NERC Category 2 Generator Registration: What IBR Owners and Operators Need to Know

Posted on April 8, 2026

  

Introduction

For years, many owners and operators of smaller inverter-based resources (IBRs)—solar, wind, battery storage, and fuel cell facilities—operated outside the reach of NERC’s mandatory reliability standards. That changed in September 2024, when FERC approved NERC’s petition to expand its registration criteria to capture a new class of generation resources designated as “Category 2” Generator Owners (GOs) and Generator Operators (GOPs).

  

This expansion targets non-BES inverter-based resources with an aggregate nameplate capacity of 20 MVA or greater, interconnected at 60 kV or above. The universal compliance effective date is May 15, 2026. For entities that have never operated under NERC’s compliance framework, the learning curve is steep, and the timeline is compressed. This article breaks down the registration criteria, the applicable standards, and the practical steps required to achieve compliance.

 

I. Why NERC Expanded Registration to Category 2

The expansion is a direct response to reliability events that exposed the systemic risk posed by unregistered IBRs. The 2022 Odessa Disturbance in Texas saw approximately 1,711 MW of solar generation trip offline from a single fault event—much of it from facilities that were not subject to NERC oversight at the time. Similar events at Blue Cut (2016) and San Fernando (2020) reinforced the same pattern: smaller IBR facilities, when aggregated, can have outsized impacts on grid stability.

  

The common thread across these events was that the tripping facilities were not registered with NERC and therefore had no obligation to meet ride-through performance standards, maintain protection coordination, or report disturbance data. NERC’s IBR Registration Initiative is designed to close that gap by bringing materially impactful IBRs under the reliability standards framework, regardless of whether they individually meet the traditional BES threshold.

 

II. Who Is Affected

The Category 2 registration criteria apply to owners and operators of inverter-based resource facilities that meet all of the following conditions:

  • Capacity Threshold: Aggregate nameplate capacity of 20 MVA or greater at a single point of interconnection
  • Configuration: Resources connected through a system designed primarily for delivering generation to a common point of connection (collector systems)
  • Voltage Level: Interconnected to the transmission system at a voltage of 60 kV or above
  • Current Registration Status: Not currently registered as a Generator Owner or Generator Operator under NERC’s existing BES criteria

 

Why It Matters: If your facility is between 20 MVA and 75 MVA aggregate nameplate and connected at 60 kV or higher, you almost certainly fall within the Category 2 criteria. The ERO Enterprise (NERC and the Regional Entities) has been conducting outreach to identify candidate facilities since May 2024. If you have not been contacted, that does not mean you are exempt—it means you should proactively engage your Regional Entity to confirm your status.

 

III. The Registration Timeline

NERC has structured the Category 2 registration process in defined phases:

The registration process itself can take 6–12 months, depending on documentation requirements, technical assessments, and coordination with your Regional Entity. Entities that wait until late 2025 to begin will face significant bottleneck risk as Regional Entities process large volumes of simultaneous registrations.

 

IV. What Compliance Looks Like for Category 2 Entities

Registration is the starting line, not the finish. Once registered, Category 2 GOs and GOPs become subject to a defined set of mandatory NERC Reliability Standards spanning both operational performance and cybersecurity domains.

   

Operational and Performance Standards

Newly registered Category 2 entities will need to comply with standards governing generator performance, protection settings, and disturbance response. Key standards include:

  • PRC-029-1: Frequency and voltage ride-through performance requirements for IBRs. This is the direct regulatory response to the Odessa-type events—ensuring that IBRs remain connected during grid disturbances rather than tripping offline and compounding the problem.
  • PRC-028-1: Disturbance monitoring and reporting obligations. Entities must have the instrumentation and processes in place to capture and report data from grid events.
  • PRC-030-1: Corrective action plans following unexpected IBR tripping or performance deviations. When an event occurs, you must be able to identify what went wrong and implement fixes.
  • PRC-024-4: Frequency and voltage protection settings coordination for generation resources.

  

For entities that have been operating without NERC oversight, these standards require real technical investment: validated protection settings, functional disturbance monitoring equipment, and documented corrective action processes. These are not documentation exercises—they require engineering validation.

   

NERC CIP Cybersecurity Standards

Perhaps the most consequential—and frequently underestimated—compliance obligation for new Category 2 registrants is the applicability of NERC CIP standards (CIP-002 through CIP-014). These standards govern the cybersecurity posture of BES Cyber Systems and require entities to implement controls for asset identification, electronic access, physical security, personnel training, incident response, recovery planning, and supply chain risk management.

  

Most Category 2 IBR facilities will likely classify their cyber assets as Low Impact BES Cyber Systems under CIP-002. While Low Impact requirements are less prescriptive than Medium or High, they are not trivial. At a minimum, entities must demonstrate compliance with CIP-003 (security management controls, including a documented cybersecurity policy) and CIP-012 (protection of communication links carrying real-time operational data between control centers).

  

Entities with facilities that meet the Medium or High Impact criteria under CIP-002’s Attachment 1 will face the full spectrum of CIP obligations: CIP-004 (personnel and training), CIP-005 (electronic security perimeters), CIP-006 (physical security), CIP-007 (systems security management), CIP-008 (incident reporting), CIP-009 (recovery plans), CIP-010 (configuration management), CIP-011 (information protection), and CIP-013 (supply chain risk management).

  

Why It Matters: Many IBR operators have never had to classify BES Cyber Systems or develop CIP compliance programs. The gap between “we have a firewall” and “we can demonstrate auditable compliance with CIP-005” is significant. NERC auditors evaluate compliance through structured RSAW (Reliability Standard Audit Worksheet) reviews that require specific, documented evidence—not general assertions about security posture.

