NERC and the regional entities had reduced their backlog of compliance cases by almost 50% by the end of 2025, the ERO said in the annual report of its Organization Registration and Certification Program and Compliance Monitoring and Enforcement Program.
The ERO Enterprise had 2,601 open violations at the end of 2025, according to the report, down from the 2,996 at the end of 2024, as reported in the 2024 ORCP and CMEP annual report. More than 80% of open cases were first reported within the past three years, NERC said; by contrast, 92% of the open cases at the end of 2024 were fewer than three years old.
The annual ORCP and CMEP report is intended to help NERC and the REs track their progress achieving goals across the four focus areas identified in the ERO’s long-term strategy:
-
- Energy: Help stakeholders and policymakers address existing risks to grid reliability and prepare for emerging risks.
- Security: Enhance the security posture of the industry through existing cyber and physical security programs.
- Engagement: Ensure stakeholders and policymakers have access to accurate and trustworthy information from the ERO Enterprise.
- Agility and sustainability: Coordinate team activities effectively while delivering value for stakeholders and capturing cost efficiencies when practical.
NERC wrote in the report that 1,054 of its open violations at the end of 2025 were reported the same year. This represents a slight decline from the previous year, when 1,162 of the open violations at year’s end were reported in 2024, but it does not include the violations that were processed the same year, which represented 38% of the total in 2025. The previous year’s report did not include this figure.
NERC’s Critical Infrastructure Protection standards once again accounted for the largest number of violations reported to the ERO in 2025. The most-reported standard was CIP-010-4 (Cybersecurity — configuration change management and vulnerability assessments), with 245 violation reports received — more than the top three most-reported operations and planning (O&P) standards combined.
CIP standards also were the top three most represented standards for moderate-risk violations, with 40 infringements reported for CIP-007-6 (Cybersecurity — system security management), 20 for CIP-010-4 and 17 for CIP-003-8 (Cybersecurity — security management controls). On the other hand, the only three serious-risk violations reported in 2025 concerned the O&P standards IRO-001-4 (Reliability coordination — responsibilities), PRC-023-6 (Transmission relay loadability) and TOP-001-6 (Transmission operations).
The report also provided an update on NERC’s processing of minimal-risk violations, which the ERO identified as a key performance metric in a June 2025 filing following up on its five-year performance assessment. (See NERC Details Performance Metrics in FERC Filing.)
NERC wrote that it and the REs have worked to improve processing efficiency by streamlining the reporting template for compliance exceptions (CEs) — which allow minimal-risk violations to be processed without penalty and without affecting future violation penalties — along with updating the registered entity self-report and mitigation plan user guide and training.
About 83% of noncompliance reports processed in 2025 were handled as CEs, NERC wrote, with another 14% disposed under the Find, Fix, Track and Report (FFT) program, another option for addressing minimal-risk violations. Like the CE program, FFT requires registered entities to mitigate the noncompliance and make the facts and circumstances of the incident available for review by NERC and appropriate governmental authorities.
Of the remaining violations processed in 2025, 35 were covered by NERC’s monthly spreadsheet notice of penalty and 23 in a notice of penalty. In all, NERC processed 1,945 violations in 2025, 281 more than the year before.
