INF1 reports relating to security breaches

  • Date released: 17 June 2026
  • Request number: FOI202605011
  • Release of information under: FOIA

Information requested

I am writing to make a freedom of information request under the FoI act. Please can the ONR provide:

  1. How many "initial notifications" the ONR received, as laid out in the ONR's guidance, from civil nuclear license holders relating to security breaches during the whole of 2024, 2025, and up to the latest date possible in 2026?
  2. How many INF1 reports the ONR received from civil nuclear license holders relating to security breaches during the whole of 2024, 2025 and up to the latest date possible in 2026?
  3. Of these – both any "initial notifications" and any INF1 reports – how many were related to cyber security threats or attacks?
  4. Please provide any, if not all, of the following details relating to these reported incidents: the nuclear license holder, the nuclear license site concerned, the date, and a brief description of the final outcome of the incident.

Our response

We confirm that under s.1 of the FOIA, we hold some of the information you have requested. Please see below for a response to each of your questions in turn.

How many "initial notifications" the ONR received, as laid out in the ONR's guidance, from civil nuclear license holders relating to security breaches during the whole of 2024, 2025, and up to the latest date possible in 2026?

Under the Nuclear Industries Security Regulations (NISR) 2003, all operators of civil nuclear licensed sites are required to have a site security plan approved by ONR. Where certain events or matters occur on these sites, such as failure to comply with some aspect of that plan, the operator is legally required to formally report it in accordance with Regulation 10 of NISR 2003.

This is done through an initial notification and subsequent submission of an Incident Notification Form 1 (INF1). Records of initial notifications are not held; therefore, we do not hold the information requested. However, there is a process in place to ensure that notifications are followed up, as required under NISR 2003. This must be done formally by submitting an INF1 form. The response to question 2 therefore provides the correlation between initial notifications and INF1s.

How many INF1 reports the ONR received from civil nuclear license holders relating to security breaches during the whole of 2024, 2025 and up to the latest date possible in 2026?

Please see FOI response: ONR inspections and incidents. Table 6 shows incidents reported to ONR between 1 January 2019 and 8 August 2025.

An information request for an update of Table 6 has been submitted to ONR, including the full year data for 2025 and the data for 2026 so far. This is due to be published on our website before 30 June 2026. We are therefore refusing this element of your request under s.22 of the FOIA, information intended for future publication.

As this is a qualified exemption, we are required to balance the public interest between disclosure and non-disclosure. ONR is committed to being an open and transparent regulator; however, early disclosure is not in the public interest. This would disrupt the publication process, cause disproportionate staff burden, and undermine the value of the information by releasing it without its proper context or final quality assurance. The public interest in waiting outweighs the need for disclosure.

Questions 3 and 4

With regard to questions 3 and 4, we are withholding this information under s.24 of the FOIA, safeguarding national security. S.24 sets out the exemption from the right to know where the information requested is required for the purposes of safeguarding national security. It works to protect national security, which includes protection of potential targets. It allows a public authority not to disclose information if it considers releasing the information would make the UK or its citizens more vulnerable to a national security threat. As this is a qualified exemption, we are required to balance the public interest between disclosure and non-disclosure. We have therefore applied the Public Interest Test, as set out below.

Factors for disclosure

  • We are committed to being an open and transparent regulator. We will use openness and transparency to achieve our objective of developing and maintaining stakeholder trust in ONR as an effective independent regulator; and,
  • Issues related to the nuclear industry are subject to close scrutiny and debate; there is a public interest in information related to cyber security threats or attacks and the release of such information. The information may provide reassurance to the public about the safety and security of nuclear licensed sites.

Factors against disclosure

  • Information that relates to the purposes of safeguarding national security and which may be of use to terrorists and other hostile actors is exempt from disclosure;
  • Disclosure of information related to the number of cyber-attacks that have been detected would be of value to an adversary by indicating the number of attacks that have not been detected, thus providing intelligence that the attack methodology used was effective in evading detection;
  • The provision of details relating to incidents, nuclear licence holders, the nuclear licence site concerned, date, and a brief description of the final outcome of the incident would not be in the public interest as release of this information into the public domain could be used by an adversary to target specific nuclear sites;
  • Paragraph 13 of s.24(1) makes it clear that there need be no evidence that an attack is imminent for this exemption to be applied; and,
  • Adversaries or hostile actors can be highly motivated and may go to great lengths to gather separate pieces of intelligence to attempt to expose vulnerabilities.

Conclusion

After careful consideration of the factors set out above, the interests of national security should be given significant weight against disclosure and outweigh the need for openness in terms of the specific information that you have requested.

Exemption(s) applied

s.22 and s.24

Public Interest Test (PIT)

Yes