 

V. Five Steps to Compliance Readiness

The following steps represent a practical roadmap for entities navigating Category 2 registration for the first time. Each step addresses a distinct compliance workstream and should be initiated concurrently, given the compressed timeline.

 

1. Confirm Your Registration Status

Start by definitively establishing whether your facilities meet the Category 2 criteria. Review your aggregate nameplate capacity at each point of interconnection, confirm your interconnection voltage, and assess whether your collector system configuration meets NERC’s definition. If you are uncertain, contact your Regional Entity directly. Do not rely on the assumption that you would have been contacted during Phase 1 outreach—the identification process is ongoing, and some facilities may not have been captured.

 

Key Actions: Review interconnection agreements for nameplate and voltage data. Cross-reference against NERC’s published Category 2 criteria. Engage your Regional Entity to confirm or clarify registration applicability.

  

2. Conduct a BES Cyber System Impact Assessment

Before you can build a CIP compliance program, you need to know what you are protecting. Perform a thorough CIP-002 categorization of all cyber assets associated with your IBR facilities. This means identifying every cyber asset that, if compromised, could affect the reliable operation of your generation resources—SCADA systems, inverter control platforms, communications networks, protective relay systems, and remote access points.

  

For most Category 2 facilities, the result will be a Low Impact classification. But the categorization exercise itself is non-trivial: it requires a defensible methodology, documentation of the analysis, and an asset inventory that can withstand audit scrutiny. Misclassification—either over or under—creates compliance risk.

 

Key Actions: Inventory all cyber assets at each facility. Apply CIP-002 Attachment 1 criteria to determine impact classification. Document the categorization methodology and maintain it for audit evidence.

 

3. Develop Your CIP Compliance Program

Even at the Low Impact level, you will need documented policies, an asset inventory, security awareness training, and evidence of compliance. NERC auditors expect structured, auditable evidence packages—not ad hoc procedures or verbal explanations.

  

The most common failure mode for first-time registrants is treating compliance as a documentation exercise completed shortly before an audit. Effective compliance programs are built into daily operations: access controls are enforced in real time, patch management cycles are tracked systematically, and incident response procedures are tested through exercises. Without documentation to demonstrate your compliance, it effectively did not happen.

  

Key Actions: Develop CIP policies and procedures aligned with your impact classification. Implement evidence collection processes from day one. Establish a compliance calendar with internal review milestones.

  

4. Validate Operational Standards Readiness

Beyond CIP, evaluate your facility’s ability to meet the performance and protection standards that will apply upon registration. Ride-through settings must be validated against PRC-029 requirements. Disturbance monitoring equipment must be installed, configured, and tested to meet PRC-028 data capture requirements. Protection settings must be coordinated per PRC-024 to prevent the exact type of cascading trips that triggered the Category 2 expansion in the first place.

  

This is an engineering workstream, not a paperwork exercise. It requires coordination between your operations team, your OEM, and potentially your Transmission Operator to validate that protection settings are appropriate for the system conditions at your point of interconnection.

  

Key Actions: Validate ride-through settings against PRC-029 curves. Confirm disturbance monitoring equipment meets PRC-028 requirements. Coordinate protection settings with your TO and document the analysis.

 

5. Build Audit Readiness from Day One

Audit readiness is not a one-time task—it is an ongoing operational discipline. NERC audits are conducted using RSAWs (Reliability Standard Audit Worksheets) that map each requirement to specific evidence expectations. Entities that understand this structure from the beginning build their compliance programs around it, making audit preparation a byproduct of normal operations rather than a scramble.

  

Maintain a centralized repository for all compliance-related documents, including policies, procedures, logs, and corrective action records. Assign clear roles and responsibilities for each standard area. Conduct periodic self-assessments using the same RSAW-based methodology that auditors employ—this is the most reliable way to identify gaps before they become findings.

  

Key Actions: Establish a centralized evidence repository. Assign compliance ownership by standard area. Conduct internal mock audits using RSAW frameworks. Train designated subject matter experts on audit communication and evidence presentation.

  

For a deeper look at building a full compliance program — from Day 1 analysis through internal controls, mock audits, and compliance culture — see our guide: IBR Registration and Compliance Program Development: A Comprehensive Guide

 

VI. The Cost of Inaction

Failure to register by the May 15, 2026 effective date is itself a compliance violation. Beyond that, unregistered entities that experience a reliability event—such as an unexpected generation trip during a grid disturbance—face heightened regulatory scrutiny and potential enforcement action. NERC’s enforcement history demonstrates that ignorance of registration obligations is not treated as a mitigating factor.

  

The regulatory environment has shifted decisively. The Odessa Disturbance and subsequent events have made IBR reliability a top priority for NERC, FERC, and the Regional Entities. Entities that delay will find themselves building compliance programs under time pressure, competing for limited consultant and engineering resources, and operating with less margin for error in an enforcement environment that is actively tightening.

   

Conclusion

The Category 2 registration expansion represents a fundamental shift in the regulatory landscape for IBR owners and operators. Facilities that previously had no NERC obligations will soon be subject to the same standards framework that governs the largest generation assets on the grid. The timeline is aggressive, the compliance requirements are substantive, and the consequences of non-compliance are real.

  

Start now. Confirm your registration status, assess your cyber assets, and begin building the compliance infrastructure that will carry you through registration, through your first audit, and into sustained operational compliance. The entities that treat this as a strategic priority—rather than a last-minute exercise—will be the ones best positioned when May 2026 arrives.

  

Regulatory Energy Partners works with utilities, independent power producers, and infrastructure operators to navigate NERC compliance—from initial registration through audit readiness and beyond. Our team includes former regulators and experienced practitioners who have supported entities through first-time registration and initial audit cycles. To discuss how Category 2 registration affects your operations, contact us at [email protected] or visit repenergy.us.
