022. Without new SMRs, nuclear power generation will be severely limited in its contribution to decarbonization initiatives. Amendments to improve the efficiency and clarity of the prescriptive requirements in the existing NSR were identified as a priority in Pillar 2: Policy, legislation and regulation of the SMR Roadmap. The action to amend the existing NSR is SMR Roadmap recommendation 22, with the resulting commitment from the CNSC to amend the existing NSR captured in actions CNSC01 and CNSC02 of the SMR Action Plan.
2. Licence conditions
The alternative of adding the new security requirements to individual licences as licence conditions was rejected. Since most of the requirements are common to all nuclear facilities or at least a subset of facilities (i.e. HSS), rather than repeating the same requirements in each and every licence as licence conditions, it is more effective to capture these as a minimum set of generic requirements in regulation. However, the CNSC recognizes that licence conditions can be an effective way of prescribing certain regulatory requirements, including facility-specific requirements when needed.
3. Voluntary compliance
The alternative of voluntary compliance was rejected. Voluntary compliance, whether through the use of the CNSC’s regulatory guidance documents [footnote 10] (REGDOCs) or via other programs proposed by licensees, implies that there is some discretion on the part of the licensee with respect to the implementation of nuclear security measures. This could potentially leave Canadian nuclear facilities vulnerable to physical and cyber threats. Voluntary compliance includes the possibility of licensees applying differing security measures or standards in terms of the level of security, which could lead to inconsistencies on how the security threats and risks are addressed across licensees. Voluntary compliance also does not provide the Canadian public or the international community with the assurance that adequate nuclear security protection measures have been taken to address threats to Canadian nuclear facilities, nuclear materials and nuclear substances.
Repeal and replace the NSR
After considering the non-regulatory options, the CNSC proceeded to consider amending the NSR or repealing and replacing the NSR. There would be a significant number of proposed changes to the NSR, including significant changes to the overall structure of the NSR. Due to this, it would not be practical or feasible for the regulated community or the public to review and understand the existing NSR alongside the regulations amending the NSR. Therefore, a repeal and replacement of the NSR is the most effective option and the option chosen for this regulatory proposal.
Incorporation by reference
The proposed NSR 2023 would incorporate the Treasury Board of Canada Secretariat Standard on Security Screening, as amended from time to time. Site access clearances and enhanced site access clearances would be granted to personnel working at the nuclear facilities based on the criteria in this standard. Using incorporation by reference of this standard would ensure that security clearances at nuclear facilities are issued based on the most up-to-date federal government security screening standards. For more information, please refer to the subsection titled “Changes to Government of Canada security clearance standards” under the “Issues” section.
Regulatory analysis
Benefits and costs
The requirements of the proposed NSR 2023 would enhance safety and security around nuclear sites and reduce the risk of catastrophic incidents that could damage the health of Canadians, the environment, or cause economic damages due to power outages. Since incidents and accidents at nuclear sites are extremely rare, the reduction in risk cannot be quantified. Additional benefits related to the proposed performance-based measures and security screening that have been monetized would result in a total present value benefit of $7.4 million.
The total present value cost associated with the proposed security enhancements would be $20.8 million, with the majority of costs related to cybersecurity provisions ($13.3 million) and CNSC compliance activities ($2.7 million).
While the monetized impacts of the proposed NSR 2023 would result in a net present value cost of $13.3 million, the non-monetized benefits associated with the reduced risk of incidents are expected to be far greater than the estimated costs.
A detailed CBA report for this regulatory proposal can be obtained by contacting the CNSC with the contact information at the end of this RIAS.
CBA methodology
The CBA for this regulatory proposal compared the incremental impacts between a baseline scenario and a regulatory scenario according to the Policy on Cost-Benefit Analysis. The baseline scenario shows the costs and benefits expected without the proposed NSR 2023 as described in the status quo option in the “Instrument choice” section. The regulatory scenario describes the expected incremental impacts of the proposed NSR 2023.
Monetized impacts are calculated using the International Standard Cost Model Manual (SCM) from the Organisation for Economic Co-operation and Development (OECD). This is an internationally recognized methodology for determining and calculating the monetized effects of government regulation on business. For this CBA, the CNSC used the SCM to calculate both the compliance costs and the administrative burden costs for the regulatory proposal.
The proposed NSR 2023 would impact five high-security site licensees covering 13 sites as well as eight Class IA [footnote 11] and Class IB [footnote 12] licensees covering 11 sites, which include research reactors, nuclear fuel fabrication facilities and nuclear substances processing facilities that are non-high-security sites (non-HSS). Further, three organizations that transport nuclear material would be impacted to a more limited extent by the proposed requirements for transport security exercises.
At the time of this regulatory proposal, there are no SMRs in operation or under construction in Canada. However, over the 10-year time frame of analysis, there are several potential SMR projects that may be realized. In support of this, four organizations with interest in SMR technologies (Ontario Power Generation, Bruce Power, New Brunswick Power, and Canadian Nuclear Laboratories) provided cost-benefit data in support of SMRs.
The data used in this CBA were obtained via consultation with stakeholders. When needed, remaining data for labour costs were obtained from Statistics Canada. [footnote 13]
The CNSC identified certain elements of licensee operations that would be affected by this regulatory proposal, including
- Monetized capital costs (new equipment/software and maintenance of that equipment/software);
- Monetized labour costs (revisions to programs/procedures, personnel training, new personnel time spent in security exercises);
- Monetized compliance costs for CNSC compliance activities;
- Monetized benefits related to security clearances and performance-based regulations; and
- Qualitative security benefits.
Present value totals are in 2021 Canadian dollars, discounted to 2022 using a rate of 7% over a 10-year time period (2023–2032) as directed by the Policy on Cost-Benefit Analysis. Discount rates of 0%, 3%, 5%, and 10% were used as part of the sensitivity analysis for this regulatory proposal.
Consultation on the CBA
The CNSC hosted workshops with affected stakeholders to determine the operational impacts (costs and benefits) of the various elements of the regulatory proposal. The CNSC took an iterative approach to these workshops and conducted the workshops in multiple phases:
- Introduction and overview of the regulatory cost-benefit process (June 21, 2021);
- Reviewing the operational impacts (August 6, 2021); and
- Reviewing the monetization of operational impacts (September 10, 2021).
These workshops included representatives from HSS, SMR proponents, and non-HSS. Industry representatives submitted their preliminary monetization data in advance, which was later discussed at the September workshop. Following the workshop, industry revised the monetization data based on CNSC feedback and submitted the revised data. This revised data was reviewed by the CNSC and compared with internal cost information where available (i.e. contracts for TRAs, costs for security clearances or equipment costs related to cybersecurity) to obtain the final monetization data.
The qualitative benefits were determined based on information from CNSC subject matter experts and benchmarking against international recommendations and best practices.
Costs
The estimated total incremental present value cost of the proposed NSR 2023 would be $20.8 million. Costs are grouped according to the main themes of the proposed amendments that would impose cost impacts on regulated parties. These themes are as follows:
- Proposed new requirements for cybersecurity and the protection of sensitive information for all nuclear facilities would result in a present value cost of $13.35 million;
- CNSC activities to verify compliance with the proposed NSR 2023 for all nuclear facilities would result in a present value cost of $2.74 million;
- Proposed new requirements for security exercises at non-HSS and transport security exercises at all nuclear facilities would result in a present value cost of $1.14 million;
- Proposed new requirements for nuclear substance monitoring at non-HSS would impose a present value cost of $0.84 million;
- Proposed new requirements to enhance the safety, security and safeguards interface at all nuclear facilities would impose a present value cost of $0.77 million;
- Proposed new requirements for licensees to promote security culture at all nuclear facilities would impose a present value cost of $0.74 million;
- Proposed changes to the requirements for TRAs at all nuclear facilities would impose a present value cost of $0.62 million; and
- Proposed new requirements for security guards at non-HSS would impose a present value cost of $0.56 million.
The proposed change to the central alarm station would not impose any incremental costs on licensees (HSS only) since they generally already perform this requirement and may propose alternatives to meet the performance objective without incurring additional costs.
The monetized impacts for these themes (except for CNSC compliance activities) are in the form of changes to licensees’ internal processes/programs/procedures, the purchase/upgrades and maintenance/repair of equipment (hardware and/or software), and labour costs for staff performing the new duties required in the proposed NSR 2023.
CNSC compliance activity costs arise because the CNSC is a cost-recovery organization under the Canadian Nuclear Safety Commission Cost Recovery Fees Regulations; as such, the costs carried by the CNSC from compliance activities (e.g. inspections and desktop reviews) are billed back to the licensees. To verify compliance with the proposed NSR 2023, the CNSC would perform more inspections and reviews of the security programs and measures, and thus charge more cost recovery fees to the regulated community.
Stakeholders indicated that the first year for SMR deployment would be 2028. Thus, the data related to SMRs would be considered in the time period of 2028–2032.
Benefits
The primary benefit to Canadians from this regulatory proposal would be the reduction in risk of nuclear security incidents that is derived from enhanced nuclear security. This reduction in risk cannot be quantified in a practical fashion and must therefore be treated qualitatively. The prevention of damages to nuclear facilities that cause radioactive releases (from physical, cyber or insider threats) and the prevention of the theft of nuclear materials and nuclear substances would result in reduced health and safety risks to Canadians and the environment.
In addition, there is the reduced risk of economic damage due to power outages, such as lost revenue for power-generating utilities, recovery costs related to nuclear security incidents, increased electricity costs and possible electricity or radioisotope shortages should certain nuclear facilities be offline for an extended period due to a security incident.
The types of nuclear security incidents targeted in this proposal are extremely rare in Canada and globally. However, when incidents do occur, their impacts are significant and far-reaching, as shown in the following examples:
- Overall, cyber attack costs on the global business community were estimated at US$945 billion in 2021, which was an 80% increase over 2018, while other estimates put the total costs of cyber attacks in the order of several trillion U.S. dollars each year. [footnote 14]
- The Colonial Pipeline ransomware attack in the United States in May 2021 [footnote 15] resulted in the theft of 100 GB of data and shut down the pipeline for six days. Colonial Energy paid approximately US$5 million in ransom to restore the system. The pipeline outage caused shortages of airline fuels and motor vehicle fuel for several days in certain regions of the United States.
- In 2013, the Canadian Anti-Fraud Centre received over 16 000 complaints of cyber-related fraud accounting for more than $29 million in reported losses. A major example was known as “Citadel,” where botnets installed malware on computers to steal personal and financial data and targeted major financial institutions in Canada and internationally, costing an estimated $500 million in global economic losses.
- According to a survey conducted by Public Safety Canada in 2017, nearly 70% of Canadian businesses have been victims of cyber attacks with an average cost of $15,000. [footnote 16]
- In September 2019, there was a cyberattack at the Kudankulam Nuclear Power Plant in Tamil Nadu, India, where a large amount of sensitive information was stolen off the administrative network. [footnote 17] Due to the sensitive information that was stolen, this incident increased the risk of sabotage or the risk of theft of nuclear substances or nuclear material from the nuclear facility.
- A security advisory highlighted a critical remote code execution vulnerability in the Log4j library, a widely deployed utility in software packages used by businesses, members of the public, and government organizations such as the Canada Revenue Agency and the Government of Quebec. [footnote 18]
The monetized benefits of this regulatory proposal primarily revolve around cost savings from the proposed performance-based requirements ($0.83 million), which allow for the regulated parties to propose their own means to achieve the regulatory objective, as well as the proposed changes for the validity of site access clearance from 5 years to 10 years under the TBS Standard on Security Screening ($6.59 million). These cost savings are estimated to result in a total present value benefit of $7.42 million.
A further benefit from this regulatory proposal is in regard to SMR development and deployment in Canada. Removing the prescriptive requirements in the NSR would reduce regulatory obstacles to SMR development and is an important part of a broad initiative to promote SMR deployment in Canada. In addition, this regulatory proposal would fulfill one of the CNSC commitments identified in the SMR Action Plan on the modernization of the existing NSR.
Overall, while the monetized impacts show a net cost for this regulatory proposal, the benefits are expected to outweigh the quantitative costs if all the benefits could reasonably be quantified.
Impacts of the consequential amendments
The proposed NSR 2023 would include new administrative monetary penalties (AMPs) [e.g. for cybersecurity violations], which would be handled via the processes and procedures already implemented by licensees and by the CNSC. Therefore, cost impacts for the consequential amendments to the Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission) are expected to be minimal. No impacts are expected with the consequential amendments to the Class I Nuclear Facilities Regulations, the Nuclear Substances and Radiation Devices Regulations, and the Packaging and Transport of Nuclear Substances Regulations, 2015.
Cost-benefit statement
- Number of years: 10 (2023 to 2032)
- Base year for costing: 2021
- Present value (PV) base year: 2022
- Discount rate: 7%
Impacted stakeholder | Description of cost | 2023 | 2028 | 2032 | Total (PV) | Annualized value |
---|---|---|---|---|---|---|
Industry | Cybersecurity and information protection | $1,869,849 | $1,240,294 | $1,005,863 | $13,346,906 | $1,900,299 |
Industry | CNSC compliance activities | $364,518 | $259,896 | $198,274 | $2,739,437 | $390,034 |
Industry | Security exercises | $41,723 | $189,121 | $156,000 | $1,139,827 | $162,286 |
Industry | Nuclear substance monitoring | $110,969 | $79,119 | $67,985 | $841,584 | $119,823 |
Industry | Safety, security and safeguards interface | $267,970 | $107,721 | $143,146 | $773,708 | $110,159 |
Industry | Security culture | $81,240 | $94,664 | $72,219 | $735,410 | $104,706 |
Industry | Threat and risk assessment | $48,121 | $34,310 | $135,190 | $623,556 | $88,780 |
Industry | Security guard qualification and training | $58,479 | $41,694 | $90,199 | $564,723 | $80,404 |
All stakeholders | Total costs | $2,842,868 | $2,046,821 | $1,868,876 | $20,765,152 | $2,956,490 |
Impacted stakeholder | Description of benefit | 2023 | 2028 | 2032 | Total (PV) | Annualized value |
---|---|---|---|---|---|---|
Industry | Performance-based requirements | $0 | $189,346 | $144,451 | $830,702 | $118,273 |
Industry | Security clearance validity period | $873,114 | $639,974 | $417,064 | $6,593,390 | $938,750 |
All stakeholders | Total benefits | $873,114 | $829,320 | $561,515 | $7,424,092 | $1,057,023 |
Impacts | 2023 | 2028 | 2032 | Total (PV) | Annualized value |
---|---|---|---|---|---|
Total costs | $2,842,868 | $2,046,821 | $1,868,876 | $20,765,152 | $2,956,490 |
Total benefits | $873,114 | $829,320 | $561,515 | $7,424,092 | $1,057,023 |
NET IMPACT | ($1,969,754) | ($1,217,501) | ($1,307,361) | ($13,341,060) | ($1,899,467) |
Sensitivity analysis
As seen in the CBA, the costs carried by industry in relation to cybersecurity and the protection of sensitive information are the biggest contributor of overall monetized costs, at about 64% of the total costs. This is significantly more than the second-highest cost related to CNSC compliance activities, which stands at approximately 13% of the total costs. Similarly for the benefits, the changes to the security screening requirements make up approximately 89% of the total quantitative benefits. Increasing each of these cost or benefit items by 25%, 50%, 75% and 100%, while holding all other items constant, results in a net present value cost as low as $6.7 million or as high as $26.7 million, as shown in Table 4 below. This variance covers a wide range of potential effects of the main items on the overall net present value cost. The central scenario is also shown in Table 4 for reference.
Sensitivity analysis of main cost-benefit items on net present value costs | Central scenario | 25% Increase | 50% Increase | 75% Increase | 100% Increase |
---|---|---|---|---|---|
Cybersecurity and information protection | $13,341,060 | $16,677,787 | $20,020,359 | $23,357,086 | $26,693,812 |
CNSC compliance activities | $13,341,060 | $14,025,919 | $14,710,779 | $15,395,638 | $16,080,497 |
Security clearance validity period | $13,341,060 | $11,692,713 | $10,044,365 | $8,396,018 | $6,747,670 |
It was also seen that neither the net present value nor the annualized averages were overly sensitive to variations in the discount rate, for the selected discount rates of 0%, 3%, 5%, 7% (baseline), and 10%. The effect of the change in discount rate on the net present value and annualized averages is shown in Table 5 below.
Discount rate (%) | Net present value costs | Annualized averages |
---|---|---|
0.0 | $19,316,067 | $1,931,601 |
3.0 | $16,351,706 | $1,916,913 |
5.0 | $14,732,354 | $1,907,901 |
7.0 | $13,341,102 | $1,899,467 |
10.0 | $11,599,804 | $1,887,809 |
The complete sensitivity analysis is found in the CBA report.
