
NERC Compliance for Generator Owners and Operators


Jun 12, 2026  | blog

Every megawatt connected to the bulk power system comes with a set of obligations that have nothing to do with producing energy and everything to do with proving you can be trusted to operate on a shared grid. For Generator Owners (GOs) and Generator Operators (GOPs), those obligations live in the NERC Reliability Standards — a body of mandatory, federally enforceable requirements that govern how generation is designed, protected, modeled, maintained, secured, and reported.


These standards are not aspirational. They are enforceable. Violations can carry civil penalties exceeding a million dollars per violation, per day, and that is before the operational disruption, regulatory scrutiny, and reputational damage that follow a finding. Yet many asset owners — especially newer entrants in solar, wind, and battery storage — discover their compliance obligations late, treat them as a one-time paperwork exercise, or assume the EPC or O&M provider has it handled. None of those assumptions survive contact with a Regional Entity audit.



This article lays out what GO and GOP compliance actually requires, why the landscape has shifted dramatically for inverter-based resources, where compliance programs most often fail, and what a defensible program looks like from development through ongoing management.


Who carries the obligation: Generator Owner vs. Generator Operator

NERC registers entities by function. The two that matter most for a generating facility are the Generator Owner, which owns the generating equipment, and the Generator Operator, which operates it. A single organization may hold both registrations, or the functions may be split — for example, when an asset owner contracts operations to a third party. Either way, the registered entity is legally responsible for the compliance obligations attached to its functional registration, and that responsibility cannot be outsourced away. You can delegate the work; you cannot delegate the accountability.



That distinction matters because it shapes who must produce evidence for which standards, who interfaces with the Regional Entity, and who is on the hook when something is missing. A well-structured program is explicit about these boundaries from the outset, including how the GO and GOP coordinate on shared obligations and how evidence flows between the owner, the operator, and any O&M or engineering contractors.

The standards that apply — and the ones you still have to account for

The Reliability Standards are organized into families, and a typical Generator Owner will have obligations spanning most of them:


  • EOP (Emergency Preparedness and Operations): event reporting, emergency operations, and cold-weather preparedness obligations that have grown sharply in recent years.

  • FAC (Facilities Design, Connections, and Maintenance): facility interconnection requirements and, critically, facility ratings methodology and the identification of most-limiting elements.

  • MOD (Modeling, Data, and Analysis): generator data, capability, and verification requirements that feed system planning models.

  • PRC (Protection and Control): protection system maintenance programs, misoperation analysis, and the coordination and verification of relay settings.

  • VAR (Voltage and Reactive): voltage and reactive control obligations.

  • BAL, IRO, TOP, and others: balancing, interconnection reliability, and transmission operations data-sharing requirements that apply depending on facility type and region.

  • CIP (Critical Infrastructure Protection): the cybersecurity standards, which for most renewable facilities apply at the low-impact level under CIP-002 and CIP-003.


What surprises many new registrants is that compliance is not only about the standards you must actively perform. A registered Generator Owner must also demonstrate that it has reviewed and considered every standard applicable to its function — including those for which it has no operational obligation because it lacks the relevant equipment or system. Auditors expect audit-ready attestations of non-applicability for those standards, not silence. A program that simply ignores the standards that "don't apply" has a hole in it, and that hole is exactly what a Regional Entity will probe.



Layered on top of the continent-wide standards are regional variances and criteria. A facility in the Western Interconnection inherits WECC-specific requirements; a facility in Texas inherits ERCOT and Texas Reliability Entity obligations, including standards such as BAL-001-TRE. These regional layers materially change a facility's scope, and they are a frequent source of gaps when a national checklist is applied to a facility without accounting for where it actually sits.


The inverter-based resource wave: why this is urgent now

For years, the GO and GOP compliance burden fell most heavily on conventional generation. That has changed. NERC's inverter-based resource (IBR) registration initiative has pulled a large population of solar, wind, and storage facilities into Generator Owner and Generator Operator registration — many for the first time. Under the new framework, resources that meet defined size and interconnection thresholds are required to register and to comply with the standards that come with that registration.


