On May 23, 2025, President Trump signed a series of executive orders to dramatically expand U.S. nuclear power production, setting an aggressive goal of quadrupling domestic output over the next 25 years. At the signing, he declared “It’s time for nuclear.” These orders direct the federal government to reorganize the Nuclear Regulatory Commission (NRC) to accelerate project approvals, assess the feasibility of restarting shuttered nuclear plants, and identify new reactor sites on federal land, among other reforms.
Leading AI companies are driving the demand for nuclear energy solutions to support their expanding operations. The rapid adoption of generative AI is fueling an unprecedented surge in energy demand to power the data centers behind the technology. This growing need for reliable, low-carbon energy is prompting a revival of dormant nuclear projects and driving technological innovations by nuclear energy startups. The White House has signaled its support, with President Trump’s science and technology advisor, Michael Kratsios, highlighting that “[t]hese actions are critical to [America’s] continued dominance in AI and other emerging technologies.” As the world welcomes this potential “nuclear energy renaissance,” investors and operators must heed the concomitant cybersecurity risks. Safeguarding nuclear infrastructure from evolving cyber threats will be essential as the sector adapts to the demands of the AI era.
Growing demand for nuclear power
AI’s appetite for energy is evident in industry projections for data power consumption. By 2030, data centers in the United States are expected to consume 606 terawatt-hours (TWh) of electricity—more than quadruple the consumption of 147 TWh in 2023. (To put this in perspective, New York City’s entire electricity consumption is about 50 TWh per year.) This surge is driven by the growth in the size of AI models (with greater demand in the model training phase) and the growing appeal of AI tools (with greater demands for model inference), all requiring increasingly vast computational resources.
In response, AI companies are exploring nuclear power as a low-carbon, “always-on” solution to meet their energy demands globally. Several recent partnerships and proposals illustrate this trend of large tech companies striking deals with energy companies to purchase nuclear power for their data centers.1 In November, one company put forward a proposal in Washington that nuclear power should be one of five “pillars” of a blueprint for AI infrastructure. Venture funding for nuclear investments doubled to USD1.9 billion from 2023 to 2024, according to one market report. In sum, stakeholders across Silicon Valley and Washington see nuclear energy as part of the solution to AI’s power consumption bottleneck.
Global cybersecurity risks for nuclear energy
While the integration of nuclear power into the tech ecosystem offers clear opportunities, it also increases exposure to cybersecurity risks. Nuclear energy facilities are part of the critical infrastructure that faces heightened cyber threats, particularly in an era of geopolitical competition. Successive U.S. administrations’ cyber strategies have prioritized the defense of critical infrastructure, including the energy sector, as a key priority. Meanwhile, the EU is implementing and preparing to enforce the newly updated NIS 2 Directive, which seeks to boost cybersecurity levels across critical industries, including the energy sector.
In 2024, the U.S. government warned that state-sponsored actors from the People’s Republic of China had pre-positioned themselves in the IT environments of U.S. critical infrastructure systems, including in the energy sector. (Chinese officials later acknowledged China’s responsibility for those cyber attacks.) U.S. agencies have also issued warnings about North Korean state-sponsored groups targeting nuclear entities to obtain sensitive information to advance the regime’s nuclear program. Russian and Iranian state-linked actors have similarly targeted energy-sector critical infrastructure, according to the U.S. and allied governments. In 2024, the FBI cautioned that the “implementation of renewable energy and incentives for development of clean energy have created new targets and opportunities for cyber threat actors to disrupt and exploit for their own gain.”
Nuclear power facilities have repeatedly faced cyber attacks. In 2022, the U.S. Department of Justice (DOJ) charged Russian hackers for breaching the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas. Similar cyber attacks on nuclear power operators have spanned the globe, from the 2019 breach of the Kudankulam Nuclear Power Plant systems in Tamil Nadu, India, and the 2014 hack of the ROK’s Korea Hydro and Nuclear Power Company, to the 2016 breach of Germany’s Gundremmingen nuclear power plant and, most recently, the 2022 Russian attacks on Ukrainian state nuclear operator Energoatom. In addition, recent ransomware threat actors have targeted a Brazilian state-owned nuclear company and the Malaysian Nuclear Energy Agency. Other dark web access brokers and data leakers have recently alleged attacks on a Greek nuclear energy company, a U.K. nuclear and defense contractor, and the United Arab Emirates’ nuclear program.
