Small modular reactors are the most credible new path to firm, carbon-free power in a generation — and the hardest part isn't building them. It's getting through the NRC. This guide walks the SMR licensing and design approval process from the regulator's side: what design certification and standard design approval actually mean, why NuScale Power's path took the better part of a decade, what the 2026 Part 53 rule changes for advanced reactors, and where cybersecurity now sits inside the approval process. It's written for the utility executive, energy-sector CISO, or SMR program director who has to plan around real regulatory timelines and the security requirements that come baked into them. No hype about a nuclear renaissance — just how the approval machinery works and what it demands.
What is an SMR, and why does the licensing path matter so much?
A small modular reactor is exactly what the name says: a nuclear reactor small enough to be factory-built in modules and shipped to site, typically generating a fraction of a large nuclear power plant's output. NuScale's power module produces 77 megawatts electric in its uprated design; a conventional large nuclear reactor runs ten times that. The pitch is compelling — a simplified design, passive safety systems, smaller footprint, and the ability to add capacity in increments rather than betting a utility's balance sheet on a single multi-billion-dollar build. For data centers, industrial process heat, and grids retiring coal, the SMR is the clean energy option that can actually be sited where the demand is.

[INLINE IMAGE 1 — Adobe Stock #2049183357: cutaway diagram of a small modular nuclear reactor showing internal components. Suggested alt: "A small modular reactor is factory-built in modules and shipped to site."]
But none of that matters until the design clears the U.S. Nuclear Regulatory Commission. SMRs are still nuclear power reactors, and the NRC regulates them with the same mandate it applies to any nuclear facility: reasonable assurance of adequate protection of public health and safety. The licensing path is the gate every SMR has to pass, and it is long, evidence-heavy, and expensive. Understanding it isn't optional for anyone planning an SMR deployment — the regulatory timeline drives the project timeline, full stop.
This is why the approval process deserves the attention. A utility evaluating SMR technology is really evaluating two things at once: the reactor design itself, and how far along that design is in the NRC pipeline. A certified design can be referenced immediately; a design still in review carries years of regulatory risk. The gap between those two states is the difference between a project you can finance and one you can only hope for.
How does the NRC design approval process actually work?
The NRC offers a few distinct regulatory products, and the distinction matters. Design certification is the full rulemaking — the NRC reviews a reactor design, the Commission votes, and the certified design gets published in the Federal Register where any utility can reference it when applying to build. Standard design approval (SDA) is a determination by NRC staff that a design meets the agency's applicable design requirements; it's a major milestone that lets the design be referenced in a license application, though it isn't the final rulemaking. Both feed into the licensing of an actual plant, which happens through a combined license or construction permit tied to a specific site.

The review itself is exhaustive. When NuScale submitted its first SMR design certification application, it ran to roughly 12,000 pages and was backed by more than two million pages of supporting documents for regulatory audits. NRC staff work through every safety system, the reactor design, the plant design, and the engineering and design basis for each claimed safety feature. The process is deliberately meticulous — the entire point is to prevent accidents before a single reactor is built, which is why the design review takes years rather than months.
It's also a two-step reality that trips up planning. Getting a design approved is not the same as getting permission to build. Even with NRC design approval in hand, a utility, an SMR developer, or a project partner still has to apply for the combined license or construction permit to put reactors on a specific site — and the NRC says that process can take 30 months or longer at present. The design approval clears the technology; the site license clears the project. Both have to happen, and both take time.
Why did NuScale's NRC approval take so long?
NuScale Power's timeline is the case study, because it's the only SMR to complete the full path. The NRC accepted NuScale's design certification application in 2017–2018, issued its final technical review in August 2020, and the Commission voted to certify the design on July 29, 2022 — making the NuScale power module the first SMR certified by the NRC and just the seventh reactor design ever cleared for use in the United States. The final rule took effect in February 2023. From application acceptance to certification ran roughly five years; the full arc from early engagement stretched closer to seven.
That length wasn't bureaucratic drag for its own sake. The NRC had decades of experience with large light-water reactors but no template for certifying a small modular reactor, so the review built the playbook as it went. NuScale's design helped its own case here — it's an advanced light-water SMR running on conventional low-enriched uranium rather than the scarcer high-assay low-enriched uranium some advanced reactor designs require, which kept it on regulatory ground the NRC already understood. Even so, first-of-a-kind review of any new nuclear technology is inherently slow.
NuScale then went back for more. The company submitted a second standard design approval application on January 1, 2023, this time for an uprated 77-MWe module — a total plant output of 462 MWe across a six-module configuration. The NRC approved that US460 design in May 2025 after a review of under two years, completed ahead of schedule and under budget. The contrast is the real lesson: the first approval took years because everything was new; the second moved far faster because the foundation existed. More than $600 million in Department of Energy support since 2014 underwrote much of that design and licensing work, a reminder that SMR development in the U.S. has leaned heavily on federal funding to clear the regulatory bar.