Distributional analysis
The new requirements in the proposed NSR 2023 for TRAs, security exercises, and nuclear substance monitoring would be applied to the non-HSS, while those provisions already apply to HSS in the existing NSR. While cybersecurity is not an explicit requirement in the existing NSR, all HSS have implemented the standard CSA N290.7, Cyber security for nuclear power plants and small reactor facilities, as per the requirements of the licence conditions for those facilities. [footnote 19] However, non-HSS had not implemented the requirements of that standard under the existing NSR. Thus, several of the new provisions in the proposed NSR 2023 would have a proportionately higher impact on the non-HSS when compared to HSS, as shown in Table 6 below. [footnote 20]
Stakeholder group | Net present value costs | Annualized averages |
---|---|---|
Multi-unit nuclear power plant (HSS) | $5,863,706 | $834,992 |
Class IB nuclear substance processing facilities (non-HSS) | $3,469,986 | $494,126 |
Fuel fabrication facilities (non-HSS) | $3,226,412 | $459,441 |
Research reactors (academic institutions) [non-HSS] | $501,539 | $71,419 |
Single-unit power plants and Canadian Nuclear Laboratory (CNL) facilities (HSS) | $350,826 | $49,958 |
Transport organizations | $160,366 | $22,836 |
SMR | ($231,776) | ($33,005) |
As seen in Table 6 above, multi-unit nuclear power plants would see the greatest overall monetized cost increases, mainly due to the proposed requirements for upgraded cybersecurity and the protection of sensitive information provisions. The non-HSS would see proportionately higher monetized costs, due to the aforementioned new requirements related to threat and risk assessments, private security guards [footnote 21], security exercises, and nuclear substance monitoring for those facilities.
Nevertheless, the non-HSS would also see a large monetized benefit from the proposed changes to the security screening requirements. There would not be a requirement for the enhanced (5-year) site access clearances since all personnel at non-HSS would transition to a 10-year security screening validity.
The complete distributional analysis for this regulatory proposal is found in the CBA report.
Small business lens
Analysis under the small business lens concluded that the proposed NSR 2023 would not impact Canadian small businesses.
One-for-one rule
This regulatory proposal would repeal an existing regulatory title (the existing NSR) and replace it with a new regulatory title (NSR 2023). The new regulatory title would impose new administrative burden on applicants and licensees to demonstrate compliance with the new regulatory requirements, such as cybersecurity and the protection of information for all licensees, and new TRAs and security exercises for non-HSS licensees. Administrative burden related to this regulatory proposal would encompass reporting/submitting information/documentation to the CNSC to demonstrate compliance, notification to the CNSC for certain activities (e.g. security exercises), meetings with internal/external stakeholders, copying/filing information, such as for new TRAs, and assisting CNSC with compliance verification activities, such as inspections.
Overall, the annualized administrative cost is estimated at $16,169 (2012 Canadian dollars, a 7% discount rate, and a 2012 present value base year) and the annualized administrative cost per business is found to be $438.
Administrative burden was discussed and considered during the cost-benefit workshops with licensees in June–October 2021, and industry stakeholders included their estimates of administrative burden in their submissions to the CNSC. The CNSC reviewed these submissions and provided additional guidance and clarification to licensees on the specific costs for which administrative burden applies as defined by the Red Tape Reduction Act and as calculated per the Red Tape Reduction Regulations. Licensees revised their submissions related to administrative burden, which later informed the administrative burden calculations performed by the CNSC.
Regulatory cooperation and alignment
This regulatory proposal is not related to a work plan or commitment under a formal regulatory cooperation forum.
Alignment with international regulatory regimes
Several of the objectives of this regulatory proposal are to align the NSR 2023 with international requirements and best practices. These include
- Entry into force of the Amendment to the Convention on the Physical Protection of Nuclear Material (CPPNM);
- New recommendations, guidance, and international best practices published by the IAEA;
- Recommendations from the 2015 IAEA IPPAS mission; and
- Recommendations from the 2019 IAEA Integrated Regulatory Review Service (IRRS) mission.
The proposed NSR 2023 would reflect the current security requirements in the IAEA CPPNM and align with international standards. The CPPNM established measures related to the prevention, detection, and punishment of offences pertaining to nuclear material. It is the only international legally binding convention related to the physical protection of nuclear material, and was signed by Canada on March 3, 1980.
An Amendment to the CPPNM came into force on May 8, 2016. This increased the scope of the CPPNM to encompass physical protection requirements for nuclear facilities and nuclear material in domestic use, storage and transport. It expanded upon the scope of offences identified in the CPPNM (e.g. theft of nuclear material) and also introduced new offences, such as smuggling nuclear material and sabotaging nuclear facilities. As part of the Amendment, states, including Canada, are required to prevent and combat offences and to minimize the radiological consequences of sabotage. The proposed NSR 2023 would ensure that Canada continues to fulfill its international obligations for the security of nuclear and radioactive materials.
Canada would be addressing several recommendations and suggestions from the 2015 IPPAS report in this regulatory proposal. In total, five amendments are directly linked to the IPPAS mission findings to (1) improve nuclear security culture; (2) improve the protection of sensitive information; (3) enhance the interface between safeguards, security and safety; (4) conduct transport security drills and exercises at nuclear facilities; and (5) implement the two-person rule in the central alarm station. In addition, the CNSC would address the suggestions from the 2019 IRRS peer review mission to strengthen safety and security interfaces.
Assessment of aligned jurisdictions
The CNSC undertook an assessment of similarly capable and aligned jurisdictions with the broad objective of identifying areas of commonality and alignment. The results of that assessment include:
- The U.S. Nuclear Regulatory Commission directed staff to undertake “limited rule-making,” including an articulation of exceptions for the current fleet of operating nuclear reactors, a review of prescriptive requirements for on-site response forces and secondary alarm stations, and a commitment to review consequence-based regulations in the future.
- The United Kingdom policy has remained unchanged through several administrations, whereby threats must be defeated (i.e. no acceptable consequence) through the shared responsibility of the operator and the State.
- France maintains a similar objective and approach as the United Kingdom to defeat the threat, with the allowance of very low-level consequences and dose limits.
The CNSC recognizes the importance of regulatory cooperation and will continue to engage with similarly capable and politically aligned jurisdictions.
Coordination with orders of government
The CNSC has engaged relevant provincial partners in order to gather feedback and perspectives on the impact of the proposed regulatory changes on the implementation of provincial public safety regulations. In support of this, CNSC held a workshop with provincial government departments and agencies on June 23, 2021, to inform them of the CNSC’s regulatory proposals and obtain feedback. In total, four provincial government organizations attended this workshop. However, the proposed NSR 2023 are strictly within the federal domain.
Strategic environmental assessment
In accordance with the Cabinet Directive on the Environmental Assessment of Policy, Plan and Program Proposals, a preliminary scan concluded that a strategic environmental assessment is not required.
Gender-based analysis plus
No gender-based analysis plus (GBA+) impacts have been identified for this proposal.
Implementation, compliance and enforcement, and service standards
Implementation
The coming into force date of the proposed NSR 2023 would be on the day upon which they are registered, with the exception of the security requirements for HSS, which would come into force one year following the registration of the proposed NSR 2023, and the security requirements for non-HSS, which would come into force two years following the registration of the proposed NSR 2023.
CNSC will work with licensees to coordinate implementation of the proposed NSR 2023. This will also include working with stakeholders, Indigenous peoples and the public to finalize the nuclear security series of the REGDOCs. The CNSC’s e-consultation platform for public consultation allows stakeholders, Indigenous peoples and the public to provide comments. CNSC will use the information gathered to collaborate with licensees and to inform the final REGDOCs before the Commission approves them for publication.
Compliance and enforcement
The proposed NSR 2023 would be enforced in accordance with the CNSC’s existing enforcement policy. CNSC inspectors regularly verify that licensees are complying with the NSCA and its regulations. If a licensee is found to be non-compliant with the proposed NSR 2023, the CNSC would use a graded enforcement approach to implement corrective measures. Additional information on the CNSC’s graded enforcement strategy is found in CNSC REGDOC-3.5.3, Regulatory Fundamentals.
Contact
Dana Beaton
Director General
Regulatory Policy Directorate
Canadian Nuclear Safety Commission
280 Slater Street
P.O. Box 1046, Station B
Ottawa, Ontario
K1P 5S9
Telephone: 613‑219‑0959
Email: consultation@cnsc-ccsn.gc.ca
PROPOSED REGULATORY TEXT
Notice is given that the Canadian Nuclear Safety Commission, under subsection 44(1) of the Nuclear Safety and Control Act and subject to the approval of the Governor in Council, proposes to make the annexed Nuclear Security Regulations, 2023.
Interested persons may make representations concerning the proposed Regulations within 60 days after the date of publication of this notice. They are strongly encouraged to use the online commenting feature that is available on the Canada Gazette website but if they use email, mail or any other means, the representations should cite the Canada Gazette, Part I, and the date of publication of this notice, and be sent to Dana Beaton, Director General, Regulatory Policy Directorate, Canadian Nuclear Safety Commission, 280 Slater Street, P.O. Box 1046, Station B, Ottawa, Ontario K1P 5S9 (tel: 613‑219‑0959, email: consultation@cnsc-ccsn.gc.ca).
Ottawa, November 4, 2022
Wendy Nixon
Assistant Clerk of the Privy Council
TABLE OF PROVISIONS
Nuclear Security Regulations, 2023
Definitions
1 Definitions
PART 1
General Provisions
Application
2 Application
Licence Application
3 Required information
Security Requirements
General Requirements
4 Updated nuclear security plan
5 Threat and risk assessment
6 Effective intervention
7 Training program — behaviour of personnel
8 Security culture
9 Security interfaces
10 Compensatory measures
11 Compromise of access control system
12 Security guards
13 Arrangements with off-site response force
14 Alarm monitoring
15 Security exercise
Cybersecurity and Protection of Information
16 Cybersecurity program
17 Protection of sensitive information
18 Identity verification, clearance or authorization
Security Obligations Relating to Nuclear Substances
19 Category I nuclear material
20 Category II nuclear material
21 Category III nuclear material
22 Area for nuclear substances
Site Access Status
23 Site access status
24 Site access status — equivalent
25 Factors
26 List of persons
27 Revocation
Access Control
Access to Nuclear Facility
28 Requirements
29 Removal of nuclear substances
30 Detection of unauthorized removal
31 Entry of land vehicles
Searches
32 Sign regarding searches
33 Search or screening on leaving
34 Exception – search
PART 2
High-security Sites
Application
35 Application
Licence Application
36 Information in application
Design Basis Threat
37 Design basis threat
38 Nuclear security system
Nuclear Security Officers
39 Number and duties
40 Equipment
41 Training, competency and qualifications
42 Record — firearms
Security Requirements
43 On-site nuclear response force
44 Arrangements with off-site response force
45 Requirements for other off-site response force
46 Contingency plan
47 Security drill and exercise program
48 Security drill
49 Security exercise
Central Alarm Station
50 Central alarm station
51 Secondary alarm station
Clearances
Site Access Clearance
52 Site access clearance
53 Deemed site access clearance
Enhanced Security Clearance
54 Enhanced security clearance
55 Deemed site access clearance
Clearance Assessment, List and Revocation
56 Factors
57 List of persons
58 Revocation
Security Personnel
Nuclear Security Officer, Nuclear Security Support Person and Central Alarm Station Operator
59 Authorization — nuclear security officer
60 Authorization — nuclear security support person
61 Requirements for authorization
62 Deemed authorizations
63 Central alarm station operator
64 List of authorized persons
Nuclear Security Support Person With Escort
65 Authorization
Nuclear Security Measures
Power Supply
66 Uninterrupted power supply
Protected Area
67 Perimeter — physical barriers
68 Unobstructed area
69 Vehicle barrier
70 Nuclear security measures
Inner Area
71 Structure or physical barrier
72 Nuclear security measures
Vital Area
73 Identification of vital areas
74 Physical barrier
75 Nuclear security measures
Authorizations to Enter Protected, Inner and Vital Areas
Protected Area
76 Authorization to enter protected area
77 Authorization — with escort
78 Record of authorized persons
Inner Area
79 Authorization to enter inner area
80 Deemed authorization — protected area
81 Authorization — with escort
82 Record of authorized persons
Vital Area
83 Authorization to enter vital area
84 Record of authorized persons
Revocation
85 Revocation
Access Control
Prohibition on Permitting Access
86 Protected, inner or vital area
Protected Area
87 Identity verification
88 Unauthorized persons
89 Access with escort
90 Vehicle portals
91 Weapons, explosive substances and threat items
92 Removal of nuclear material
93 Prohibited activities
Inner Area
94 Requirement — two authorized persons
95 Unauthorized persons
96 Access with escort
97 Land vehicle
98 Weapons, explosive substances and threat items
99 Means of entry or exit
100 Removal of nuclear material
101 Prohibited activities
Vital Area
102 Unauthorized persons
103 Verification and recording of identity
104 Land vehicle
105 Weapons, explosive substances and threat items
106 Removal of nuclear material
107 Prohibited activities
Exception
108 Inspector
Searches
109 Sign regarding searches
110 Search
111 Exception to search requirement
112 Prohibition
PART 3
Licence to Transport
113 Application
114 Exemption
115 Transport security plan
116 Security exercise
PART 4
Consequential Amendments, Transitional Provisions, Repeal and Coming into Force
Consequential Amendments
117 Class I Nuclear Facilities Regulations
118 Nuclear Substances and Radiation Devices Regulations
119 Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission)
