Office for Nuclear Regulation

Nuclear Industry Security Regulations Regulation 22 Dutyholder - frequently asked questions

Q. How do I get List N Accreditation?

A. List N accreditation is based on a supplier having a contract with a Contracting Authority (CA) that involves the possession or control of Sensitive Nuclear Information (SNI). The CA will conduct their own assurance on the organisation and list the contractor on the List N portal.

Q. How do I access the List N Portal?

A. Access to the List N portal is provided through the CA entering the contact details of the primary contact for the supplier. This generates a link for that person to sign up to the portal where they can then provide further information as required.

Q. Our organisation only holds a laptop provided by the Contracting Authority so we do not hold any Sensitive Nuclear Information. Why are we being asked to provide this information?

A. Regulation 22(1) sets out that the Regulation applies to any person who has SNI in their possession or control, so a laptop accessing this information would fall under the legislation. The CA should establish their own process for assessing the risk relating to small holdings of SNI to determine which scenarios should fall under routine regulatory assurance activity. That process will be reviewed by ONR and is designed to prevent scenarios such as an employee's home being routinely subject to List N assurance activity, though there may be limited occasions when that is appropriate.

Q. Why does my organisation have a High Inherent Risk Profile level when we have numerous effective controls in place to mitigate the risk to SNI?

A. The inherent risk profile is based on the risk to the information without any controls in place. Essentially, the number of SNI documents you are holding (physically and electronically) and their classification level determine the inherent risk profile level. This provides proportionality to ONR's regulatory scope for Regulation 22 dutyholders.

Q. We have had a security breach and Sensitive Nuclear Information has been lost. What do we need to do?

A. Regulation 22 of the Nuclear Industries Security Regulations requires you to notify ONR 'as soon as is practicable' and in any event within 24 hours of becoming aware of the event. If a written report cannot be provided within that timescale, then a verbal report must be made, followed by a written report being made within 48 hours of the event becoming known to you. Further information is available here: Notify ONR - Contact us

Q. When will I receive the invoice for the ONR inspection?  

A. Invoices are sent following the close of that financial year (April). For example, if you had an inspection in May 2023, you would receive the invoice in April 2024.

Q. Is this process the same as the MOD Facility Security Clearance (previously referred to as List X)?

A. Whilst there are similarities in the expectations for 'List N' and the Defence equivalent 'Facility Security Clearance', the two processes remain separate.