The registration milestone for many of these resources has now passed, but registration is the beginning of the obligation, not the end of it. The harder work — building the program, generating the evidence, and demonstrating actual compliance — follows. And the clock is still running. A new set of ride-through standards, PRC-029 and PRC-030, establishes how inverter-based resources must perform through voltage and frequency disturbances, with compliance dates phasing in during late 2026 and into 2027. For a facility that registered recently and has not yet stood up a functioning program, that is a short runway to build something an auditor will accept.


There is also a hard sequencing lesson buried in this transition: a facility should not declare its Commercial Operation Date before its NERC compliance program is developed and actively in place. Energizing and declaring commercial operation ahead of the program does not pause the obligations — it simply means the entity is non-compliant from day one, with violations accruing against standards it has not yet operationalized. The right order is program first, COD second.


Compliance is a lifecycle, not a document

The single most expensive misconception in this space is that NERC compliance is a deliverable you produce once and file away. It is a continuous lifecycle with four distinct phases, each requiring different work.


Program development


This is the build: developing the operations-and-planning procedures, the low-impact CIP policies and plans, the Internal Compliance Program, and the technical-standards evidence that demonstrates the facility actually meets requirements like facility ratings (FAC-008) and protection system maintenance (PRC-005). It includes creating attestations for the standards that don't apply and conducting exercises such as a Cyber Security Incident Response Plan tabletop. Done well, this phase produces a complete, audit-ready evidence package and the documented program that governs it.


Registration


Submitting the registration request to the appropriate Regional Entity and coordinating with the Regional Entity, Transmission Owner, Transmission Operator, and Planning Coordinator as needed. This is a process-heavy phase where missteps create delays and downstream compliance exposure.


Ongoing managed compliance


This is where most programs quietly decay. Standards change. Data submittals come due on recurring cycles. NERC issues Alerts that demand a response. Self-certifications must be completed. Evidence must be generated, organized, and retained so it can be produced on demand. Someone has to act as the compliance program administrator, monitor regulatory developments, maintain the evidence repository, and keep the documentation current as the facility and the standards evolve. Without a dedicated owner of this function, a program that passed its first audit can fail its second.


Audits and enforcement

 

Periodic audits, spot checks, and — when something goes wrong — event-driven investigations and inquiries. Pre-audit preparation, including the development of Reliability Standard Audit Worksheets and responses to data requests, is its own discipline. So is responding to a self-reported or discovered violation with a credible mitigation plan.



The OT cybersecurity layer

For most renewable facilities, the CIP standards apply at the low-impact level, but "low impact" does not mean "low effort." CIP-002 requires categorizing the facility's BES Cyber Systems, and CIP-003 requires a suite of security management controls: a cyber security policy, electronic and physical access controls, a Cyber Security Incident Response Plan, transient cyber asset and removable media controls, and more — each backed by evidence.


Underneath the policy layer sits the real operational technology environment: the SCADA servers and workstations, firewalls, managed switches, remote terminal units, and cellular modems that actually run the site. Keeping that environment compliant is a managed-service discipline in its own right — ingesting and monitoring security event logs, managing firewall rulesets and access, patching and remediating vulnerabilities, maintaining known-good backups, controlling transient devices, running change management, and producing the periodic evidence (firewall ruleset audits, network diagram reviews, access reviews) that CIP-003 demands. The deliverable is not a one-time hardening exercise; it is a continuous evidence engine that demonstrates the OT environment is being actively managed and secured.



Treating NERC compliance and OT cybersecurity as two unrelated workstreams — handled by two different providers who don't talk to each other — is how seams form. And seams are where evidence falls through.



Where compliance programs go wrong

Across the industry, the failure modes are remarkably consistent:


  • Declaring commercial operation before the program exists, accruing violations from the start.


  • Treating compliance as one-time, with no owner for the ongoing managed function, so the program decays between audits.


  • Ignoring non-applicable standards instead of documenting reviewed-and-considered attestations.


  • Missing regional variances — applying a generic national scope to a facility with WECC, ERCOT, or other regional obligations.


  • Thin technical evidence — having a policy that says protection systems are maintained, but no maintenance list, no settings coordination records, no facility ratings analysis to back it up.


  • Disconnected cyber and compliance programs, where CIP evidence and the actual OT environment drift apart.


  • No plan for change — being caught flat-footed when a standard is revised or a new one (like the IBR ride-through requirements) comes into force.