120 Packaging and Transport of Nuclear Substances Regulations, 2015
Transitional Provisions
122 Definition of former Regulations
123 Nuclear facility
124 Repeal
Coming Into Force
125 Registration
SCHEDULE
Nuclear Security Regulations, 2023
Definitions
Definitions
1 The definitions in this section apply in these Regulations.
- Act
- means the Nuclear Safety and Control Act. (Loi)
- Category I nuclear material
- means a nuclear substance listed in column 1 of the schedule that is in the form set out in column 2 and the quantity set out in column 3. (matière nucléaire de catégorie I)
- Category II nuclear material
- means a nuclear substance listed in column 1 of the schedule that is in the form set out in column 2 and the quantity set out in column 4. (matière nucléaire de catégorie II)
- Category III nuclear material
- means a nuclear substance listed in column 1 of the schedule that is in the form set out in column 2 and the quantity set out in column 5. (matière nucléaire de catégorie III)
- central alarm station operator
- means a person who has the authorization referred to in subsection 63(1). (opérateur du poste central d’alarme)
- design basis threat
- means a threat identified by the Commission under subsection 37(1) in respect of a high-security site. (menace de référence)
- direct visual surveillance
- means direct and continuous observation by a person who is physically present at the place that is under observation or observing remotely. (surveillance visuelle directe)
- effective intervention
- means an intervention that is timely and powerful enough to prevent sabotage or the unauthorized removal of nuclear substances. (défense efficace)
- enhanced security clearance
- means a clearance granted based on a security screening that is equivalent to a security screening for Top Secret clearance under the Standard on Security Screening. (autorisation de sécurité approfondie)
- explosive substance
- has the same meaning as in section 2 of the Criminal Code. (substance explosive)
- firearm
- has the same meaning as in section 2 of the Criminal Code. (arme à feu)
- high-security site
- means a nuclear facility referred to in subsection 2(1) where Category I or II nuclear material is produced, processed, used or stored. (site à sécurité élevée)
- inner area
- means an area that is within a protected area and meets the requirements of sections 71 and 72. (zone intérieure)
- licensee
- means,
- (a) in Part 1, a person who is licensed to carry on an activity described in any of paragraphs 26(a), (b), (e) or (f) of the Act in relation to Category I, II or III nuclear material or a nuclear facility referred to in subsection 2(1);
- (b) in this section and in Part 2, a person who is licensed to carry on an activity described in any of paragraphs 26(a), (b), (e) or (f) of the Act in relation to a high-security site; and
- (c) in Part 3, a person who is licensed to transport Category I, II or III nuclear material. (titulaire de permis)
- limited access area
- means a clearly demarcated area that surrounds a nuclear facility and to which the licensee controls access. (zone à accès limité)
- nuclear material accountancy activities
- means activities to record the quantities and locations at a nuclear facility of Category I, II or III nuclear material and any changes in those quantities and locations. (activités de comptabilité des matières nucléaires)
- nuclear security measure
- means a physical security or cybersecurity measure intended to deter, detect, delay or respond to a threat to a nuclear facility, nuclear substances or the confidentiality, integrity and availability of sensitive information. (mesure de sécurité nucléaire)
- nuclear security officer
- means a person who has the authorization referred to in subsection 59(1). (agent de sécurité nucléaire)
- nuclear security support person
- means a person, other than a nuclear security officer or central alarm station operator, whose duties and responsibilities in relation to a high-security site include any of the following:
- (a) the design, implementation, maintenance or repair of a nuclear security system, measure or device;
- (b) the control, maintenance or repair of firearms and related equipment;
- (c) the control, maintenance or repair of access control systems;
- (d) the assessment, denial, revocation or granting of security clearances or authorizations;
- (e) the monitoring of threats that may affect the site; and
- (f) training related to any of the activities referred to in paragraphs (a) to (e). (préposé à la sécurité nucléaire)
- nuclear security system
- means an integrated set of nuclear security measures at a nuclear facility. (système de sécurité nucléaire)
- off-site response force
- means a local, regional, provincial or federal police force, a Canadian Forces unit or a force that meets the requirements of section 45, or any combination of such forces or units, whose members are not stationed at a nuclear facility. (force d’intervention externe)
- on-site nuclear response force
- means
- (a) a team of nuclear security officers who are permanently stationed at a high-security site; or
- (b) a local, regional, provincial or federal police force or a Canadian Forces unit, or any combination of such forces or units,
- (i) whose services the licensee has retained,
- (ii) whose members are permanently stationed at a high-security site, and
- (iii) whose members are equipped with firearms, trained and qualified to use firearms and authorized to carry firearms in Canada. (force d’intervention nucléaire interne)
- physical barrier
- means a fence, wall or similar impediment that controls access to the area that it encloses and delays unauthorized access to that area. (barrière physique)
- prescribed information
- means information prescribed by section 21 of the General Nuclear Safety and Control Regulations. (renseignements réglementés)
- protected area
- means an area that is surrounded by physical barriers that meet the requirements of section 67 and whose perimeter is equipped with nuclear security measures that meet the requirements of that section. (zone protégée)
- sabotage
- means any deliberate act or omission directed against a nuclear facility or nuclear substances that are in use, storage or transport that
- (a) endangers or could endanger the health or safety of any person; or
- (b) results or could result in contamination of the environment. (sabotage)
- security exercise
- means a test of elements of the contingency plan and nuclear security measures and, in the case of a security exercise referred to in subsection 116(1), of multiple security measures. (exercice de sécurité)
- security guard
- means a person who carries out duties related to the security of a nuclear facility referred to in subsection 2(1) that is not a high-security site, such as direct visual surveillance of the facility and the protection of persons and property. (garde de sécurité)
- security personnel
- means the nuclear security officers, nuclear security support persons and central alarm station operators of a nuclear facility and their supervisors. (personnel de sécurité)
- sensitive information
- means information — including prescribed information — in any form, including software, whose unauthorized disclosure, modification or destruction or to which denial of access could compromise nuclear security. (renseignements de nature délicate)
- site access clearance
- means a clearance granted based on a security screening equivalent to a security screening for site access clearance under the Standard on Security Screening. (autorisation d’accès au site)
- site access status
- means a clearance granted based on a security screening equivalent to a security screening for site access status under the Standard on Security Screening. (cote d’accès au site)
- Standard on Security Screening
- means the document entitled Standard on Security Screening published by the Treasury Board Secretariat, as amended from time to time. (Norme sur le filtrage de sécurité)
- threat and risk assessment
- means an assessment that
- (a) identifies threats that could, including through sabotage or the unauthorized removal of nuclear substances or sensitive information, compromise the security of a nuclear facility, its personnel or its operations or exploit vulnerabilities in its nuclear security measures or, in the case of the transport of Category I, II or III nuclear material, compromise the security of sensitive information or the nuclear material; and
- (b) evaluates the adequacy and effectiveness of an existing or proposed nuclear security system, or existing or proposed nuclear security measures, designed to protect against those threats. (évaluation de la menace et du risque)
- threat item
- means
- (a) an object, other than a match or pocket lighter, that is fabricated with combustible materials and could be used to inflict burn injuries on individuals or cause fire damage to property, or any component of such an object;
- (b) a component of a weapon or explosive device; and
- (c) any other item that could pose a threat to the security of a nuclear facility. (article dangereux)
- vehicle portal
- means a means of entry or exit, situated between the interior and exterior barriers surrounding a protected area, whose sides are enclosed and that consists of two movable barriers separated by a space sufficiently large to accommodate land vehicles. (sas pour véhicule)
- vital area
- means an area inside a protected area and containing equipment, systems, structures, components or nuclear substances whose sabotage could pose an unreasonable risk to the environment, or to the health or safety of persons, arising from exposure to radiation. (zone vitale)
- weapon
- has the same meaning as in section 2 of the Criminal Code. (arme)
PART 1
General Provisions
Application
Application
2 (1) This Part applies in respect of Category I, II and III nuclear material and in respect of the following nuclear facilities:
- (a) a nuclear fission or fusion reactor or subcritical nuclear assembly;
- (b) a plant for the processing, reprocessing or separation of an isotope of uranium, thorium or plutonium;
- (c) a plant for the manufacture of a product from uranium, thorium or plutonium;
- (d) a plant for the processing or use, in a quantity greater than 10¹⁵ Bq per calendar year, of nuclear substances other than uranium, thorium or plutonium; and
- (e) a vehicle that is equipped with a nuclear reactor.
High-security site
(2) If the provisions of both this Part and Part 2 apply in respect of a high-security site, the provisions of Part 2 prevail to the extent of any inconsistency.
Licence Application
Required information
3 An application for a licence in respect of Category I, II or III nuclear material or a nuclear facility referred to in subsection 2(1), other than a transport licence, must contain, in addition to the information required by section 3 of the Nuclear Substances and Radiation Devices Regulations or sections 3 to 8 of the Class I Nuclear Facilities Regulations, as applicable,
- (a) a nuclear security plan containing
- (i) a description of the proposed nuclear security system and nuclear security measures, including any characteristics of the design of the nuclear facility that improve its security,
- (ii) a description of the areas where Category I, II or III nuclear material or other nuclear substances are to be produced, used, processed, stored or transported and the location of those areas,
- (iii) the written arrangements made between the applicant and any off-site response force,
- (iv) the plan and procedures to assess and respond to security incidents affecting the nuclear facility, and
- (v) the cybersecurity program consisting of the plans, policies and procedures for the protection of the computer systems and electronic components of a nuclear facility against cybersecurity threats identified in the threat and risk assessment; and
- (b) the threat and risk assessment.
Security Requirements
General Requirements
Updated nuclear security plan
4 (1) The licensee must review the nuclear security plan at least once per year and update it to reflect any changes to the information that it is required to contain.
Submission to Commission
(2) The licensee must submit the updated nuclear security plan to the Commission on request of the Commission and before the end of the following periods:
- (a) 5 years after the day on which the most recent plan is submitted to the Commission; and
- (b) 60 days after the day on which an update to the plan identifies changes to the nuclear security measures or to the layout or operations of the nuclear facility.
Threat and risk assessment
5 (1) A licensee must conduct, at least once every five years, a threat and risk assessment specific to a nuclear facility at which it carries on licensed activities.
Update
(2) The licensee must update the threat and risk assessment at least once per year and after any security incident occurs that affects the nuclear facility or the licensee becomes aware of a new threat or a change in any threat that is identified in the assessment.
Modifications to nuclear security system
(3) The licensee must, before the next day on which it submits a nuclear security plan under subsection 4(2), make the modifications to its nuclear security system that are necessary to counter any threat identified in the threat and risk assessment.
Record
(4) The licensee must keep a record of the results of each threat and risk assessment.
Submission to Commission
(5) A licensee must submit the record to the Commission, together with a statement describing the modifications that were made and actions that were taken as a result of the assessment, within 60 days after the day on which the assessment is completed.
Effective intervention
6 A licensee must implement nuclear security measures that ensure an effective intervention, taking into account any threat identified in the threat and risk assessment.
Training program — behaviour of personnel
7 A licensee must develop and implement a training program to ensure that its supervisors are trained to recognize and report suspicious or undesirable changes in the behaviour of personnel, including contractors, that could pose a threat to security at a nuclear facility at which it carries on licensed activities.
Security culture
8 (1) A licensee must implement measures to promote and support security culture.
Record
(2) The licensee must keep a record of the measures that it implements.
Security interfaces
9 (1) A licensee must, to the extent possible, ensure that
- (a) nuclear security measures and, if any, nuclear material accountancy activities are designed and implemented to avoid and resolve conflicts between them and to detect, prevent and deter the unauthorized removal of any Category I, II or III nuclear material from the facility;
- (b) nuclear security measures do not compromise the environment or the health or safety of persons; and
- (c) measures taken to protect the environment or the health and safety of persons do not compromise the security of the nuclear facility.
Process to coordinate measures
(2) The licensee must establish, implement and maintain a process for
- (a) avoiding and resolving conflicts between nuclear security measures and, if any, nuclear material accountancy activities; and
- (b) coordinating nuclear security measures and environmental and health and safety measures.
Record
(3) The licensee must keep a record that sets out the process.
Compensatory measures
10 (1) If the nuclear security system or nuclear security measures for a nuclear facility at which a licensee carries on licensed activities become degraded or inoperative, the licensee must immediately implement compensatory measures that are as effective as the system or measures were before they became degraded or inoperative.
Records
(2) A licensee must keep a record that sets out the processes for implementing the compensatory measures and a record indicating each instance in which a compensatory measure is implemented.
Compromise of access control system
11 When a licensee becomes aware that any device or code that is part of an access control system has become degraded or inoperative or has been compromised in any other way, including by loss, theft or unauthorized transfer, the licensee must
- (a) despite section 10, immediately replace the device or code or restore it to its proper functioning; and
- (b) determine, based on an investigation, how it became degraded, inoperative or compromised.
Security guards
12 (1) A licensee must ensure that any security guards at a nuclear facility at which it carries on licensed activities are trained to carry out the duties assigned to them and are competent and qualified to do so.
Record
(2) The licensee must keep a record of the training that it provides to each of the security guards and proof of their qualifications to carry out their assigned duties.
Arrangements with off-site response force
13 (1) A licensee must make written arrangements with an off-site response force that is capable of making, at a nuclear facility at which the licensee carries on licensed activities, an effective intervention against any threat identified in the threat and risk assessment and whose members are equipped with firearms, authorized to carry firearms in Canada and trained and qualified to use them.
Provisions in arrangements
(2) The arrangements must provide for
- (a) a process for notifying the off-site response force immediately when an alarm signal is received from an area where nuclear substances are produced, processed, used or stored;
- (b) annual visits by members of the off-site response force to familiarize them with the facility;
- (c) the joint development by the licensee and the off-site response force of a contingency plan to facilitate effective interventions by the force;
- (d) the roles and responsibilities of the licensee and the off-site response force in responding to security incidents; and
- (e) the participation of the off-site response force in security exercises.
Arrangements signed
(3) The arrangements must be signed by the licensee and the off-site response force.
Alarm monitoring
14 (1) A licensee must have alarm monitoring capability or make arrangements with an alarm monitoring service.
Alarm monitoring service
(2) An alarm monitoring service with which the licensee has made arrangements must notify the licensee and the off-site response force immediately when it receives an alarm signal from the nuclear facility.
Security exercise
15 (1) A licensee must, in cooperation with the off-site response force, at least once every five years, conduct a security exercise that tests
- (a) the ability of the elements of the contingency plan and the nuclear security measures that are tested to ensure an effective intervention against threats identified in the threat and risk assessment; and
- (b) the readiness of the off-site response force and any security guards to respond to those threats.
Notice to Commission
(2) The licensee must notify the Commission in writing of its intent to conduct a security exercise at least four months before the date of the exercise.
Record
(3) Each time the licensee conducts a security exercise, it must create a record that contains
- (a) an outline of the exercise scenario;
- (b) an evaluation of the effectiveness of the elements of the contingency plan and the nuclear security measures that were tested and the readiness of the off-site response force and any security guards; and
- (c) a description of any corrective actions that are necessary, taking into account the evaluation.
Corrective action plan
(4) If a corrective action referred to in paragraph (3)(c) involves a phased approach, the licensee must create a corrective action plan that sets out
- (a) the reasons for the corrective action;
- (b) a rationale for the phased approach; and
- (c) a timetable setting out when each phase of the plan will be completed.
Corrective actions
(5) The licensee must implement the corrective actions and, if applicable, must do so according to the timetable referred to in paragraph (4)(c).
Submission to Commission
(6) The licensee must, within 90 days after the day on which the security exercise is completed, submit to the Commission the record referred to in subsection (3) together with the corrective action plan, if any.
Exception
(7) The requirements of this section do not apply in respect of a high-security site.
Cybersecurity and Protection of Information
Cybersecurity program
16 (1) A licensee must implement and maintain the cybersecurity program referred to in subparagraph 3(a)(v) for a nuclear facility at which it carries on licensed activities.
Protection against cybersecurity threats
(2) A licensee must protect the computer systems and electronic components of the nuclear facility against cybersecurity threats that are identified in the threat and risk assessment if those systems or components being compromised could adversely affect
- (a) nuclear safety;
- (b) nuclear security;
- (c) emergency preparedness and response;
- (d) safeguards, as defined in section 1 of the General Nuclear Safety and Control Regulations, and nuclear material accountancy activities; or
- (e) systems that support the functions referred to in paragraphs (a) to (d).
Protection of sensitive information
17 (1) A licensee must implement and keep updated nuclear security measures to protect the confidentiality, integrity and availability of sensitive information against the threats that are identified in the threat and risk assessment.
Access to sensitive information
(2) A licensee must not permit a person to access sensitive information unless the person must access it in order to perform their duties.
Identity verification, clearance or authorization
18 A licensee must implement measures to protect information that is collected, used, retained or disclosed for the purposes of identity verification or in relation to a site access status, a clearance or an authorization from loss or theft and from unauthorized access, use, disclosure, duplication or alteration.
Security Obligations Relating to Nuclear Substances
Category I nuclear material
19 A licensee must produce, process, use or store Category I nuclear material in an inner area.
Category II nuclear material
20 A licensee must produce, process, use or store Category II nuclear material in a protected area.
Category III nuclear material
21 A licensee must produce, process, use or store Category III nuclear material in
- (a) a protected area; or
- (b) an area that meets the requirements of section 22.
Area for nuclear substances
22 (1) A licensee must produce, process, use and store nuclear substances in an area within a nuclear facility that is under the control and direct visual surveillance of the licensee or designed and constructed to prevent persons from gaining unauthorized access to those substances.
Nuclear security measures
(2) The licensee must ensure that the area is equipped with nuclear security measures that
- (a) permit only authorized persons whose identity has been verified to access it;
- (b) detect any intrusion into it;
- (c) detect any tampering or attempted tampering that may cause any of the measures to malfunction or cease to function;
- (d) when an event referred to in paragraph (b) or (c) is detected, set off a continuous alarm signal that is both audible and visible to a person in the service of the licensee or of an alarm monitoring service under contract to the licensee; and
- (e) function continuously to detect the unauthorized removal of nuclear substances from the area.
Site Access Status
Site access status
23 (1) A person must not enter or remain in a nuclear facility unless they
- (a) have a site access status granted by the licensee that carries out licensed activities at the facility;
- (b) are escorted at all times by a person who has a site access status;
- (c) are a member of the off-site response force, peace officer or member of another external emergency response force who requires access to the facility for the purpose of carrying out their duties; or
- (d) are an inspector who is designated under section 29 of the Act to carry out inspections at a nuclear facility or a person chosen by such an inspector under section 33 of the Act to accompany them.
Information to verify
(2) Before granting a site access status to a person, a licensee must verify the following documents and information in respect of the person:
- (a) two pieces of valid government-issued identification, one of which must be photo identification;
- (b) a record showing the results of a criminal record check, which may be fingerprint-based;
- (c) their personal history, composed of their educational history, professional qualifications, employment history and character references; and
- (d) if their personal history cannot be established for the last five years, information relating to their trustworthiness including, if available, the results of a criminal record check from each country in which they have resided for one or more years in the last five years.
Term
(3) A site access status may be granted for any term not exceeding 10 years and must be subject to any terms and conditions necessary to minimize the risk to the security of the nuclear facility.
Site access status — equivalent
24 (1) For the purposes of these Regulations, a person is deemed to have been granted a site access status by a licensee if, rather than granting a site access status, the licensee accepts any of the following statuses or clearances in respect of the person:
- (a) a Reliability, Secret or Top Secret clearance granted under the Standard on Security Screening; or
- (b) a site access status, site access clearance or enhanced security clearance granted by another licensee.
Record
(2) A licensee that accepts a status or clearance under subsection (1) must keep a record that indicates how it verified that the person has the status or clearance.
Factors
25 A licensee may grant a site access status to a person only if, after considering the documents and information obtained under subsection 23(2), it determines that the person does not pose an unreasonable risk to the health or safety of persons or the security of the nuclear facility.