What is the state of the broader SMR pipeline in 2026?
NuScale is first, but it isn't alone. As of 2026, it remains the only SMR with full NRC design approval, but a real pipeline sits behind it. GE Hitachi's BWRX-300 — another light-water design — is the most advanced new-build, with construction underway at sites that referenced its design. TerraPower's Natrium, a sodium fast reactor, has a construction permit application under active NRC review and is the most advanced non-light-water entrant. X-energy's Xe-100, Kairos Power's designs, Holtec's SMR-300, and Oklo's Aurora round out a field in various stages of NRC review or pre-application engagement.
The technology split shapes the timelines. Light-water SMR designs — NuScale, BWRX-300, Holtec — carry a regulatory advantage because the NRC has decades of experience with the technology and a body of precedent to lean on. Non-light-water designs — sodium fast reactors, high-temperature gas reactors, molten salt concepts — face longer review timelines because the NRC is evaluating physics and safety systems it has less history with. That's not a knock on the technology; it's a statement about regulatory familiarity, and it's why the first wave of new-build U.S. SMR deployment realistically reaches operation in the 2029–2032 window.
The honest read for a utility is that patience is required. The SMR projects furthest along are the light-water designs riding established precedent, while the more novel advanced nuclear reactors carry more regulatory uncertainty and longer horizons. Both matter to the energy transition, but they don't arrive on the same schedule, and treating them as interchangeable in a capacity plan is a mistake. The pipeline is real; the timelines are long; the technology choice drives both.
How does cybersecurity factor into SMR design and licensing?
This is the part most SMR coverage skips, and it's where the regulatory picture gets genuinely modern. Nuclear cybersecurity isn't an afterthought bolted on after licensing — it's codified into the approval process. The NRC's core cyber rule, 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks," requires every power reactor licensee to protect the digital systems tied to safety, security, and emergency preparedness from cyberattacks, and to submit a cybersecurity plan for NRC review and approval. Regulatory Guide 5.71 and the industry's NEI 08-09 template lay out how licensees achieve the "high assurance" of protection the rule demands. A cyberattack is treated as part of the design basis threat the plant must defend against — not a hypothetical, a requirement.

For SMRs the stakes are sharper because the designs are more digital. Modern SMRs lean on digital instrumentation and control to a degree older analog plants never did, which expands the attack surface the cybersecurity program has to cover. Critical digital assets — the systems that, if compromised, would impair safety or security functions — have to be identified and protected, and when a design relies on digital safety system features to meet a cyber provision, those features get reviewed by the NRC as part of the design certification or combined license application itself. Cybersecurity is, in other words, inside the design approval, not adjacent to it.
The architecture problem here mirrors what every critical-infrastructure operator faces as operational and information technology converge, and the governance and segmentation discipline is the same. The patterns we lay out in our analysis of IT/OT convergence and cybersecurity in critical infrastructure apply directly to an SMR's digital control environment, and building a defensible cyber program against the NRC's high-assurance standard is exactly the kind of work our cybersecurity consulting services are built to support for energy-sector clients.
What does the 2026 Part 53 rule change for advanced reactors?
The biggest regulatory shift in years landed in 2026. The NRC's new 10 CFR Part 53 — the risk-informed, technology-inclusive regulatory framework for advanced reactors — became effective April 29, 2026, created in response to the Nuclear Energy Innovation and Modernization Act. The existing licensing framework grew up around large light-water reactors, which is precisely why non-light-water SMR designs faced such long reviews. Part 53 builds an alternative path designed to accommodate reactor technologies that don't fit the light-water mold, using a risk-informed and performance-based approach rather than prescriptive light-water assumptions.
Crucially, Part 53 rewrote the security provisions too. It adds new technology-inclusive requirements across physical security, cybersecurity, and access authorization for commercial nuclear plants — including a new 73.110, "Technology-inclusive requirements for protection of digital computer and communication systems and networks," that parallels the existing 73.54 cyber rule but is built to flex across diverse advanced reactor designs. For an SMR developer choosing a licensing pathway, this matters: a non-light-water design that once faced an ill-fitting regulatory framework now has a consequence-based, technology-neutral option that scales security requirements to the actual risk a given design presents.
The practical effect is a potentially shorter, cleaner path for advanced nuclear technologies — though "potentially" is the operative word. Part 53 is new, the implementing regulatory guides are still maturing, and no advanced reactor has yet completed a full license under it. The framework promises to compress timelines for the non-light-water designs that needed it most, but the first applications through it will, like NuScale's first certification, partly build the playbook as they go. Utilities planning around Part 53 should treat it as a real improvement with unproven execution.
Who supports SMR development, and why does federal backing matter?