Finally, public anxieties surrounding the use of nuclear power should not be overlooked. Although incidents involving nuclear power have been relatively isolated, especially when compared to the damages associated with non-nuclear energy sources, the threat looms large in the public consciousness. Accordingly, the expectation for nuclear energy is that the margin for error is zero. Stakeholders investing in this area must commit to seriously securing that infrastructure.
Navigating nuclear cybersecurity regulations
Nuclear energy facility operators should proactively manage their cybersecurity compliance in light of the evolving ecosystem of regulations. In the United States, the NRC currently conducts inspections and requires nuclear power plant operators to submit cybersecurity plans for approval under 10 CFR § 73.54, and provides additional guidance in Regulatory Guide 5.71, Revision 1. These rules require each licensee to provide “high assurance” that its systems are adequately protected against cyber attacks and to implement defense-in-depth protective architecture. Licensees must report cyber incidents to the NRC by telephone within very short timeframes— as little as one hour following the discovery of an attack. The NRC is also developing new regulations for fuel cycle facilities to enhance protection against cyber threats. It remains to be seen how the NRC’s cybersecurity requirements will change under President Trump’s recent reorganization and staffing reductions at the independent agency.
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has proposed a rule to implement the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). If adopted, this rule will require owners and operators of commercial nuclear power reactors and fuel cycle facilities to report cybersecurity incidents within specified timeframes and to retain related records for at least two years thereafter. These requirements remain in the formal agency rule-making process, and future changes are possible depending on the administration’s policy priorities.
One of President Trump’s recent nuclear power orders directs the Department of Energy (DOE) to designate AI data centers located at, or operated in coordination with, DOE facilities as “critical defense facilities.” The order also directs the DOE to fast-track the siting and operation of new nuclear reactors at DOE sites to power AI and other critical infrastructure. Nuclear power and AI data center operators should be aware that DOE contractors—including those in government-owned, contractor-operated (GO-CO) systems—must comply with National Institute of Standards and Technology-aligned requirements outlined in DOE Order 205.1D. Contractors must ensure that all contractors and subcontractors are aware of and comply with these requirements.
Regulators have shown a willingness to penalize nuclear companies for failing to meet cybersecurity standards. In October 2024, the U.K.’s Office of Nuclear Regulation fined a nuclear decommissioning company, Sellafield Ltd, over USD440,000. This fine was based on noncompliance with cyber requirements and was not connected to a cyber attack. The U.K. government has also announced plans to introduce the Cyber Security and Resilience Bill later in 2025, which aims to strengthen the security of the U.K.’s critical infrastructure.
Path forward
Navigating the intersection of cybersecurity law and nuclear energy will be critical in the era of AI-driven energy demands. By addressing cybersecurity risks proactively, nuclear stakeholders can help ensure the safe and reliable integration of nuclear power into the AI ecosystem and safeguard the advancement of the digital economy.
Footnote
. See, e.g., Spencer Kimball, Constellation Energy to restart Three Mile Island nuclear plant, sell the power to Microsoft for AI, CNBC (September 20, 2024), https://www.cnbc.com/2024/09/20/constellation-energy-to-restart-three-mile-island-and-sell-the-power-to-microsoft.html; Malcom Moore, Google orders small modular nuclear reactors for its data centres, FIN. TIMES (October 14, 2024), https://www.ft.com/content/29eaf03f-4970-40da-ae7c-c8b3283069da; Jamie Smyth, Amazon buys stake in nuclear energy developer in push to power data centres, FIN. TIMES (October 16, 2024), https://www.ft.com/content/00776191-b010-4104-add4-8dc430386911; Will Wade, Meta Seeks New Nuclear Reactors to Run US Data Centers, BLOOMBERG (December 3, 2024), https://www.bloomberg.com/news/articles/2024-12-03/meta-seeks-new-nuclear-reactors-to-run-us-data-centers; Peter Wells and Hannah Murphy, Meta agrees 20-year deal to buy output from Illinois nuclear plant, FIN. TIMES (June 3, 2025), https://www.ft.com/content/8f216db5-2d1c-4097-b106-0f7a9388f293; see also Jamie Smyth, Nuclear reactor groups raise USD1.5bn amid race to power AI boom, FIN. TIMES (February 19, 2025), https://www.ft.com/content/2d84198e-7eeb-4154-bbf2-9a469b0cc700.