List of persons
26 (1) A licensee must establish and keep a list of the persons who have a site access status.
List to be provided
(2) A licensee must, on request, provide the list to the Commission or to an inspector designated under section 29 of the Act.
Revocation
27 (1) A licensee must revoke a person’s site access status if
- (a) the licensee concludes, based on an investigation, that the person poses or could pose an unreasonable risk to the health or safety of persons or the security of the facility;
- (b) the person is no longer employed by or otherwise under contract to the licensee;
- (c) the duties or functions of the person have been completed, suspended or otherwise terminated;
- (d) the person no longer requires the site access status to perform their duties or functions; or
- (e) the person provided false or misleading information in order to obtain the status.
Commission to be notified
(2) The licensee must notify the Commission in writing of any revocation made under paragraph (1)(a) within five working days after the day on which the site access status is revoked.
Access Control
Access to Nuclear Facility
Requirements
28 (1) A licensee must ensure that every person who enters or remains in a nuclear facility at which it carries on licensed activities is permitted to do so under subsection 23(1).
Identity verification
(2) The licensee must ensure that the identity of a person entering the nuclear facility is verified
- (a) in the case of a person who has site access status, by proof of their site access status and using a device capable of verifying their identity; or
- (b) in any other case, by two pieces of valid government-issued identification, one of which must be photo identification.
Removal of nuclear substances
29 A licensee must ensure that nuclear substances are not removed from a nuclear facility at which it carries on licensed activities except in accordance with a licence.
Detection of unauthorized removal
30 (1) If a licensee detects the unauthorized removal of nuclear substances from a nuclear facility at which it carries on licensed activities, it must
- (a) determine the reason for the unauthorized removal; and
- (b) assess and immediately respond to the unauthorized removal.
Record
(2) The licensee must keep a record that sets out the process by which it will ensure that any unauthorized removal of nuclear substances from the facility is dealt with in accordance with subsection (1).
Entry of land vehicles
31 A licensee must not permit a land vehicle to enter a nuclear facility unless
- (a) there is an operational requirement for the vehicle to be there and it is searched for explosive substances, weapons, threat items and unauthorized persons; or
- (b) it is used by a member of the off-site response force, peace officer or member of another external emergency response force for the purpose of carrying out their duties.
Searches
Sign regarding searches
32 (1) A licensee must post, at the entrance to a nuclear facility that is not a high-security site, a sign that is visible to any person who is about to enter the facility that states, in English and French, that the licensee must not
- (a) permit land vehicles to enter the facility unless they are searched for explosive substances, weapons, threat items and unauthorized persons; or
- (b) permit persons to leave the facility unless they allow themselves and everything in their possession, including any land vehicle, to be searched for Category I, II and III nuclear material by a person authorized by the licensee to do so or screened for such material using devices capable of detecting such material.
High-security site
(2) A licensee must post, at the entrance to a high-security site, a sign that is visible to any person who is about to enter the facility that states, in English and French, that the licensee must not
- (a) permit land vehicles to enter the facility unless they are searched for explosive substances, weapons, threat items and unauthorized persons; or
- (b) permit persons to leave the facility unless they allow themselves and everything in their possession, including any land vehicle, to be searched for Category I, II and III nuclear material by a nuclear security officer using devices capable of detecting such material.
Search or screening on leaving
33 (1) Subject to section 34, a licensee must not permit any person to leave a nuclear facility unless, on leaving the facility, the person and everything in their possession, including any land vehicle,
- (a) are searched for Category I, II and III nuclear material by a person authorized by the licensee to do so or screened for such material using devices capable of detecting it, in the case of a nuclear facility that is not a high-security site; and
- (b) are searched for Category I, II and III nuclear material by a nuclear security officer using devices capable of detecting such material, in the case of a nuclear facility that is a high-security site.
Conduct of search or screening
(2) The search or screening must be
- (a) a non-intrusive search or screening carried out by means of a hand-held scanner, a walk-through scanner equipped with a metal detector or any similar device; or
- (b) if a nuclear security officer or person authorized by the licensee determines that it is necessary in order to maintain security, a frisk search carried out by a person of the same sex as the person being searched and extending from head to foot, down the front and rear of the body, around the legs and inside clothing folds, pockets and footwear.
Exception – search
34 (1) The search requirement set out in paragraph 33(1)(b) does not apply in respect of a person whose identity as a nuclear security officer or a member of an on-site nuclear response force has been verified in accordance with subsection 28(2) and who requires emergency egress from a high-security site for the purposes of carrying out their duties.
Exception — search or screening
(2) The requirement for a search or screening set out in subsection 33(1) does not apply in respect of a person who satisfactorily establishes, through the provision of identification or other evidence, that they are a member of an off-site response force, peace officer or member of another external emergency response force and who requires, as verified by a person authorized by the licensee to do so, emergency egress from a nuclear facility for the purposes of carrying out their duties.
PART 2
High-security Sites
Application
Application
35 This Part applies in respect of high-security sites.
Licence Application
Information in application
36 In addition to meeting the requirements of paragraph 3(a), the nuclear security plan in an application for a licence must contain
- (a) in the description of the proposed nuclear security system, a description of the central alarm station and the physical barriers, structures, devices and nuclear security measures in respect of each protected area, inner area and vital area;
- (b) a description of the potential targets of sabotage — including the protected areas, inner areas and vital areas — and their location;
- (c) information about the organizational structure, duties and responsibilities and training of nuclear security officers, the procedures to be followed by these officers and the minimum number of nuclear security officers and other personnel who carry out duties or functions related to security;
- (d) if there is no on-site nuclear response force proposed for the nuclear facility, a description of the nuclear security measures referred to in paragraph 43(4)(a);
- (e) a description of the on-site and off-site communications equipment, systems and procedures;
- (f) the tactical deployment plans developed with the off-site response force; and
- (g) any other information related to the protection of inner areas.
Design Basis Threat
Design basis threat
37 (1) The Commission must identify any threat involving any person or group that may have the capability, motivation and intent to attempt the following acts in respect of a high-security site:
- (a) the sabotage of the high-security site; or
- (b) the unauthorized removal of Category I or II nuclear material from the high-security site.
Commission informs licensees
(2) The Commission must inform each licensee of the design basis threats that are applicable to the high-security site at which the licensee carries on licensed activities.
Nuclear security system
38 (1) A licensee must design the nuclear security system taking into account the design basis threats and any other threat identified in a threat and risk assessment, evaluate the ability of the system to respond to those threats and make modifications to the system as necessary.
Nuclear security measures
(2) The licensee must implement nuclear security measures that ensure an effective intervention, taking into account the design basis threats and any other threat identified in the threat and risk assessment.
Record
(3) The licensee must keep a record that sets out the process it has put in place to design the nuclear security system and modify the system.
Nuclear Security Officers
Number and duties
39 (1) A licensee must have available at all times at a nuclear facility at which it carries on licensed activities a sufficient number of nuclear security officers to
- (a) conduct patrols and control and monitor the movement of persons, materials and vehicles at the facility, including in the limited access area;
- (b) conduct searches of persons, materials and vehicles for weapons, explosive substances, threat items and nuclear substances;
- (c) assess and respond to security incidents;
- (d) apprehend and detain unarmed intruders;
- (e) observe and report on the movements of armed intruders;
- (f) assist in making effective interventions against intruders;
- (g) operate nuclear security systems and measures; and
- (h) carry out any other duties and functions of nuclear security officers under these Regulations.
Record
(2) The licensee must keep a record of the duties and responsibilities of its nuclear security officers and give a copy of the record to each of them.
Equipment
40 A licensee must provide the nuclear security officers with the necessary equipment, devices and apparel to permit them to perform the duties referred to in section 39.
Training, competency and qualifications
41 (1) A licensee must ensure that a nuclear security officer does not carry out duties or responsibilities unless they have received initial training and any relevant follow-up training in respect of the duties or responsibilities and are competent and qualified to carry them out.
Follow-up training
(2) The licensee must ensure that each of its nuclear security officers receives follow-up training to inform them of any change in
- (a) their duties and responsibilities in responding to security incidents;
- (b) security procedures and nuclear security measures that have an impact on their duties and responsibilities;
- (c) threats identified in a threat and risk assessment that are relevant to their duties and responsibilities; or
- (d) the obligations of the licensee in relation to nuclear security, including its obligations under the Act and its regulations.
Record
(3) The licensee must keep a record of the training received by each of its nuclear security officers.
Record — firearms
42 The licensee must keep a record that indicates the name of each of its nuclear security officers whose duties and responsibilities require them to be equipped with a firearm and whether they are a member of the on-site nuclear response force and whether they are authorized to carry firearms in Canada and trained and qualified to use them.
Security Requirements
On-site nuclear response force
43 (1) Subject to subsection (4), the licensee must maintain an on-site nuclear response force that, in combination with the nuclear security measures for the facility, is capable of making an effective intervention taking into account the design basis threats and any other threat identified in the threat and risk assessment.
Equipment
(2) The licensee must provide nuclear security officers who are members of the on-site nuclear response force with the necessary equipment, devices and apparel to permit them to make an effective intervention, taking into account the design basis threats and any other threat identified in the threat and risk assessment.
Firearms
(3) The licensee must ensure that the nuclear security officers who are members of its on-site nuclear response force are authorized to carry firearms in Canada and are trained and qualified to use them.
Exception
(4) The licensee is not required to maintain an on-site nuclear response force in accordance with subsection (1) if it
- (a) implements additional nuclear security measures that are capable of ensuring an effective intervention, taking into account the design basis threats and any other threat identified in the threat and risk assessment;
- (b) ensures that a sufficient number of off-site response force members are available to make an effective intervention and are equipped, trained and qualified to do so; and
- (c) at least 90 days before the first day on which the nuclear facility is to operate without an on-site nuclear response force, provides to the Commission notice in writing of its intent not to maintain one and a description of the measures referred to in paragraph (a).
Arrangements with off-site response force
44 In addition to meeting the requirements of subsection 13(2), the arrangements with the off-site response force must provide for
- (a) a process for notifying the on-site nuclear response force, if any, immediately if an alarm signal is received from an area where nuclear substances are produced, processed, used or stored;
- (b) capability at all times for immediate and continuous communication among the central alarm station, nuclear security officers and the off-site response force;
- (c) the means by which the off-site response force is to assist the on-site nuclear response force, if any, at the request of the licensee, in making an effective intervention; and
- (d) the roles and responsibilities of the on-site nuclear response force, if there is one, in responding to security incidents;
- (e) the availability of sufficient personnel to make an effective intervention, if there is no on-site nuclear response force; and
- (f) annual consultation between the licensee and the off-site response force regarding tactical response and deployment arrangements that include effective communications, command of the response to security incidents, joint training and exercises and any other matter related to the security of the nuclear facility.
Requirements for other off-site response force
45 The licensee may use an off-site response force other than a local, regional, provincial or federal police force or Canadian Forces unit or combination of such forces or units only if the force that it uses is capable of making an effective intervention at the nuclear facility, taking into account the design basis threats and any other threat identified by a threat and risk assessment and consists of persons who are authorized to carry firearms in Canada and trained and qualified to use them.
Contingency plan
46 A licensee must develop and maintain a contingency plan to ensure that an effective intervention can be made, taking into account the design basis threats and any other threat identified by a threat and risk assessment.
Security drill and exercise program
47 (1) A licensee must implement a security drill and exercise program that
- (a) verifies and evaluates the effectiveness of the contingency plan and the nuclear security system and the readiness of security personnel; and
- (b) provides for all of the elements of the plan and the system to be verified and evaluated, including measures for the transport of nuclear substances.
Update
(2) The licensee must update the program after each security exercise taking into account the results of the evaluations carried out after the security exercise and security drills that have taken place since the previous security exercise.
Security drill
48 (1) A licensee must conduct a security drill at least once every 30 days to test the operation of one or more elements of the contingency plan or nuclear security measures and the readiness of its security personnel.
Record
(2) Each time it conducts a security drill, the licensee must create a record that contains
- (a) an outline of the drill scenario;
- (b) an evaluation of the effectiveness of the elements of the contingency plan and the nuclear security measures that were tested and the readiness of security personnel; and
- (c) a description of any corrective actions that are necessary, taking into account the evaluation.
Security exercise
49 (1) A licensee must, in cooperation with the off-site response force, conduct a security exercise at least once every two years that tests
- (a) the ability of the elements of the contingency plan and the nuclear security measures that are tested to ensure an effective intervention, taking into account the design basis threats and any other threat identified by a threat and risk assessment; and
- (b) the readiness of security personnel and the off-site response force to respond to those threats.
Notice to Commission
(2) The licensee must notify the Commission in writing of its intent to conduct a security exercise at least four months before the date of the exercise.
Record
(3) Each time it conducts a security exercise, the licensee must create a record that contains
- (a) an outline of the exercise scenario;
- (b) an evaluation of the effectiveness of the elements of the contingency plan and the nuclear security measures that were tested and the readiness of security personnel and the off-site response force; and
- (c) a description of any corrective actions that are necessary, taking into account the evaluation.
Corrective action plan
(4) If a corrective action referred to in paragraph 3(c) involves a phased approach, the licensee must create a corrective action plan that sets out
- (a) the reasons for the corrective action;
- (b) a rationale for the phased approach; and
- (c) a timetable setting out when each phase of the corrective action plan will be completed.
Corrective actions
(5) The licensee must implement the corrective actions and, if applicable, must do so according to the timetable referred to in paragraph (4)(c).
Submission to Commission
(6) The licensee must, within 90 days after the day on which the security exercise is completed, submit to the Commission the record referred to in subsection (3) together with the corrective action plan, if any.
Central Alarm Station
Central alarm station
50 (1) A licensee must ensure that the nuclear security measures referred to in paragraphs 67(2)(a), 70(1)(a), 72(1)(a) and 75(1)(a) are monitored from a central alarm station.
Requirements
(2) The central alarm station must
- (a) be located outside any inner area or vital area;
- (b) be designed, constructed and situated so as to resist forced entry by the use of hand-held tools, weapons, explosive substances or vehicles, taking into account the design basis threats and any other threat identified in a threat and risk assessment, and to reduce its vulnerability to damage caused by the use of those things until an effective intervention can be made;
- (c) be attended at all times by at least one central alarm station operator;
- (d) if it is not attended by at least two central alarm station operators, be equipped with independent measures to prevent the central alarm station operator from tampering with, compromising or disabling any nuclear security measure in the central alarm station;
- (e) be located and equipped so as to enable a central alarm station operator inside the central alarm station to receive, assess and acknowledge the alarm signals referred to in subparagraphs 70(1)(a)(iii), 70(1)(b)(ii), 72(1)(a)(iii) and 72(1)(b)(ii); and
- (f) be equipped with devices that
  - (i) enable and record secure communication with nuclear security officers, nuclear security support persons and the off-site response force and are designed and installed so that the failure of one of the devices does not prevent that communication, and
  - (ii) will cause an alarm when an attempt is made to disable the nuclear security system and create a record of the attempt.
Access
(3) A licensee must not permit a person to enter the central alarm station unless the person must enter it to perform their duties and either is a member of security personnel or is authorized by the licensee to do so.
Definition of hand-held tool
(4) For the purposes of paragraph (2)(b), hand-held tool means an electric or manual portable tool that could be used to defeat a nuclear security system or nuclear security measure and includes a bolt cutter, pliers, a saw, a thermic lance and a cutting torch.
Secondary alarm station
51 A licensee must establish a secondary alarm station that is
- (a) located separately from the central alarm station; and
- (b) designed and equipped to monitor and operate the nuclear security system, devices and measures that are otherwise monitored or operated from the central alarm station in the event that the central alarm station is not functioning until the central alarm station is returned to its normal operation.
Clearances
Site Access Clearance
Site access clearance
52 (1) A person must not enter or remain in a high-security site unless they
- (a) have a site access clearance granted by the licensee that carries out licensed activities at the site;
- (b) are escorted at all times by a person who has a site access clearance;
- (c) are a member of the off-site response force, peace officer or member of another external emergency response force who requires access to the site for the purpose of carrying out their duties; or
- (d) are an inspector who is designated under section 29 of the Act to carry out inspections at a nuclear facility or a person chosen by such an inspector under section 33 of the Act to accompany them.
Information to verify
(2) Before granting a site access clearance to a person, a licensee must verify the following documents and information in respect of the person:
- (a) two pieces of valid government-issued identification, one of which must be photo identification;
- (b) a record showing the results of a criminal record check, which may be fingerprint-based;
- (c) their personal history, composed of their educational history, professional qualifications, employment history and character references;
- (d) if their personal history cannot be established for the last five years, information relating to the trustworthiness of the person including, where available, the results of a criminal record check from each country in which they have resided for one or more years in the last five years; and
- (e) a Canadian Security Intelligence Service security assessment in respect of the person.