None of these are exotic. They are the predictable result of underestimating what a living compliance program requires.

What a defensible program looks like

A program that holds up has a few hallmarks. It is built before commercial operation, not after. It pairs documented procedures with real technical evidence for every in-scope standard, and audit-ready attestations for every out-of-scope one. It includes an Internal Compliance Program — not required by the standards, but the clearest demonstration to a regulator that the entity is managing compliance deliberately rather than reactively. It maintains a single, organized evidence repository. It assigns clear ownership of the ongoing administrative function: submittals, self-certifications, Alert responses, document control, and regulatory monitoring. And it draws an honest line between the predictable, fixed-scope work and the genuinely unpredictable work — audits, investigations, major standard changes, non-routine engineering — so the unpredictable work is resourced when it arises rather than assumed away.


The strongest commercial structure mirrors that reality: a fixed-price program build, a recurring managed-compliance service for the steady-state administration, and a time-and-materials lane for the episodic, high-effort work. That structure is transparent, comparable, and aligned with how the obligations actually behave over a facility's life.


How Keentel Engineering helps Generator Owners and Operators

Keentel Engineering works with Generator Owners and Operators across solar, wind, and storage to build and run NERC compliance programs that stand up to scrutiny — and to keep the operational technology underneath them secure and audit-ready. Our work spans the full lifecycle:


NERC GO/GOP program development



We develop the operations-and-planning procedures, low-impact CIP documentation, Internal Compliance Program, and the audit-ready attestations that together form a complete program — and we prepare and submit the registration request to the appropriate Regional Entity, coordinating with the Transmission Owner, Transmission Operator, and Planning Coordinator along the way.


Technical standards evidence


We build the engineering evidence that proves compliance, not just claims it — facility ratings analysis for FAC-008, protection system maintenance lists and settings coordination for the PRC standards, and the supporting documentation regulators expect to see.


CIP and incident response


We develop the low-impact CIP policies and plans, assemble the CIP evidence package, and conduct Cyber Security Incident Response Plan tabletop exercises so the plan is tested before it's ever needed.


Ongoing Managed Compliance Services


We act as the compliance program administrator on an ongoing basis — coordinating periodic data submittals, responding to NERC Alerts, leading self-certifications, maintaining the evidence repository, monitoring regulatory developments, and keeping documentation current as standards and facilities change.


OT/SCADA cybersecurity managed service


We run the operational technology environment as a continuous evidence engine: log monitoring and alerting, firewall and access management, patch and vulnerability management, backups, change management, and the recurring CIP-003 audits and reporting that demonstrate the environment is actively secured.


Regional and inverter-based resource expertise


We support the regional layers that trip up generic programs — including Texas and ERCOT requirements such as PUCT Emergency Operations Plans and BAL-001-TRE, and IEEE 2800-2022 conformance reviews — and we help inverter-based resources get ahead of the new ride-through standards now phasing into enforcement.

Because we deliver NERC compliance and OT cybersecurity under one roof, there are no seams between the program and the environment it governs — one accountable partner for the obligations that span the Generator Owner, the Generator Operator, and the operational technology that connects them.

The bottom line

NERC compliance for Generator Owners and Operators is not a binder you produce and forget. It is a program you build correctly, register on the right timeline, and manage continuously — through standard changes, audits, and a rapidly evolving set of expectations for inverter-based resources. The cost of doing it well is modest next to the cost of doing it poorly: penalties measured in millions, audits that expose years of accumulated gaps, and the operational risk of running on a grid you can't prove you belong on.


The facilities that come through the IBR transition cleanly will be the ones that treated compliance as an engineering discipline from the start — and that had a partner accountable for keeping it true over time.



FAQs

Registration & applicability

  • Do we have to register with NERC as a Generator Owner or Operator?

    If your facility connects to the bulk power system and meets the applicable size and interconnection thresholds, then yes. Under NERC's inverter-based resource initiative, solar, wind, and storage facilities that generally reach an aggregate capacity of about 20 MVA or more and interconnect at 60 kV or higher fall into the registration population — many for the first time. The precise applicability depends on your facility's configuration and region, which is exactly the kind of determination worth confirming early rather than assuming.

  • What's the difference between a Generator Owner and a Generator Operator?

