April 2026 Compliance Update: FERC, EPA, and CIP Reg Changes Explained

Written by Fortress Information Security | Apr 13, 2026 11:58:37 AM

April 2026 Regulatory Update: What Energy, Utility, and Critical Infrastructure Organizations Need to Know Now

The compliance environment for energy and critical infrastructure organizations changed significantly in early 2026. FERC approved five new reliability standards for inverter-based resources, updated the NERC CIP control center definition, finalized rules on virtualization, and introduced mandatory cybersecurity controls for low-impact BES Cyber Systems, all within weeks of one another. Simultaneously, EPA policy reversals on greenhouse gas and mercury emissions standards have introduced regulatory uncertainty that requires scenario-based planning, not simplification.

This report was written for cybersecurity, IT/OT, and procurement professionals who need to understand what changed, what is still in flux, and what actions their organizations should take now.

What's covered in this report:

FERC IBR Reliability Standards — Five new NERC standards address inverter-based resource data sharing, model validation, and ride-through capability during grid disturbances. Large-scale IBR tripping during grid events has been identified as a systemic risk; these rules close that gap. Transmission owners, asset operators, and ISOs/RTOs all have new obligations.

CIP-002-8 Control Center Definition — FERC approved a revised definition closing longstanding ambiguity that allowed distributed control architectures, backup control centers, remote operations centers, and cloud-hosted SCADA or EMS platforms to avoid high-impact CIP classification. Prior classifications should not be assumed to remain valid.

Virtualization and Cloud Reliability Standards — Eleven updated CIP standards remove the compliance barrier that previously forced utilities to maintain outdated hardware. The shift from hardware-specific requirements to objective-based security criteria gives organizations flexibility to modernize — but requires compliance programs to be updated accordingly.

CIP-003-11 Low-Impact BES Cyber Systems — New mandatory controls for the largest and historically least-protected tier of the CIP asset population now require remote user authentication and intrusion detection for externally connected systems. Vendor remote access at smaller substations and remote facilities is identified as the most likely area of non-compliance.

EPA GHG Endangerment Finding Rescission — The EPA's February 2026 rescission removes underlying legal authority for federal GHG regulation but does not void existing rules. Litigation risk is material and Supreme Court review is anticipated. State programs — including RGGI, California Cap-and-Invest, and the Washington CCA — remain fully operative. Long-range capital planning assumptions must account for both rescission-upheld and rescission-overturned scenarios.

MATS 2024 Repeal — The EPA reverted to the original 2012 Mercury and Air Toxics Standards framework. The enhanced 2024 requirements — including tightened toxic metals limits and continuous emissions monitoring mandates — have been removed federally, but state air permits may independently require CEMS. Organizations should verify state-specific requirements before reducing monitoring infrastructure.

CISA ICS Advisories — CISA issued cybersecurity advisories covering Hitachi Energy substation platforms and Schneider Electric EcoStruxure software — systems that are core to substation automation, SCADA, and protection across the energy sector and critical manufacturing. Organizations should verify whether affected equipment is present in their OT environments and confirm patches or mitigations are applied, particularly where systems are remotely accessible.

U.S. House Energy Cybersecurity Legislation — H.R. 7272 (Pipeline Cybersecurity Preparedness Act) and H.R. 7305 (Energy Threat Analysis Center Act of 2026) both advanced through the House. Neither creates immediate new regulatory authority, but both signal sustained legislative investment in energy sector cyber resilience and federal-state-industry coordination.

California-Specific Developments — The CPUC is authorizing major transmission capital deployment in response to data center load growth, with Silicon Valley load forecasts doubling to 4,200 MW. The California Wildfire Fund structural reform report — due April 1, 2026 — is expected to trigger significant changes to liability standards and cost recovery mechanisms. CAISO's 2026–2027 Transmission Planning Process is expected to authorize additional large-scale transmission investment, with data center load projections of 1.8 GW by 2030 and 4.9 GW by 2040 now embedded in planning models.

Who this report is for:

This report is designed for compliance officers, cybersecurity leaders, IT/OT security professionals, and procurement teams at electric utilities, oil and gas operators, critical manufacturers, and federal agencies. It is written to be operationally useful — not a policy summary, but a compliance action guide organized around what your organization needs to assess, update, or monitor right now.

Download the April 2026 Regulatory Update to get clear guidance on every major development affecting your compliance posture this quarter.