Term
(3) A site access clearance may be granted for any term not exceeding ten years and must be subject to any terms and conditions necessary to minimize the risk to the security of the high-security site.
Deemed site access clearance
53 (1) For the purposes of these Regulations, a person is deemed to have been granted a site access clearance by a licensee if, rather than granting a site access clearance, the licensee accepts any of the following clearances in respect of the person:
- (a) a Secret or Top Secret clearance granted under the Standard on Security Screening; or
- (b) a site access clearance or enhanced security clearance granted by another licensee.
Record
(2) A licensee that accepts a status or clearance under subsection (1) must keep a record that indicates how it verified that the person has the status or clearance.
Enhanced Security Clearance
Enhanced security clearance
54 (1) A licensee must not permit a person employed by or otherwise under contract to them to carry out duties or responsibilities of security personnel or related to nuclear security intelligence unless the person has an enhanced security clearance granted by the licensee.
Information to verify
(2) Before granting an enhanced security clearance to a person, a licensee must obtain the information referred to in subsection 52(2), as well as the results of a credit check on the person.
Term
(3) An enhanced security clearance may be granted for any term not exceeding five years and must be subject to any terms and conditions necessary to minimize the risk to the security of the nuclear facility.
Clearance — equivalent
(4) For the purposes of these Regulations, a person is deemed to have been granted an enhanced security clearance by a licensee if, rather than granting that clearance, the licensee accepts a Top Secret clearance granted under the Standard on Security Screening in respect of the person.
Deemed site access clearance
55 A person to whom a licensee has granted an enhanced security clearance is deemed also to have been granted a site access clearance by that licensee.
Clearance Assessment, List and Revocation
Factors
56 A licensee may grant a site access clearance or enhanced security clearance to a person only if it determines that the person does not pose an unreasonable risk to the health or safety of persons or the security of the nuclear facility, considering the information obtained under subsection 52(2) or subsection 54(2) and taking the following factors into account:
- (a) the relevance of the information, including the circumstances of the underlying events or convictions, their seriousness, number and frequency, the date of the last event or conviction and any sentence or other disposition;
- (b) whether it is known or there are reasonable grounds to suspect that the person
  - (i) is or has been involved in — or contributes or has contributed to — criminal offences or acts of violence against persons or property,
  - (ii) is or has been involved in — or contributes or has contributed to — activities that constitute threats to the security of Canada as defined in section 2 of the Canadian Security Intelligence Service Act,
  - (iii) is or has been a member of a terrorist group as defined in subsection 83.01(1) of the Criminal Code or is or has been involved in — or contributes or has contributed to — the activities of such a group,
  - (iv) is or has been a member of a criminal organization as defined in subsection 467.1(1) of the Criminal Code or participates or has participated in — or contributes or has contributed to — activities of such an organization as described in that subsection, or
  - (v) is or has been associated with anyone who is known to be involved in or to contribute to — or in respect of whom there are reasonable grounds to suspect involvement in or contribution to — activities referred to in subparagraph (i) or (ii), or who is a member of a group or organization referred to in subparagraph (iii);
- (c) whether there are reasonable grounds to suspect that the person is in a position in which there is a risk that they could be induced to commit an act or to assist or abet any person to commit an act that might constitute an unreasonable risk to the health or safety of persons or the security of the nuclear facility;
- (d) whether a clearance issued in respect of the person has previously been revoked;
- (e) whether the person has provided false or misleading information in order to obtain the clearance; and
- (f) any other relevant information to enable the licensee to assess the risk.
List of persons
57 (1) A licensee must establish and keep a list of the persons who have a site access clearance and those who have an enhanced security clearance.
List to be provided
(2) A licensee must, on request, provide the list to the Commission or to a person who is designated as an inspector under section 29 of the Act.
Revocation
58 (1) A licensee must revoke a person’s site access clearance or enhanced security clearance if
- (a) the licensee concludes, based on an investigation, that the person poses or could pose an unreasonable risk to the health or safety of persons or the security of the facility;
- (b) the person is no longer employed by or otherwise under contract to the licensee;
- (c) the duties or functions of the person have been completed, suspended or otherwise terminated;
- (d) the person no longer requires the clearance in order to perform their duties; or
- (e) the person provided false or misleading information in order to obtain the clearance.
Commission to be notified
(2) The licensee must notify the Commission in writing of any revocation made under paragraph (1)(a) within five working days after the revocation.
Security Personnel
Nuclear Security Officer, Nuclear Security Support Person and Central Alarm Station Operator
Authorization — nuclear security officer
59 (1) A person must not act as a nuclear security officer without the written authorization of the licensee.
Initial training
(2) Before granting the authorization to a person, the licensee must ensure that the person has received initial training in relation to the following topics, as relevant to the duties and responsibilities of nuclear security officers at the high-security site for which the authorization is to be issued, and has been evaluated on their knowledge of these topics:
- (a) first aid;
- (b) their duties and responsibilities in responding to security incidents;
- (c) security procedures and nuclear security measures at the high-security site;
- (d) threats to nuclear security, including sabotage and the unauthorized removal of nuclear substances; and
- (e) the obligations of the licensee in relation to nuclear security, including its obligations under the Act and its regulations.
Assessment
(3) No earlier than 30 days before granting the authorization to a person, the licensee must assess the person’s knowledge of the relevant security duties and responsibilities and their ability to carry them out.
Follow-up training
(4) Before granting the authorization to a person who has previously been granted one, the licensee must ensure that the person has received any follow-up training that is relevant to the duties and responsibilities of its nuclear security officers.
Authorization — nuclear security support person
60 A person must not act as a nuclear security support person without the written authorization of the licensee.
Requirements for authorization
61 (1) Before granting the authorization referred to in subsection 59(1) or section 60 to a person, the licensee must ensure that the person has an enhanced security clearance granted by the licensee and must obtain from the person
- (a) documentary proof that the person is a Canadian citizen or a permanent resident as defined in subsection 2(1) of the Immigration and Refugee Protection Act;
- (b) a certificate that is signed by a duly qualified medical practitioner certifying that the person does not have a medical condition that would prevent them from performing the tasks that are likely to be assigned by the licensee;
- (c) a certificate that is signed by a fitness consultant recognized by the Canadian Society for Exercise Physiology or a person with equivalent or higher qualifications certifying that the person is physically able to perform the tasks that are likely to be assigned by the licensee; and
- (d) a certificate that is signed by a duly qualified psychologist certifying that the person is psychologically able to perform the tasks that are likely to be assigned by the licensee.
Period of validity
(2) The authorization may be granted for any term not exceeding five years and must be subject to any terms and conditions necessary to minimize the risk to the security of the nuclear facility.
Copy of information and documents
(3) A licensee must give to a person for whom an authorization referred to in subsection (1) has been sought, at the person’s request, a copy of any information or documents relating to the authorization that are in the licensee’s possession that were submitted to the licensee by or on behalf of the person.
Deemed authorizations
62 (1) A person to whom a licensee has granted an authorization under subsection 59(1) or section 60 is deemed also to have been granted, in respect of the same high-security site for which the authorization is granted, an authorization to enter a protected area under section 76 and an authorization to enter an inner area under section 79.
Authorization — central alarm station operator
(2) A person to whom a licensee has granted an authorization under subsection 59(1) and who has completed the training referred to in subsection 63(3) is deemed also to have been granted an authorization to act as a central alarm station operator under subsection 63(1) in respect of the same high-security site while they are on duty in the central alarm station.
Central alarm station operator
63 (1) A person must not act as a central alarm station operator without the written authorization of the licensee.
Clearance and documents
(2) Before issuing the authorization referred to in subsection (1), the licensee must ensure that the person has an enhanced security clearance granted by the licensee and must obtain from the person the following documents:
- (a) a certificate that is signed by a duly qualified medical practitioner certifying that the person does not have a medical condition that would prevent them from performing the tasks that are likely to be assigned by the licensee; and
- (b) a certificate that is signed by a duly qualified psychologist certifying that the person is psychologically able to perform the tasks that are likely to be assigned by the licensee.
Training
(3) The licensee must also ensure that the person has received training related to the following topics:
- (a) the operation of the central alarm station;
- (b) their duties and responsibilities in responding to security incidents;
- (c) security procedures and nuclear security measures at the high-security site where the person is employed;
- (d) threats to nuclear security, including sabotage and the unauthorized removal of nuclear substances; and
- (e) the obligations of the licensee in relation to nuclear security, including its obligations under the Act and its regulations.
Period of validity
(4) An authorization referred to in subsection (1) may be granted for any term not exceeding five years and must be subject to any terms and conditions necessary to minimize the risk to the security of the facility.
List of authorized persons
64 (1) A licensee must establish and keep a list of the persons who have an authorization under subsection 59(1) or section 60 or 63.
List to be provided
(2) The licensee must, on request, provide the list to the Commission or to a person who is designated as an inspector under section 29 of the Act.
Nuclear Security Support Person With Escort
Authorization
65 (1) A person who does not have the authorization referred to in section 60 may act as a nuclear security support person and enter a protected area and an inner area if they do so for the purpose of performing duties required by the licensee, have the written authorization of the licensee and are escorted at all times
- (a) within a protected area by a person who has the authorization referred to in section 60; and
- (b) within the inner area by two persons, one of whom has the authorization referred to in section 60 and the other of whom has the authorization referred to in section 79.
Required information
(2) The licensee must, before granting an authorization under subsection (1), obtain the following information:
- (a) the name of the person for whom the authorization is sought;
- (b) the address of the person’s principal residence;
- (c) the name and business address of the person’s employer; and
- (d) a copy of two pieces of valid government-issued identification, one of which must be photo identification.
Condition
(3) The authorization must be subject to the condition that the person in respect of whom it is granted must be escorted in accordance with subsection (1).
Nuclear Security Measures
Power Supply
Uninterrupted power supply
66 A high-security site must be equipped with devices that, in the event of the loss of power, maintain an uninterrupted power supply for a period sufficient to allow for an alternate continuous power supply to be implemented for all nuclear security measures that require a power supply and are described in the nuclear security plan.
Protected Area
Perimeter — physical barriers
67 (1) A protected area must be enclosed by at least two physical barriers, including one interior barrier at the perimeter of the protected area and one exterior barrier that encloses the interior barrier.
Perimeter — nuclear security measures
(2) The perimeter of the protected area must
- (a) be equipped with two or more different nuclear security measures that
- (i) detect intrusion or attempted intrusion and that are designed and installed so that the failure of one measure does not prevent the intrusion or attempted intrusion from being detected and an alarm from being set off,
- (ii) detect any tampering or attempted tampering that may cause any of the measures referred to in subparagraph (i) or (iv) to malfunction or cease to function,
- (iii) when an event referred to in subparagraph (i) or (ii) is detected, set off an alarm signal that is both audible and visible in the central alarm station and that can be stopped only by a central alarm station operator inside that station, and
- (iv) facilitate an immediate assessment of the cause of the alarm by a central alarm station operator; and
- (b) if a measure referred to in paragraph (a) is not functional, be kept under the direct visual surveillance of a nuclear security officer who is equipped with
- (i) a device that enables communication with the central alarm station, and
- (ii) a device that can set off a continuous alarm signal that is audible and visible in the central alarm station and can be stopped only by a central alarm station operator inside that station.
Design, construction and implementation
(3) The physical barriers must be designed and constructed and the other nuclear security measures must be designed and implemented to
- (a) provide sufficient time for the off-site response force or, if any, on-site nuclear response force to respond to any intrusion into the protected area; and
- (b) reduce the risk of forced entry into the protected area by any vehicle.
Continuous physical barrier
(4) Permanent security facilities such as guard posts and vehicle portals may join with the exterior and interior physical barriers provided that a continuous barrier is maintained.
Means of entry or exit
(5) Each gate, door, window or other means of entry or exit in a physical barrier must be constructed so that it can be closed and securely locked to resist unauthorized entry.
Closed and locked
(6) The means of entry or exit must be kept closed and locked except when persons or land vehicles are entering or exiting the protected area under the direct visual surveillance of a nuclear security officer.
Unobstructed area
68 (1) The physical barriers that enclose a protected area must be separated by an unobstructed area at least 5 m wide that is free from any structures, equipment or other obstructions that could be used to penetrate, breach or surmount the physical barrier or to restrict observation of the area.
Requirements
(2) The unobstructed area must be
- (a) continuously and uniformly illuminated at an intensity sufficient to permit clear observation and assessment of the movement of any person or object within the unobstructed area; and
- (b) equipped with devices or technology, in addition to the measures referred to in paragraph 67(2)(a), that permit observation and assessment of the cause of any alarm at all times.
Vehicle barrier
69 The exterior barrier referred to in subsection 67(1) must be surrounded by an additional barrier that is designed to protect against the forced entry of land vehicles and, if the protected area is adjacent to a body of water, vessels into the protected area.
Nuclear security measures
70 (1) A protected area must be
- (a) equipped with nuclear security measures that
- (i) detect intrusion or attempted intrusion and that are designed and installed so that the failure of one measure does not prevent the intrusion or attempted intrusion from being detected and an alarm from being set off,
- (ii) detect any tampering or attempted tampering that may cause any of the measures referred to in subparagraph (i) or (iv) to malfunction or cease to function,
- (iii) when an event referred to in subparagraph (i) or (ii) is detected, set off an alarm signal that is both audible and visible in the central alarm station and that can be stopped only by a central alarm station operator inside that station,
- (iv) facilitate an immediate assessment of the cause of the alarm by a central alarm station operator, and
- (v) detect the unauthorized removal of Category I, II or III nuclear material from the area; and
- (b) if a measure referred to in paragraph (a) is not functional, kept under the direct visual surveillance of a nuclear security officer who is equipped with
- (i) a device that enables communication with the central alarm station, and
- (ii) a device that can set off a continuous alarm signal that is audible and visible in the central alarm station and can be stopped only by a central alarm station operator inside that station.
Access control system
(2) A protected area must be equipped with an access control system that is
- (a) capable of recording each attempt to access the protected area and verifying the identity of the authorized person who enters the protected area by means of an access card reader and a device that uses biometric information; and
- (b) monitored to ensure that any tampering or attempt to tamper with the system is detected and assessed.
Inner Area
Structure or physical barrier
71 (1) Each inner area must be totally enclosed by a structure or physical barrier that is
- (a) located at least 5 m away from every point in the interior barrier that encloses the protected area; and
- (b) designed and constructed to, alone or in combination with other physical barriers, structures or nuclear security measures, prevent anyone who has, through the use of weapons or explosive substances or by using equipment, tools or techniques to breach the inner area, gained unauthorized access to Category I nuclear material from removing that material from that inner area before an effective intervention can be made.
Closed and locked
(2) Each gate, door, window or other means of entry or exit in the structure or barrier that encloses an inner area must be kept closed and locked with a device that, from outside the structure or barrier, can only be unlocked by two persons authorized under section 79 using two different means of access control at the same time.
Nuclear security measures
72 (1) Each inner area must be
- (a) equipped with nuclear security measures that
- (i) employ two independent systems that detect intrusion into, and unauthorized movement within and out of, the inner area,
- (ii) detect any tampering or attempted tampering that may cause any of the measures referred to in subparagraph (i) or (iv) to malfunction or cease to function,
- (iii) when an event referred to in subparagraph (i) or (ii) is detected, set off two independent continuous alarm signals each of which is both audible and visible, one in the central alarm station that can be stopped only by a central alarm station operator inside that station, and the other in at least one other attended place outside the inner area that can be stopped only from that place by a person who is authorized under section 79 to enter the inner area,
- (iv) facilitate an immediate assessment of the cause of an alarm, and
- (v) detect the unauthorized removal of Category I, II or III nuclear material from the area; and
- (b) if a measure referred to in paragraph (a) is not functional, kept under the direct visual surveillance of a nuclear security officer who is equipped with
- (i) a device that enables communication with the central alarm station, and
- (ii) a device that can set off a continuous alarm signal that is audible and visible in the central alarm station and in at least one other attended place outside of the inner area and that can be stopped only by a central alarm station operator inside that station or from that other place by a person who is authorized under section 79 to enter the inner area.
Access control system
(2) Each inner area must be equipped with an access control system that is
- (a) capable of recording each attempt to access the inner area and verifying the identity of the authorized person who enters the inner area; and
- (b) monitored to ensure that any tampering or attempt to tamper with the system is detected and assessed.
Vital Area
Identification of vital areas
73 A licensee must establish a process to identify the vital areas and keep a record that sets out that process.
Physical barrier
74 (1) Each vital area must be enclosed by a physical barrier.