    NERC registers entities by function. The Generator Owner (GO) owns the generating equipment; the Generator Operator (GOP) operates it. One organization can hold both registrations, or the roles can be split — for example, when an owner contracts operations to a third party. Each function carries its own set of compliance obligations.

  • We use a third-party O&M or operations provider. Doesn't that make compliance their problem?

    You can delegate the work, but not the accountability. The registered entity remains legally responsible for the obligations attached to its functional registration. A sound program defines explicitly how the GO, the GOP, and any contractors coordinate, and how evidence flows between them — so nothing falls through the gap between organizations.


  • Our project is small. Are we automatically exempt?

    Applicability rules are specific, and "small" facilities can still pick up obligations depending on aggregate capacity, interconnection voltage, and regional criteria. The safe move is a documented applicability determination, not a gut-feel exemption.

Standards & scope

  • Which NERC standards actually apply to a generator?

    A typical Generator Owner has obligations across most standard families: EOP (emergency preparedness, including cold-weather), FAC (facility ratings and interconnection), MOD (generator modeling and data), PRC (protection system maintenance, coordination, and misoperation analysis), VAR (voltage and reactive control), CIP (cybersecurity), and depending on facility type and region, BAL, IRO, and TOP data-sharing requirements. The exact in-scope list depends on your equipment and location.

  • Do we really have to deal with standards that don't apply to us?

     Yes — and this surprises a lot of new registrants. A registered entity must demonstrate that it has reviewed and considered every standard applicable to its function, including the ones it has no obligation to perform because it lacks the relevant equipment. Auditors expect audit-ready attestations of non-applicability for those, not silence. Ignoring them leaves a hole that a Regional Entity will find.


  • What are regional variances, and why do they matter?

    On top of the continent-wide standards, each region adds its own requirements. A Western Interconnection facility inherits WECC criteria; a Texas facility inherits ERCOT and Texas Reliability Entity obligations such as BAL-001-TRE, plus state-level requirements. Applying a generic national checklist to a facility without accounting for where it sits is a common — and expensive — source of gaps.

  • Is CIP cybersecurity compliance the same as having good OT security?

    They're related but not identical. CIP compliance (for most renewables, the low-impact level under CIP-002 and CIP-003) is about having the required policies, plans, and documented evidence. OT security is the actual practice of protecting the SCADA environment day to day. A strong program keeps the two aligned so the evidence reflects what's really happening on the network — when they drift apart, audits get uncomfortable.

Timing & process

  • When should we start, and can we declare commercial operation first and sort out compliance later?

    Start before commercial operation. Declaring your Commercial Operation Date before the NERC program is developed and in place does not pause the obligations — it means you're non-compliant from day one, with violations accruing against standards you haven't operationalized yet. The correct sequence is program first, COD second.


  • How long does it take to build a compliance program?

    It varies with facility complexity, the number of standards in scope, regional requirements, and how readily the engineering documentation can be gathered from the EPC and project team. The build includes developing procedures, CIP documentation, the Internal Compliance Program, technical evidence, attestations, and the registration submittal — so it's a structured project, not a quick form-fill. Starting well ahead of your target COD is the single best way to avoid a compliance gap at energization.

  • What does registration actually involve?

    Submitting the registration request to the appropriate Regional Entity and coordinating with the Regional Entity, Transmission Owner, Transmission Operator, and Planning Coordinator as needed. It's process-heavy, and missteps create delays that ripple into your compliance timeline.

Inverter-based resources

  • What changed for solar, wind, and storage facilities?

    NERC's IBR registration initiative brought a large population of inverter-based resources into Generator Owner and Operator registration. The registration milestone for many resources has already passed — but registration is the start of the obligation, not the finish. The substantive work of building the program and producing compliant evidence follows.

  • What are PRC-029 and PRC-030?

    They're new ride-through standards defining how inverter-based resources must perform through voltage and frequency disturbances, with compliance dates phasing in during late 2026 and into 2027. For a facility that registered recently and hasn't stood up a working program, that's a short runway — worth getting ahead of now.

  • What is IEEE 2800-2022, and do we need to care?

    IEEE 2800-2022 sets interconnection performance requirements for inverter-based resources (active power-frequency response, voltage and frequency ride-through, protective functions). It's increasingly referenced in interconnection and state processes, particularly in Texas. A conformance review of your design documents can surface non-compliant settings before they become an interconnection or reliability problem.

