Code Change Summary: New Informational Note 4 was added to provide additional guidance on Cybersecurity.

SME commentary: A new Informational Note was added beneath NEC^® 110.3(A)(8) as part of the 2026 Code revision cycle to provide guidance on how cybersecurity evaluations may be approached for network-connected electrical equipment. This update was driven by a public input from the National Electrical Manufacturers Association (NEMA), which recognized a growing need for consistent guidance on verifying cybersecurity features, particularly for equipment used in life safety functions such as fire alarm systems, emergency systems, access control, and similar systems that rely on digital communication networks that may be vulnerable for cyber-attacks or hacking.

The parent requirement, 110.3(A)(8), requires cybersecurity to be considered when judging network-connected life safety equipment to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety functionality. Existing Informational note 3 references the UL 2900 series of standards for software cybersecurity for network-connectable products, which are standards intended to ensure that the network-connectable product (such as a fire alarm control unit, access control panel, or smart breaker) has been cybersecurity-tested and evaluated for things like secure software development lifecycle, known vulnerability scans, authentication, access control, and software update mechanisms.

UL 2900-1 and UL 2900-2-3, in particular, are used to certify that a product meets a defined cybersecurity baseline, especially for life safety and security signaling systems.

Until now, the NEC^® did not provide any direct guidance or reference geared towards installers, electrical contractors, system integrators, inspectors, and AHJs (Authorities Having Jurisdiction) who must inspect the system for code compliance.

The addition of Informational Note 4 changes that by referencing NEMA CY 70001, a technical guideline that outlines best practices and risk assessment protocols for connected infrastructure.

New Informational Note No. 4 states: See NEMA CY 70001, Cybersecurity Implementation Guidance for Connected Electrical Infrastructure, for recommendations on how to meet this requirement.

NEMA CY 70001 is intended for installers, inspectors, and AHJs who may be unfamiliar with cybersecurity compliance. It emphasizes the need for secure update practices, lifecycle management, and risk-based evaluation of system vulnerabilities. The intent of the document is not to create a mandatory checklist, but to offer a credible starting point for evaluating how systems are designed to resist unauthorized access, malware, or operational failure. With the increasing interconnectivity of life safety systems, this addition strengthens the NEC’s alignment with modern digital threats and helps ensure that life-critical electrical infrastructure can maintain its intended performance even in the face of cybersecurity risks.

By pointing to NEMA CY 70001 in the new informational note, the NEC^® helps raise awareness and encourages consistent practices for incorporating cybersecurity resilience for life safety equipment that connects to modern digital networks. This connection helps make sure that when equipment is evaluated, cybersecurity risks are part of the conversation and better aligned with today’s evolving threats.

Below is a preview of the NEC^®. See the actual NEC^® text at NFPA.ORG for the complete code section. Once there, click on their link to free access to the 2026 NEC^® edition of NFPA 70.

2023 Code Language:

Informational note 4 did not exist.

2026 Code Language:

110.3(A) Examination. In judging equipment, considerations such as the following shall be evaluated: (See the NEC^® for items 1-7)

(8) Cybersecurity for network-connected life safety equipment to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety functionality.

N Informational Note No. 4: See NEMA CY 70001, Cybersecurity Implementation Guidance for Connected Electrical Infrastructure, for recommendations on how to meet this requirement.