Means of entry or exit
(2) Each gate, door, window or other means of entry or exit in a physical barrier must be constructed so that it can be closed and securely locked to resist unauthorized entry.
Closed and locked
(3) The means of entry or exit must be kept closed and locked except when persons are entering or exiting the protected area under the direct visual surveillance of a nuclear security officer.
Nuclear security measures
75 (1) Each vital area must be
- (a) equipped with nuclear security measures that
- (i) detect intrusion into, and unauthorized movement within and out of, the vital area,
- (ii) detect any tampering or attempted tampering that may cause any of the measures referred to in subparagraph (i) or (iv) to malfunction or cease to function,
- (iii) when an event referred to in subparagraph (i) or (ii) is detected, set off a continuous alarm signal which is both audible and visible in the central alarm station and in at least one other attended place outside the vital area and can be stopped only from the central alarm station by a central alarm station operator or from that other place by a person who is authorized under section 83 to enter the vital area,
- (iv) facilitate an immediate assessment of the cause of an alarm, and
- (v) detect the unauthorized removal of Category I, II or III nuclear material from the area; and
- (b) if a measure referred to in paragraph (a) is not functional, kept under the direct visual surveillance of a nuclear security officer who is equipped with
- (i) a device that enables communication with the central alarm station, and
- (ii) a device that can set off a continuous alarm signal that is both audible and visible in the central alarm station and in at least one other attended place outside the vital area and can be stopped only from the central alarm station by a central alarm station operator or from that other place by a person who is authorized under section 83 to enter the vital area.
Access control system
(2) Each vital area must be equipped with an access control system that is
- (a) capable of recording each attempt to access the vital area and verifying the identity of the authorized person who enters the vital area; and
- (b) monitored to ensure that any attempt to tamper with the system is detected and assessed.
Authorizations to Enter Protected, Inner and Vital Areas
Protected Area
Authorization to enter protected area
76 (1) A person must not enter a protected area unless they have a site access clearance and the written authorization of the licensee.
Identification report
(2) A licensee must, before granting an authorization to enter a protected area to a person, ensure that the person has a site access clearance and prepare an identification report that contains the following information and documents:
- (a) the person’s name and date and place of birth;
- (b) documentary proof of the person’s lawful presence in Canada;
- (c) the address of the person’s principal residence;
- (d) a photograph depicting a frontal view of the person’s face;
- (e) the person’s occupation;
- (f) documentary proof that the person has a site access clearance;
- (g) documentary proof of the person’s radiation protection training; and
- (h) the documents that the licensee verified before granting the site access clearance to the person.
Period of validity
(3) An authorization to enter a protected area may be granted for any term not exceeding five years and must be subject to any terms and conditions necessary to minimize the risk to the security of the nuclear facility.
Copy of information and documents
(4) The licensee must give to a person who has sought an authorization to enter a protected area, on the person’s request, a copy of any information or documents referred to in subsection (2) that the licensee possesses.
Authorization — with escort
77 (1) Despite subsection 76(1), a person may enter a protected area if they have an authorization granted by the licensee under subsection (2) and are escorted in accordance with the conditions of the authorization.
Requirements
(2) A licensee may grant an authorization to enter a protected area to a person without ensuring that the person has a site access clearance or preparing the identification report referred to in subsection 76(2) if
- (a) the person provides documentary proof of their name and address and two valid pieces of government-issued identification, one of which is photo identification; and
- (b) the authorization is subject to the condition that the person is escorted within the protected area at all times by a person who has an authorization granted under section 76.
Record of authorized persons
78 (1) A licensee must
- (a) keep a record of the name of each person to whom an authorization to enter a protected area has been granted;
- (b) retain the record for one year after the authorization expires or is revoked; and
- (c) make a copy of the record available to its nuclear security officers.
Record to be provided to Commission
(2) A licensee must, on request, provide the record to the Commission or to a person who is designated as an inspector under section 29 of the Act.
Inner Area
Authorization to enter inner area
79 (1) A person must not enter an inner area unless they have the written authorization of the licensee.
Enhanced security clearance required
(2) The licensee must not grant a person an authorization to enter an inner area unless the person has an enhanced security clearance.
Period of validity
(3) An authorization to enter an inner area may be granted for any term not exceeding five years and must be subject to any terms and conditions necessary to minimize the risk to the security of the nuclear facility.
Copy of information and documents
(4) A licensee must give to a person who has sought an authorization referred to in subsection (1), at the person’s request, a copy of any information or documents relating to the authorization that are in the licensee’s possession that were submitted to the licensee by or on behalf of the person.
Deemed authorization — protected area
80 A person to whom a licensee has granted an authorization under section 79 is deemed also to have been granted an authorization to enter a protected area.
Authorization — with escort
81 (1) Despite subsection 79(1), a person may enter an inner area if they do so for the purpose of performing duties required by the licensee, have the written authorization of the licensee and are escorted at all times within the inner area by two persons, each of whom has an authorization granted under section 79 and at least one of whom is a nuclear security officer.
Required information
(2) A licensee must, before issuing an authorization referred to in subsection (1), obtain the following information:
- (a) the name of the person for whom the authorization is sought;
- (b) the address of the person’s principal residence;
- (c) the name and business address of the person’s employer; and
- (d) documentary proof of the person’s lawful presence in Canada.
Condition
(3) The authorization must be subject to the condition that the person in respect of whom it is granted must be escorted in accordance with subsection (1).
Record of authorized persons
82 (1) A licensee must
- (a) keep a record of the name of each person to whom an authorization to enter each inner area has been granted;
- (b) retain the record for one year after the authorization expires or is revoked; and
- (c) make a copy of the record available to its nuclear security officers.
Record to be provided to Commission
(2) A licensee must, on request, provide the record to the Commission or to a person who is designated as an inspector under section 29 of the Act.
Vital Area
Authorization to enter vital area
83 (1) A person must not enter a vital area unless they have the written authorization of the licensee.
Enhanced security clearance
(2) The licensee must not grant a person an authorization to enter a vital area unless the person has an enhanced security clearance.
Period of validity
(3) An authorization to enter a vital area may be granted for any term not exceeding five years and must be subject to any terms and conditions necessary to minimize the risk to the security of the nuclear facility.
Copy of information and documents
(4) A licensee must give to a person for whom an authorization referred to in subsection (1) has been sought, at the person’s request, a copy of any information or documents relating to the authorization that are in the licensee’s possession that were submitted to the licensee by or on behalf of the person.
Record of authorized persons
84 (1) A licensee must
- (a) keep a record of the name of each person to whom an authorization to enter each vital area has been granted;
- (b) retain the record for one year after the authorization expires or is revoked; and
- (c) make a copy of the record available to its nuclear security officers.
Record to be provided to Commission
(2) A licensee must, on request, provide the record to the Commission or to a person who is designated as an inspector under section 29 of the Act.
Revocation
Revocation
85 (1) A licensee must revoke an authorization granted under this Part to a person if
- (a) the licensee concludes, based on an investigation, that the person poses or could pose an unreasonable risk to the health or safety of persons or the security of the facility;
- (b) the person is no longer employed by or otherwise under contract to the licensee;
- (c) the duties or functions of the person have been completed, suspended or otherwise terminated;
- (d) the person no longer requires the authorization in order to perform their duties; or
- (e) the person provided false or misleading information in order to obtain the authorization.
Commission to be notified
(2) The licensee must notify the Commission in writing of any revocation made under paragraph (1)(a) within five working days after the revocation.
Access Control
Prohibition on Permitting Access
Protected, inner or vital area
86 Except as otherwise provided in this Part, a licensee must not permit any person to enter or remain in a protected area, an inner area or a vital area unless the person is a member of an off-site response force, peace officer or member of another external emergency response force who requires access to that area for the purpose of carrying out their duties.
Protected Area
Identity verification
87 The identity of a person entering a protected area must be verified
- (a) in the case of a person who has an authorization granted under section 76 or 77, by two separate personnel identity verification systems, one of which must use biometric information; and
- (b) in any other case, by two pieces of valid government-issued identification, one of which must be photo identification, and a device that uses biometric information.
Unauthorized persons
88 (1) A licensee must not permit an unauthorized person to enter or remain in a protected area.
Reporting unauthorized person
(2) If a person observes anyone in a protected area who they believe, on reasonable grounds, is not authorized to be in the area, they must immediately report that fact to a nuclear security officer.
Access with escort
89 A licensee must not permit a person who has an authorization granted under section 65 or 77 to enter or remain in a protected area unless the person is escorted in accordance with section 65 or 77, as the case may be.
Vehicle portals
90 (1) A licensee must ensure that vehicle portals are used for the entry and exit of land vehicles into and from a protected area.
Gates not open
(2) The gates of a vehicle portal must not be open at the same time, except if required in the event of an emergency.
Measures when gates open
(3) If both gates of a vehicle portal are open at the same time, the vehicle portal must be either
- (a) attended by at least one member of the on-site nuclear response force who is equipped with a land vehicle; or
- (b) equipped with other measures that prevent unauthorized access to the protected area.
Operational requirement
(4) A licensee must not permit a land vehicle to enter a protected area unless there is an operational requirement for it to be there.
Weapons, explosive substances and threat items
91 A licensee must ensure that weapons, explosive substances and threat items are not taken into a protected area unless they are under the control of a nuclear security officer or a member of an on-site nuclear response force or off-site response force.
Removal of nuclear material
92 A licensee must ensure that Category I, II or III nuclear material is not removed from a protected area except in accordance with a licence.
Prohibited activities
93 A person must not
- (a) take any weapons, explosive substances or threat items into a protected area unless these are under the control of a nuclear security officer or a member of an on-site nuclear response force or an off-site response force; or
- (b) remove any Category I, II or III nuclear material from a protected area without the authorization of the licensee.
Inner Area
Requirement — two authorized persons
94 No person who is authorized under section 79 to enter an inner area may do so unless at least one other person who is also authorized to enter it does so at the same time and remains in a place where they are visible to the person.
Unauthorized persons
95 (1) A licensee must not permit an unauthorized person to enter or remain in an inner area.
Reporting unauthorized person
(2) If a person observes anyone in an inner area who they believe, on reasonable grounds, is not authorized to be in the area, they must immediately report that fact to a nuclear security officer.
Access with escort
96 A licensee must not permit a person who has an authorization granted under section 65 or 81 to enter or remain in the inner area unless the person is escorted in accordance with section 65 or 81, as the case may be.
Land vehicle
97 A licensee must not permit a land vehicle to enter an inner area unless there is an operational requirement for it to be there.
Weapons, explosive substances and threat items
98 A licensee must ensure that weapons, explosive substances and threat items are not taken into an inner area unless they are under the control of a nuclear security officer or a member of an on-site nuclear response force or an off-site response force.
Means of entry or exit
99 (1) A licensee must not permit a gate, door, window or other means of entry or exit in the structure or barrier that encloses an inner area to be unlocked, opened or kept open unless
- (a) it is kept open only for the time required to allow the passage of persons or things into or out of the inner area; and
- (b) while it is open, it is kept under the direct visual surveillance of a nuclear security officer who is dedicated exclusively to that task.
Unlocked from outside
(2) A licensee must not permit a gate, door, window or other means of entry or exit in the structure or barrier that encloses an inner area to be unlocked from the outside unless it is unlocked by two persons who are authorized to enter the inner area under section 79, at least one of whom is a nuclear security officer.
Removal of nuclear material
100 A licensee must ensure that Category I, II or III nuclear material is not removed from an inner area except in accordance with a licence.
Prohibited activities
101 A person must not
- (a) take any weapons, explosive substances or threat items into an inner area unless these are under the control of a nuclear security officer or a member of an on-site nuclear response force or an off-site response force; or
- (b) remove any Category I, II or III nuclear material from an inner area without the authorization of the licensee.
Vital Area
Unauthorized persons
102 (1) A licensee must not permit a person to enter or remain in a vital area without the written authorization of the licensee.
(2) If a person observes anyone in a vital area who they believe, on reasonable grounds, is not authorized to be in the area, they must immediately report that fact to a nuclear security officer.
Verification and recording of identity
103 The identity of any person entering a vital area must be verified by a system that records the identity of the person.
Land vehicle
104 A licensee must not permit a land vehicle to enter a vital area unless there is an operational requirement for it to be there.
Weapons, explosive substances and threat items
105 A licensee must ensure that weapons, explosive substances and threat items are not taken into a vital area unless they are under the control of a nuclear security officer or a member of an on-site nuclear response force or an off-site response force.
Removal of nuclear material
106 A licensee must ensure that Category I, II or III nuclear material is not removed from a vital area without the authorization of the licensee.
Prohibited activities
107 A person must not
- (a) take any weapons, explosive substances or threat items into a vital area unless these are under the control of a nuclear security officer or a member of an on-site nuclear response force or an off-site response force; or
- (b) remove any Category I, II or III nuclear material from a vital area without the authorization of the licensee.
Exception
Inspector
108 Subsections 76(1), 79(1), 83(1), 88(1), 95(1), and 102(1) do not apply to or in respect of an inspector who has a clearance issued under the Standard on Security Screening and is designated under section 29 of the Act to carry out inspections at a high-security site or a person chosen under section 33 of the Act to accompany them.
Searches
Sign regarding searches
109 A licensee must post, at the entrance to each protected area and inner area, a sign that is visible to any person who is about to enter the area that states, in English and French, that the licensee must not permit any person to
- (a) enter the area unless they allow themselves and everything in their possession, including any land vehicle, to be searched by a nuclear security officer for weapons, explosive substances, threat items and, in the case of a land vehicle, unauthorized persons; or
- (b) leave the area unless they allow themselves and everything in their possession, including any land vehicle, to be searched for Category I, II and III nuclear material by a nuclear security officer using devices capable of detecting such material.
Search
110 (1) Subject to section 111, a licensee must not permit any person to enter or leave a protected area or an inner area unless
- (a) on entering the area, they and everything in their possession, including any land vehicle, are searched by a nuclear security officer using appropriate detection and screening devices for weapons, explosive substances and threat items and, in the case of a land vehicle, searched by a nuclear security officer for unauthorized persons; and
- (b) on leaving the area, they and everything in their possession, including any land vehicle, are searched for Category I, II and III nuclear material and other nuclear substances by a nuclear security officer using devices capable of detecting that material.
Weapons, explosive substances or threat items
(2) A licensee that has reasonable grounds to suspect that a person who is in a protected area or an inner area has in their possession weapons, explosive substances or threat items that are not under the control of a nuclear security officer or a member of an on-site nuclear response force or off-site response force or has in their possession Category I, II or III nuclear material without the authorization of the licensee must not permit the person to remain in that area unless the person and everything in their possession, including any land vehicle, are searched by a nuclear security officer for the weapons, explosive substances, threat items or nuclear material.
Conduct of search
(3) A search of a person conducted under this section must be
- (a) a non-intrusive search carried out by means of a hand-held scanner, a walk-through scanner or any similar device; or
- (b) if a nuclear security officer determines that it is necessary in order to maintain security, a frisk search carried out by a person of the same sex as the person being searched and extending from head to foot, down the front and rear of the body, around the legs and inside clothing folds, pockets and footwear.
Search of land vehicle
(4) A search of a land vehicle conducted under this section must take place in a vehicle portal.
Exception to search requirement
111 (1) The requirement for a search set out in subsection 110(1) or (2) does not apply in respect of a nuclear security officer whose identity has been verified in accordance with section 87 and who, for the purposes of carrying out their duties, is entering a protected area or inner area on foot or requires emergency access to or egress from a nuclear facility, as the case may be.
Emergencies
(2) The requirement for a search set out in subsection 110(1) or (2) does not apply in respect of a person who satisfactorily establishes, through the provision of identification or other evidence, that they are a member of an off-site response force, peace officer or member of another external emergency response force and who requires, as verified by a nuclear security officer, emergency access to or egress from a protected area or inner area, as the case may be, for the purpose of carrying out their duties, if they are escorted
- (a) in any protected area by a person who has an authorization granted under section 76, and
- (b) in any inner area by two persons, each of whom has an authorization granted under section 79 or is a nuclear security officer.
Prohibition
112 A person who refuses to submit to a search to which they are subject under section 110 must not enter or leave a protected area or inner area.
PART 3
Licence to Transport
Application
113 This Part applies in respect of the transport of Category I, II or III nuclear material.
Exemption
114 (1) A person may, without a licence to carry on that activity, transport Category I, II or III nuclear material within an area in which the material is required by sections 19 to 21 to be produced, processed, used or stored.
Non-derogation
(2) For greater certainty, the exemption established in subsection (1) relates only to the activity specified in that subsection and does not derogate from the licence requirement imposed by section 26 of the Act in relation to other activities.