Ongoing management, audits & penalties

  • Is NERC compliance a one-time project or an ongoing obligation?

    Ongoing — and this is where most programs quietly decay. Standards change, data submittals come due on recurring cycles, NERC issues Alerts that require responses, and self-certifications must be completed. Without a dedicated owner of that administrative function, a program that passed its first audit can fail its second.

  • What is an Internal Compliance Program (ICP)?

    An ICP is the management framework that keeps your compliance program current and demonstrates to regulators that you're managing compliance deliberately rather than reactively. It isn't strictly required by the standards, but it's one of the clearest signals to a Regional Entity that an entity takes its obligations seriously.

  • What happens during an audit?

    A Regional Entity reviews your evidence against the applicable standards, often via Reliability Standard Audit Worksheets (RSAWs) and data requests. Pre-audit preparation — assembling RSAWs, organizing the evidence repository, and preparing responses — is its own discipline. Spot checks and event-driven investigations can also occur outside the regular audit cycle.

  • What are the penalties for non-compliance?

    Financial penalties can exceed a million dollars per violation, per day, alongside mitigation requirements, heightened regulatory scrutiny, and reputational impact. The cost of a well-run program is modest by comparison.

  • What's a self-certification or self-report?

    Self-certifications are periodic attestations of your compliance status that registered entities are required to complete. A self-report is when you proactively disclose a potential violation — which, handled with a credible mitigation plan, is generally viewed far more favorably than a violation discovered by an auditor.


OT cybersecurity

  • Which devices fall under the OT cybersecurity scope?

    Typically the operational technology that runs the site: SCADA servers and workstations, firewalls, managed switches, remote terminal units, and cellular modems. Items like inverters, trackers, relays, meters, and weather stations, along with corporate and utility networks, generally sit outside that managed scope — though the exact boundary should be defined per facility.


  • What does an OT cybersecurity managed service actually do?

    It runs the environment as a continuous evidence engine: ingesting and monitoring security event logs, managing firewall rulesets and access, patching and remediating vulnerabilities, maintaining known-good backups, controlling transient devices and removable media, running change management, and producing the recurring CIP-003 evidence (firewall ruleset audits, network-diagram reviews, access reviews) and reporting. It's ongoing operations, not a one-time hardening exercise.


Working with Keentel Engineering

  • What does Keentel actually provide?

    The full lifecycle: GO/GOP program development, technical-standards evidence (facility ratings, protection system maintenance and coordination, and more), low-impact CIP documentation and Cyber Security Incident Response Plan tabletops, registration support, ongoing Managed Compliance Services, and an OT/SCADA cybersecurity managed service — plus regional support for Texas/ERCOT requirements and IEEE 2800 reviews.


  • Can you handle both NERC compliance and OT cybersecurity?

    Yes — and delivering both under one roof removes the seams that form when two separate providers own the program and the environment it governs. One accountable partner covers the obligations spanning the Generator Owner, the Generator Operator, and the OT that connects them.

  • How is your work typically structured?

    Three lanes that mirror how the obligations behave: a fixed-price program build, a recurring managed-compliance (and optional OT cyber) service for steady-state administration, and a time-and-materials lane for episodic, high-effort work like audit support, investigations, and major standard changes. That structure keeps costs transparent and comparable.

  • Can you take over a program we already started, or that another provider built?

    Yes. We can assess an existing program, close gaps, and assume the ongoing compliance and OT functions — including organizing the evidence repository and managing the transition so nothing lapses during the handoff.




About the Author:

Sonny Patel P.E. EC

IEEE Senior Member

In 1995, Sandip (Sonny) R. Patel earned his Electrical Engineering degree from the University of Illinois, specializing in Electrical Engineering. But degrees don’t build legacies—action does. For three decades, he’s been shaping the future of engineering, not just as a licensed Professional Engineer across multiple states (Florida, California, New York, West Virginia, and Minnesota), but as a doer. A builder. A leader. Not just an engineer. A Licensed Electrical Contractor in Florida with an Unlimited EC license. Not just an executive. The founder and CEO of KEENTEL LLC—where expertise meets execution. Three decades. Multiple states. Endless impact.