SMR development in the United States has been a public-private partnership from the start, and the public half is not incidental. The Department of Energy has poured more than $600 million since 2014 into the design, licensing, and siting of NuScale's SMR plant alone, and DOE support spans a broader portfolio of domestic SMR concepts. That funding underwrites the staggering cost of first-of-a-kind regulatory review — the multi-year, multi-million-page NRC engagements that no single developer could easily finance against an uncertain payoff. Without federal backing, the SMR licensing pipeline as it exists today wouldn't.
The support extends beyond money. National laboratories supply the technical depth the NRC draws on for advanced reactor review, universities feed the cybersecurity and engineering expertise behind rules like the proposed 73.110, and DOE demonstration programs give SMR designs real sites to prove against. Internationally, the picture rhymes — Canada's nuclear regulator has run its own SMR initiatives and pre-licensing reviews, and bodies like the OECD Nuclear Energy Agency coordinate the kind of cross-border regulatory thinking that helps SMR developers navigate multiple jurisdictions. SMRs are, increasingly, a globally coordinated bet.
For a utility, the takeaway is that federal and institutional support is part of the risk calculus. An SMR design backed by DOE funding and deep national-lab engagement carries less execution risk than one going it alone, and the regulatory pathway — whether the established Part 50/52 route or the new Part 53 framework — is smoother where that institutional weight is behind it. The reliability of an SMR project isn't only about the reactor technology; it's about the ecosystem of regulatory, financial, and technical support standing behind the design.
What should a utility evaluating SMRs actually plan around?
Start with regulatory maturity, because it dominates the timeline. A utility evaluating SMR technology should weight where a design sits in the NRC pipeline as heavily as the reactor's technical specs. A certified or design-approved reactor — NuScale today — can be referenced in a combined license application now; a design still in review adds years of regulatory exposure before a project can even break ground. Map your energy needs against that reality: if you need firm capacity by 2030, the light-water designs with NRC approval are the realistic candidates, not the advanced reactors still early in review.

Then plan the security program early, not late. Because cybersecurity is embedded in the licensing process under 10 CFR 73.54 and now Part 53's 73.110, the cyber plan, critical-digital-asset identification, and the supporting controls aren't post-construction paperwork — they're part of what the NRC reviews. Treating nuclear cybersecurity as a day-one design input rather than a licensing-stage scramble is what keeps an SMR project on schedule. The supply chain feeding an SMR's digital systems needs the same scrutiny, which is where disciplined supply chain risk management intersects directly with the licensing requirements.
Finally, account for the full project arc and the existing nuclear infrastructure you can lean on. Design approval clears the technology; the combined license clears the site; construction and commissioning follow — a multi-year sequence even after a design is approved. Utilities with existing nuclear infrastructure, trained staff, and established NRC relationships move faster than newcomers, and SMRs sited alongside or in place of retiring plants can reuse grid connections and workforce. The reactor design is the headline, but the reliability of the deployment rests on planning the regulatory, security, and infrastructure pieces together from the outset. If your team is building that plan, talk to us about the cybersecurity and regulatory-readiness side of an SMR program.
Key Things to Remember
- The NRC licensing path drives the SMR timeline, not construction. A small modular reactor is still a nuclear reactor, regulated for full public safety, and the approval process is long, evidence-heavy, and expensive.
- Design approval and a build license are two separate steps. Design certification or standard design approval clears the technology; a combined license or construction permit (30+ months) clears a specific site. Both are required.
- NuScale Power is the proof of concept — and the cautionary timeline. It's the only SMR with full NRC approval (certified July 2022, US460 SDA May 2025). The first approval took ~7 years; the second under two, because the precedent existed.
- The pipeline is real but staggered. Light-water designs (NuScale, BWRX-300, Holtec) move faster on NRC precedent; non-light-water advanced reactors (Natrium, Xe-100, Aurora) face longer reviews. First new-build US SMRs realistically hit operation 2029–2032.
- Cybersecurity is inside the licensing process. 10 CFR 73.54, RG 5.71, and NEI 08-09 require a high-assurance cyber program; a cyberattack is part of the design basis threat. SMRs' digital instrumentation and control widen the attack surface the NRC reviews.
- Part 53 changed the game in 2026. Effective April 29, 2026, the technology-inclusive framework — including the new 73.110 cyber requirements — gives non-light-water designs a risk-informed alternative path, though execution is still unproven.
- Federal backing is part of the risk calculus. DOE has put $600M+ into NuScale's design and licensing alone; national-lab and DOE support materially de-risks an SMR project's regulatory pathway.
- Plan regulatory maturity, security, and infrastructure together. Weight where a design sits in the NRC pipeline as heavily as its specs, build the cyber program as a day-one input, and lean on existing nuclear infrastructure where you can.