Transport security plan
115 An application for a licence to transport Category I, II or III nuclear material must contain, in addition to the other information required by section 7 of the Packaging and Transport of Nuclear Substances Regulations, 2015, a transport security plan that includes
- (a) the name, quantity, radiation level in Gy/h, chemical and physical characteristics and isotopic composition of the nuclear material;
- (b) a threat and risk assessment;
- (c) a description of the conveyance;
- (d) the proposed security measures;
- (e) a description of how the applicant will evaluate and improve the security measures, including the proposed scheduling of security exercises;
- (f) the planned route and at least one alternate route;
- (g) the tracking and communication arrangements made among the applicant, the operator of the land vehicle transporting the nuclear material, the recipient of the material and any off-site response force throughout the transport; and
- (h) the arrangements made between the applicant and any off-site response force throughout the transport.
Security exercise
116 (1) The licensee must conduct security exercises in accordance with its transport security plan, and in any event at least once every five years.
Record
(2) Each time it conducts a security exercise, the licensee must create a record that contains
- (a) an outline of the exercise scenario;
- (b) an evaluation of the effectiveness of the security measures that were tested; and
- (c) a description of any corrective actions that are necessary, taking into account the evaluation.
Corrective action plan
(3) If a corrective action referred to in paragraph (2)(c) involves a phased approach, the licensee must create a corrective action plan that sets out
- (a) the reasons for the corrective action;
- (b) a rationale for the phased approach; and
- (c) a timetable setting out when each phase of the corrective action plan will be completed.
Corrective actions
(4) The licensee must implement the corrective actions referred to in paragraph (2)(c) and, if applicable, must do so according to the timetable referred to in paragraph (3)(c).
Submission to Commission
(5) The licensee must, within 90 days after the day on which the security exercise is completed, submit to the Commission the record referred to in subsection (2) together with the corrective action plan, if any.
PART 4
Consequential Amendments, Transitional Provisions, Repeal and Coming into Force
Consequential Amendments
Class I Nuclear Facilities Regulations
117 Paragraph 3(i) of the Class I Nuclear Facilities Regulations footnote 22 is replaced by the following:
- (i) if the application is in respect of a nuclear facility referred to in subsection 2(1) of the Nuclear Security Regulations, 2023, the information required by section 3 and, if any, section 36 of those Regulations;
Nuclear Substances and Radiation Devices Regulations
118 Subparagraph 3(1)(n)(ii) of the Nuclear Substances and Radiation Devices Regulations footnote 23 is replaced by the following:
- (ii) the information required by section 3 and, if any, section 36 of the Nuclear Security Regulations, 2023;
Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission)
119 Part 9 of the schedule to the Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission) footnote 24 is replaced by:
PART 9
Item | Column 1 Provision | Column 2 Short-form Description | Column 3 Category |
---|---|---|---|
1 | 4(1) | Failure to review and update nuclear security plan at the specified interval | B |
2 | 4(2) | Failure to submit updated nuclear security plan to Commission within prescribed time | B |
3 | 5(1) | Failure to conduct threat and risk assessment at the specified interval | B |
4 | 5(2) | Failure to update threat and risk assessment at the specified interval | B |
5 | 5(3) | Failure to make necessary modifications to the nuclear security system in the prescribed time | B |
6 | 5(4) | Failure to keep record of results of each threat and risk assessment | A |
7 | 5(5) | Failure to submit record of threat and risk assessment and statement describing modifications and actions to the Commission within the prescribed period | B |
8 | 6 | Failure to implement nuclear security measures that ensure effective intervention | B |
9 | 7 | Failure to develop and implement training program | B |
10 | 8(1) | Failure to implement measures to promote and support security culture | B |
11 | 8(2) | Failure to maintain record of measures implemented to promote and support security culture | A |
12 | 9(1) | Failure to ensure that measures and activities are designed and implemented as required and ensure that measures do not compromise the environment, the health or safety of persons or security of the facility | B |
13 | 9(2) | Failure to establish, implement and maintain the required process regarding conflicts and coordination | B |
14 | 9(3) | Failure to keep a record setting out the process | A |
15 | 10(1) | Failure to immediately implement required compensatory measures when nuclear security system or measures are degraded or inoperative | B |
16 | 10(2) | Failure to keep record setting out process for implementing compensatory measures and record indicating implementation of compensatory measures | A |
17 | 11(a) | Failure to immediately replace or restore functioning of degraded, inoperative or compromised device or code | A |
18 | 11(b) | Failure to determine how device or code became degraded, inoperative or compromised | A |
19 | 12(1) | Failure to ensure security guards are trained, competent and qualified | B |
20 | 12(2) | Failure to keep the required record of security guard training and proof of their qualifications | A |
21 | 13(1) | Failure to make written arrangements with an off-site response force capable of making an effective intervention at nuclear facility and that meets firearms requirements | B |
22 | 13(2) | Failure to include specified provisions in arrangements with off-site response force | B |
23 | 13(3) | Failure to have arrangements signed as required | A |
24 | 14(1) | Failure to have alarm monitoring capacity or make arrangements with an alarm monitoring service | B |
25 | 14(2) | Failure of alarm monitoring service to immediately notify the licensee and off-site response force on receipt of an alarm signal | B |
26 | 15(1) | Failure to conduct a security exercise testing the prescribed elements at the specified interval | B |
27 | 15(2) | Failure to notify Commission in writing within prescribed time of intent to conduct security exercise | A |
28 | 15(3) | Failure to create a record containing the required information each time a security exercise is conducted | A |
29 | 15(4) | Failure to create a corrective action plan setting out the required information | B |
30 | 15(5) | Failure to implement corrective actions | B |
31 | 15(6) | Failure to submit the record and any corrective action plan to the Commission within the prescribed period | A |
32 | 16(1) | Failure to implement and maintain the cybersecurity program | C |
33 | 16(2) | Failure to protect computer systems against cybersecurity threats as required | B |
34 | 17(1) | Failure to implement and keep updated nuclear security measures to protect the confidentiality, integrity and availability of sensitive information as required | B |
35 | 17(2) | Permitting person to access sensitive information who does not require access in order to perform their duties | B |
36 | 18 | Failure to implement measures to protect information for identity verification and regarding site access status, clearances and authorizations as required | B |
37 | 19 | Failure to produce, process, use, or store Category I nuclear material in an inner area | C |
38 | 20 | Failure to produce, process, use or store Category II nuclear material in a protected area | C |
39 | 21 | Failure to produce, process, use or store Category III nuclear material in a protected area or an area that meets prescribed requirements | B |
40 | 22(1) | Failure to produce, process, use or store nuclear substances in an area under control and direct visual surveillance or designed and constructed to prevent unauthorized access | B |
41 | 22(2)(a) | Failure to ensure that area where nuclear substances are produced, processed, used or stored is equipped with measures that permit access only to authorized persons | B |
42 | 22(2)(b) | Failure to ensure that area where nuclear substances are produced, processed, used or stored is equipped with measures that detect intrusion | B |
43 | 22(2)(c) | Failure to ensure that area where nuclear substances are produced, processed, used or stored is equipped with measures that detect tampering or attempted tampering | B |
44 | 22(2)(d) | Failure to ensure that area where nuclear substances are produced, processed, used or stored is equipped with measures that set off a continuous alarm signal when intrusion, tampering or attempted tampering is detected | B |
45 | 22(2)(e) | Failure to ensure that area where nuclear substances are produced, processed, used or stored is equipped with the required measures to detect unauthorized removal of nuclear substances | B |
46 | 23(1) | Entering or remaining in a nuclear facility without site access status and while unescorted or unauthorized | B |
47 | 23(2)(a) to (d) | Failure to verify identification, criminal record check, personal history or information relating to trustworthiness before granting site access status | B |
48 | 23(3) | Granting of site access status for a term exceeding 10 years or not subject to necessary terms and conditions | B |
49 | 24(2) | Failure to keep a record indicating how status or clearance was verified | A |
50 | 25 | Granting a site access status to a person who poses an undue risk to health or safety of persons or security of the nuclear facility | B |
51 | 26(1) | Failure to establish and keep list of persons with site access status | A |
52 | 26(2) | Failure to provide the list of persons with site access status to the Commission or an inspector | A |
53 | 27(1)(a) | Failure to revoke site access status of a person who poses or could pose an unreasonable risk to health or safety of persons or security of the nuclear facility | B |
54 | 27(1)(b) | Failure to revoke site access status of a person who is no longer employed by or under contract to the licensee | B |
55 | 27(1)(c) | Failure to revoke site access status of person whose duties or functions are completed, suspended or otherwise terminated | B |
56 | 27(1)(d) | Failure to revoke the site access status of a person who no longer requires it to perform their duties | B |
57 | 27(1)(e) | Failure to revoke the site access status of a person who provided false or misleading information | B |
58 | 27(2) | Failure to notify the Commission of revocation of site access status within prescribed time | A |
59 | 28(1) | Failure to ensure that every person who enters or remains in nuclear facility is authorized to do so | B |
60 | 28(2) | Failure to ensure that identity of person entering nuclear facility is verified as required | B |
61 | 29 | Failure to ensure nuclear substances not removed from nuclear facility except in accordance with licence | B |
62 | 30(1)(a) | Failure to determine the reason for unauthorized removal of nuclear substances from the nuclear facility | A |
63 | 30(1)(b) | Failure to immediately assess and respond to the unauthorized removal of nuclear substances | B |
64 | 30(2) | Failure to keep a record setting out process regarding unauthorized removal of nuclear substances | A |
65 | 31 | Permitting a land vehicle to enter a nuclear facility without operational requirement and search and if used by an unauthorized person | B |
66 | 32(1) | Failure to post required sign at entrance to nuclear facility that is not a high-security site | B |
67 | 32(2) | Failure to post required sign at entrance to high-security site | B |
68 | 33(1)(a) | Permitting a person to leave a nuclear facility that is not a high-security site without searching or screening them and their possessions | B |
69 | 33(1)(b) | Permitting a person to leave a high-security site without searching them and their possessions | B |
70 | 33(2) | Failure to conduct search or screening in accordance with requirements | B |
71 | 38(1) | Failure to design the nuclear security system taking into account the specified threats, evaluate that system or modify the system as necessary | B |
72 | 38(2) | Failure to implement nuclear security measures taking into account the specified threats | B |
73 | 38(3) | Failure to maintain record that sets out process for design of nuclear security system | A |
74 | 39(1) | Failure to provide sufficient number of nuclear security officers to carry on the specified activities | C |
75 | 39(2) | Failure to keep record of duties and responsibilities of nuclear security officers and to give a copy of record to nuclear security officer | A |
76 | 40 | Failure to provide nuclear security officers with necessary equipment, devices and apparel | B |
77 | 41(1) | Failure to ensure nuclear security officer only carries out duties or responsibilities for which they are trained, competent and qualified | B |
78 | 41(2) | Failure to ensure nuclear security officer receives follow-up training | B |
79 | 41(3) | Failure to keep record of training received by each nuclear security officer | B |
80 | 42 | Failure to keep record of names of nuclear security officers | A |
81 | 43(1) | Failure to maintain on-site nuclear response force capable of making an effective intervention as required | C |
82 | 43(2) | Failure to provide members of on-site response force with necessary equipment, devices and apparel | C |
83 | 43(3) | Failure to ensure that nuclear security officers in the on-site nuclear response force are qualified and authorized to carry firearms in Canada and trained to use them | C |
84 | 43(4)(a) | Failure to implement the required nuclear security measures if there is no on-site nuclear response force | C |
85 | 43(4)(b) | Failure to ensure that the off-site response force meets the specified requirements if there is no on-site nuclear response force | B |
86 | 43(4)(c) | Failure to provide notice in writing to the Commission of intent not to have an on-site nuclear response force and a description of the required measures within the prescribed time | B |
87 | 44 | Failure to include the specified provisions in arrangements with off-site response force | B |
88 | 45 | Failure to use an off-site response force capable of making an effective intervention and consisting of persons with the required training, qualifications and authorization | B |
89 | 46 | Failure to develop and maintain a contingency plan to ensure an effective intervention taking into account the specified threats | B |
90 | 47(1) | Failure to implement the required security drill and exercise program | B |
91 | 47(2) | Failure to update the security drill and exercise program each time a security exercise is conducted | B |
92 | 48(1) | Failure to conduct security drill at the specified interval | B |
93 | 48(2) | Failure to create the required record each time a security drill is conducted | B |
94 | 49(1) | Failure to conduct a security exercise as required at the specified interval | B |
95 | 49(2) | Failure to notify the Commission within the prescribed time of intent to conduct a security exercise | B |
96 | 49(3) | Failure to create a record containing the required information each time a security exercise is conducted | B |
97 | 49(4) | Failure to create a corrective action plan setting out the required information | B |
98 | 49(5) | Failure to implement corrective actions | B |
99 | 49(6) | Failure to submit the record and any corrective action plan to the Commission within the prescribed period | A |
100 | 50(1) | Failure to ensure that specified nuclear security measures are monitored from a central alarm station | B |
101 | 50(2)(a) | Central alarm station not located outside of an inner area or vital area | B |
102 | 50(2)(b) | Central alarm station not designed, constructed and situated as required | B |
103 | 50(2)(c) | Central alarm station not attended at all times by central alarm station operator | B |
104 | 50(2)(d) | Central alarm station not attended by at least two central alarm station operators and not equipped with required independent measures | B |
105 | 50(2)(e) | Central alarm station not located and equipped as required with respect to alarm signals | B |
106 | 50(2)(f) | Central alarm station not equipped with required devices | B |
107 | 50(3) | Permitting unauthorized person to enter the central alarm station who need not enter to perform their duties | B |
108 | 51(a) | Failure to establish secondary alarm station located separately from the central alarm station | B |
109 | 51(b) | Failure to establish secondary alarm station that is designed and equipped as required | B |
110 | 52(1) | Entering or remaining in a high-security site without site access clearance and while unescorted or unauthorized to enter or remain there | B |
111 | 52(2)(a) to (e) | Failure to verify identification, criminal record check, personal history, information relating to trustworthiness or security assessment before granting site access clearance | C |
112 | 52(3) | Granting of site access clearance for a term exceeding 10 years or not subject to necessary terms and conditions | B |
113 | 53(2) | Failure to keep a record indicating how status or clearance was verified | A |
114 | 54(1) | Permitting a person who does not have enhanced security clearance to carry out duties or functions of security personnel or related to nuclear security intelligence | B |
115 | 54(2) | Failure to obtain required information before granting enhanced security clearance to a person | B |
116 | 54(3) | Granting of enhanced security clearance for a term exceeding five years or not subject to necessary terms and conditions | B |
117 | 56 | Granting a site access clearance or enhanced security clearance to a person who poses an unreasonable risk to health or safety of persons or security of the nuclear facility | C |
118 | 57(1) | Failure to establish or keep list of persons with site access clearance and with enhanced security clearance | B |
119 | 57(2) | Failure to provide list of persons with site access clearance and with enhanced security clearance to the Commission or an inspector | B |
120 | 58(1)(a) | Failure to revoke clearance of a person who poses or could pose unreasonable risk to health or safety of persons or security of the facility | B |
121 | 58(1)(b) | Failure to revoke clearance of a person who is no longer employed by or under contract to the licensee | B |
122 | 58(1)(c) | Failure to revoke clearance of a person whose duties or functions have been completed, suspended or otherwise terminated | B |
123 | 58(1)(d) | Failure to revoke clearance of a person who no longer requires it to perform their duties | B |
124 | 58(1)(e) | Failure to revoke clearance of a person who provided false or misleading information | B |
125 | 58(2) | Failure to notify the Commission in writing of revocation of a clearance within prescribed time | B |
126 | 59(1) | Acting as nuclear security officer without written authorization | B |
127 | 59(2) | Failure to ensure person has received initial training and has been evaluated before being granted nuclear security officer authorization | B |
128 | 59(3) | Failure to assess, within the prescribed period, person’s knowledge of security duties and responsibilities and ability to carry them out | B |
129 | 59(4) | Failure to ensure nuclear security officer has received follow-up training as required before authorization is granted again | B |
130 | 60 | Acting as nuclear security support person without the written authorization | B |
131 | 61(1) | Failure to ensure person has enhanced security clearance and obtain required documents before person is granted authorization to act as nuclear security officer or nuclear security support person | B |
132 | 61(2) | Granting of nuclear security officer or nuclear security support person authorization for a term exceeding five years or not subject to necessary terms and conditions | B |
133 | 61(3) | Failure to give person copy of requested information or documents | A |
134 | 63(1) | Acting as central alarm station operator without written authorization | B |
135 | 63(2) | Failure to ensure person has enhanced security clearance and obtain required documents before person is granted authorization to act as central alarm station operator | B |
136 | 63(3) | Failure to ensure person has received the required training before person is granted central alarm station operator authorization | B |
137 | 63(4) | Granting a central alarm station operator authorization for a term exceeding five years or not subject to necessary terms and conditions | B |
138 | 64(1) | Failure to establish or keep a list of persons authorized to act as nuclear security officers, nuclear security support persons and central alarm station operators | B |
139 | 64(2) | Failure to provide the list of persons authorized to act as nuclear security officers, nuclear security support persons and central alarm station operators to the Commission or an inspector | B |
140 | 65(1) | Acting as nuclear security support person without required authorization and escort | B |
141 | 65(2) | Failure to obtain required information before issuing an authorization to act as a nuclear security support person | B |
142 | 65(3) | Failure to include required conditions in authorization to act as a nuclear security support person | B |
143 | 66 | Failure to provide uninterrupted power supply for required nuclear security measures | B |
144 | 67(1) | Failure to enclose protected area with the required physical barriers | B |
145 | 67(2)(a)(i) | Failure to equip protected area perimeter with nuclear security measures to detect intrusion or attempted intrusion that are designed and installed as required | B |
146 | 67(2)(a)(ii) | Failure to equip protected area perimeter with nuclear security measures that detect tampering or attempted tampering as required | B |
147 | 67(2)(a)(iii) | Failure to equip protected area perimeter with nuclear security measures that set off the required alarm signal | B |
148 | 67(2)(a)(iv) | Failure to equip protected area perimeter with nuclear security measures that facilitate immediate assessment of an alarm by a nuclear security officer | B |
149 | 67(2)(b) | Failure to keep protected area perimeter under direct visual surveillance of a nuclear security officer equipped with the required devices | B |
150 | 67(3) | Failure to design and construct physical barriers and design and implement nuclear security measures at protected area perimeter as required | B |
151 | 67(5) | Failure to construct means of entry or exit that can be closed and locked | B |
152 | 67(6) | Failure to keep means of entry or exit closed and locked unless under direct visual surveillance of nuclear security officer | B |
153 | 68(1) | Failure to maintain specified unobstructed area between physical barriers | B |
154 | 68(2)(a) | Failure to illuminate unobstructed area in the prescribed manner | B |
155 | 68(2)(b) | Failure to equip unobstructed area with devices or technology to permit observation and assessment of the cause of an alarm | B |
156 | 69 | Failure to surround exterior barrier with the required additional barrier | B |
157 | 70(1)(a)(i) | Failure to equip protected area with nuclear security measures to detect intrusion or attempted intrusion that are designed and installed as required | B |
158 | 70(1)(a)(ii) | Failure to equip protected area with nuclear security measures that detect tampering or attempted tampering as required | B |
159 | 70(1)(a)(iii) | Failure to equip protected area with nuclear security measures that set off the required alarm signal | B |
160 | 70(1)(a)(iv) | Failure to equip protected area perimeter with nuclear security measures that facilitate immediate assessment of an alarm by a nuclear security officer | B |
161 | 70(1)(a)(v) | Failure to equip protected area with measures that detect the unauthorized removal of Category I, II or III nuclear material | B |
162 | 70(1)(b) | Failure to keep protected area perimeter under direct visual surveillance of a nuclear security officer equipped with the required devices | B |
163 | 70(2)(a) | Failure to equip protected area with access control system that meets requirements | B |
164 | 70(2)(b) | Failure to monitor access control system to detect and assess attempts to tamper | B |
165 | 71(1) | Failure to enclose inner area with a structure or barrier that meets requirements | B |
166 | 71(2) | Failure to keep means of entry or exit closed and locked with device that can only be unlocked by two authorized persons each using different means of access control | B |
167 | 72(1)(a)(i) | Failure to equip inner area with the required nuclear security measures to detect intrusion and unauthorized movement | B |
168 | 72(1)(a)(ii) | Failure to equip inner area with nuclear security measures that detect tampering or attempted tampering as required | B |
169 | 72(1)(a)(iii) | Failure to equip inner area with nuclear security measures that set off the required alarm signals | B |
170 | 72(1)(a)(iv) | Failure to equip inner area with nuclear security measures that facilitate immediate assessment of an alarm | B |
171 | 72(1)(a)(v) | Failure to equip inner area with nuclear security measures that detect the unauthorized removal of Category I, II or III nuclear material | B |
172 | 72(1)(b) | Failure to keep inner area under direct visual surveillance of a nuclear security officer equipped with the required devices | B |
173 | 72(2)(a) | Failure to equip inner area with access control system that meets requirements | B |
174 | 72(2)(b) | Failure to monitor access control system to detect and assess attempts to tamper | B |
175 | 73 | Failure to establish process to identify vital areas and keep the required record | B |
176 | 74(1) | Failure to enclose vital area with a physical barrier | B |
177 | 74(2) | Failure to construct means of entry or exit that can be closed and locked | B |
178 | 74(3) | Failure to keep means of entry or exit closed and locked unless under direct visual surveillance of nuclear security officer | B |
179 | 75(1)(a)(i) | Failure to equip vital area with nuclear security measures to detect intrusion and unauthorized movement | B |
180 | 75(1)(a)(ii) | Failure to equip vital area with nuclear security measures that detect tampering or attempted tampering as required | B |
181 | 75(1)(a)(iii) | Failure to equip vital area with nuclear security measures that set off the required alarm signal | B |
182 | 75(1)(a)(iv) | Failure to equip vital area with nuclear security measures that facilitate immediate assessment of an alarm signal | B |
183 | 75(1)(a)(v) | Failure to equip inner area with measures that detect the unauthorized removal of Category I, II or III nuclear material | B |
184 | 75(1)(b) | Failure to keep vital area under direct visual surveillance of a nuclear security officer equipped with the required devices | B |
185 | 75(2)(a) | Failure to equip vital area with access control system that meets requirements | B |
186 | 75(2)(b) | Failure to monitor vital area access control system to detect and assess attempts to tamper | B |
187 | 76(1) | Entering protected area without site access clearance and written authorization | B |
188 | 76(2) | Failure to prepare an identification report containing the required information and documents | B |
189 | 76(3) | Granting of authorization to enter a protected area for a term exceeding five years or not subject to necessary terms and conditions | B |
190 | 76(4) | Failure to give person copy of requested information or documents | B |
191 | 77(1) | Entering an inner area without required authorization and escort | B |
192 | 77(2) | Granting an authorization to enter protected area without proof of name and address and identification and without condition that person be escorted | B |
193 | 78(1)(a) | Failure to keep a record of the name of person authorized to enter protected area | B |
194 | 78(1)(b) | Failure to retain the record of name of each person authorized to enter a protected area for the prescribed period | A |
195 | 78(1)(c) | Failure to make copy of record of name of each person authorized to enter protected area available to nuclear security officers | A |
196 | 78(2) | Failure to provide record of names of persons authorized to enter protected area available to the Commission or an inspector | B |
197 | 79(1) | Entering inner area without written authorization | B |
198 | 79(2) | Granting a person who does not have enhanced security clearance an authorization to enter an inner area | B |
199 | 79(3) | Granting of authorization to enter an inner area for a term exceeding five years or not subject to necessary terms and conditions | B |
200 | 79(4) | Failure to give person copy of requested information or documents | B |
201 | 81(1) | Entering an inner area without required authorization and escort | B |
202 | 81(2) | Failure to obtain required information prior to issuing an authorization to enter inner area | C |
203 | 81(3) | Failure to include required condition in authorization to enter inner area | B |
204 | 82(1)(a) | Failure to keep a record of the name of each person authorized to enter each inner area | B |
205 | 82(1)(b) | Failure to retain the record of names of persons authorized to enter inner area for the prescribed period | B |
206 | 82(1)(c) | Failure to make copy of record of names of persons authorized to enter inner area available to nuclear security officers | B |
207 | 82(2) | Failure to provide record of names of persons authorized to enter inner area available to the Commission or an inspector | B |
208 | 83(1) | Entering a vital area without written authorization | B |
209 | 83(2) | Failure to ensure person has enhanced security clearance before granting authorization to enter a vital area | B |
210 | 83(3) | Granting of authorization to enter a vital area for a term exceeding five years or not subject to necessary terms and conditions | B |
211 | 83(4) | Failure to give person copy of requested information or documents | B |
212 | 84(1)(a) | Failure to keep a record of the name of each person authorized to enter each inner area | B |
213 | 84(1)(b) | Failure to retain the record of names of persons authorized to enter each vital area for the prescribed period | B |
214 | 84(1)(c) | Failure to make copy of record of names of persons authorized to enter each vital area available to nuclear security officers | B |
215 | 84(2) | Failure to provide record of names of persons authorized to enter vital area available to the Commission or an inspector | B |
216 | 85(1)(a) | Failure to revoke authorization of a person who poses or could pose unreasonable risk to health or safety of persons or security of the facility | B |
217 | 85(1)(b) | Failure to revoke authorization of a person who is no longer employed by or under contract to the licensee | B |
218 | 85(1)(c) | Failure to revoke authorization of a person whose duties or functions have been completed, suspended or otherwise terminated | B |
219 | 85(1)(d) | Failure to revoke authorization of a person who no longer requires it to perform their duties | B |
220 | 85(1)(e) | Failure to revoke authorization of a person who provided false or misleading information | B |
221 | 85(2) | Failure to notify the Commission in writing of revocation of authorization within specified time | B |
222 | 87 | Failure to verify identity of person entering protected area as required | C |
223 | 88(1) | Permitting unauthorized person to enter or remain in protected area | B |
224 | 88(2) | Failure to immediately report unauthorized person in protected area to nuclear security officer | B |
225 | 89 | Permitting unescorted person to enter or remain in protected area | B |
226 | 90(1) | Failure to confine entry and exit of land vehicles to vehicle portals | C |
227 | 90(2) | Failure to ensure that gates of vehicle portal are not both open at the same time | B |
228 | 90(3) | Failure to attend vehicle portal or equip with required measures while both gates are open | B |
229 | 90(4) | Permitting land vehicle to enter protected area without operational requirement | B |
230 | 91 | Failure to ensure that weapons, explosive substances and threat items only enter protected area under the control of an authorized person | B |
231 | 92 | Failure to ensure Category I, II or III nuclear material is only removed from protected area in accordance with a licence | B |
232 | 93(a) | Taking weapons, explosive substances or threat items into protected area other than under the control of an authorized person | B |
233 | 93(b) | Removing Category I, II or III nuclear material from protected area without authorization of licensee | B |
234 | 94 | Entering and remaining in an inner area without another authorized person as required | B |
235 | 95(1) | Permitting an unauthorized person to enter or remain in an inner area | B |
236 | 95(2) | Failure to immediately report unauthorized person in inner area to nuclear security officer | B |
237 | 96 | Permitting unescorted person to enter or remain in inner area | B |
238 | 97 | Permitting land vehicle to enter inner area without operational requirement | B |
239 | 98 | Failure to ensure that weapons, explosive substances and threat items only enter inner area under the control of an authorized person | B |
240 | 99(1)(a) | Permitting means of entry or exit into inner area to be unlocked, opened or kept open longer than required | B |
241 | 99(1)(b) | Permitting means of entry or exit into inner area to be unlocked, opened or kept open without direct visual surveillance of a nuclear security officer | B |
242 | 99(2) | Permitting the means of entry or exit in structure or barrier enclosing an inner area to be unlocked by unauthorized persons | B |
243 | 100 | Failure to ensure that Category I, II or III nuclear material is only removed from inner area in accordance with a licence | B |
244 | 101(a) | Taking weapons, explosive substances or threat items into inner area other than under the control of an authorized person | B |
245 | 101(b) | Removing Category I, II or III nuclear material from protected area without authorization of licensee | B |
246 | 102(1) | Permitting an unauthorized person to enter or remain in a vital area | C |
247 | 102(2) | Failure to immediately report unauthorized person in vital area to nuclear security officer | B |
248 | 103 | Failure to verify identity of authorized person entering vital area as required | B |
249 | 104 | Permitting land vehicle to enter vital area without operational requirement | B |
250 | 105 | Failure to ensure that weapons, explosive substances and threat items only enter vital area under the control of an authorized person | B |
251 | 106 | Failure to ensure that Category I, II or III nuclear material is not removed from vital area without authorization of licensee | B |
252 | 107(a) | Taking weapons, explosive substances or threat items into vital area other than under the control of an authorized person | B |
253 | 107(b) | Removing Category I, II or III nuclear material from protected area without authorization of licensee | B |
254 | 109 | Failure to post required sign at entrance to protected area or inner area | A |
255 | 110(1) | Permitting a person to enter or leave a protected area or an inner area without searching them and their possessions | B |
256 | 110(2) | Permitting a person to remain in protected area or inner area without searching them and their possessions if reasonable grounds to suspect person possesses unauthorized object | B |
257 | 110(3) | Failure to conduct search in accordance with requirements | B |
258 | 110(4) | Failure to conduct search of a land vehicle entering or leaving a protected area in a vehicle portal | B |
259 | 112 | Entering or leaving protected area or inner area after refusing search | B |
260 | 116(1) | Failure to conduct a security exercise as required at the specified interval | B |
261 | 116(2) | Failure to create a record containing the required information each time a security exercise is conducted | B |
262 | 116(3) | Failure to create a corrective action plan setting out the required information | B |
263 | 116(4) | Failure to implement corrective actions | B |
264 | 116(5) | Failure to submit the record and any corrective action plan to the Commission within the prescribed period | A |
Packaging and Transport of Nuclear Substances Regulations, 2015
120 Paragraph 6(1)(a) of the Packaging and Transport of Nuclear Substances Regulations, 2015 footnote 25 is replaced by the following:
- (a) the nuclear substance is a Category I, II or III nuclear material, as defined in section 1 of the Nuclear Security Regulations, 2023, and is transported outside the area in which it is required, under sections 19 to 21 of those Regulations, to be produced, processed, used or stored;
121 Paragraph 7(b) of the Regulations is replaced by the following:
- (b) the information required by section 115 of the Nuclear Security Regulations, 2023 if the substance is a Category I, II or III nuclear material, as defined in section 1 of those Regulations;
Transitional Provisions
Definition of former Regulations
122 For the purposes of section 123, former Regulations means the Nuclear Security Regulations as they read immediately before the day on which these Regulations come into force.
Nuclear facility
123 (1) The former Regulations continue to apply
- (a) with respect to a high-security site for which, on the day on which these Regulations come into force, there is a licence in force under the Act, for one year after that day; and
- (b) with respect to a nuclear facility referred to in subsection 2(1) that is not a high-security site for which, on the day on which these Regulations come into force, there is a licence in force under the Act, for two years after that day.
Existing authorization or clearance
(2) If a person has been granted a clearance or issued an authorization under the former Regulations, that clearance or authorization remains valid until the expiry of the term for which it was granted or issued, and during that term the person may continue to access any area or information and carry out any duties and responsibilities that the clearance or authorization permitted them to access or carry out under the former Regulations.
Site access security clearance
(3) If a person has been granted a site access security clearance under the former Regulations that is valid on the day on which these Regulations come into force and that, to maintain the person’s access to the nuclear facility, must be replaced by a site access status granted under the Regulations, the licensee that granted the clearance may, before the term of the clearance expires, extend the term of the clearance to any term not exceeding 10 years.
Repeal
124 The Nuclear Security Regulations footnote 26 are repealed.
Coming Into Force
Registration
125 These Regulations come into force on the day on which they are registered.
SCHEDULE
(Section 1)
Item | Column 1 Nuclear Substance | Column 2 Form | Column 3 Quantity | Column 4 Quantity | Column 5 Quantity |
---|---|---|---|---|---|
1 | Plutonium table g1 note 2 | Unirradiated table g1 note 3 | 2 kg or more | Less than 2 kg, but more than 500 g | 500 g or less, but more than 15 g |
2 | Uranium 235 | Unirradiated table g1 note 3 — uranium enriched to 20% 235U or more | 5 kg or more | Less than 5 kg, but more than 1 kg | 1 kg or less, but more than 15 g |
3 | Uranium 235 | Unirradiated table g1 note 3 — uranium enriched to 10% 235U or more, but less than 20% 235U | N/A | 10 kg or more | Less than 10 kg, but more than 1 kg |
4 | Uranium 235 | Unirradiated table g1 note 3 — uranium enriched above natural, but less than 10% 235U | N/A | N/A | 10 kg or more |
5 | Uranium 233 | Unirradiated table g1 note 3 | 2 kg or more | Less than 2 kg, but more than 500 g | 500 g or less, but more than 15 g |
6 | Fuel consisting of depleted or natural uranium, thorium or low-enriched fuel (less than 10% fissile content) table g1 note 4 | Irradiated | N/A | More than 500 g of plutonium | 500 g or less, but more than 15 g of plutonium |
Table g1 note(s)