The FAA Just Drew the New Line: What New Drone Regulations for Critical Infrastructure Mean for Operators

New drone regulations for critical infrastructure changed what actions energy and data center operators should take after a drone incursion.

Key Takeaways 

• Three federal instruments drove the shift: the 2025 Executive Order on airspace sovereignty, the FAA’s May 2026 UAFR fixed-site rule, and the joint CISA/FBI advisory on Chinese-manufactured UAS. 
• The bar moved from detection to a forensic answer — what the aircraft was, where it came from and who flew it. 
• No rule mandates a specific tool, but regulators, insurers and boards can now audit how an operator responds to an incursion. 
• The near-term move is documentation, not procurement: map your sites, add a forensic step to your incident-response plan and brief the board.

For a decade, the federal answer to a drone over a critical-infrastructure site was simple: detection is your job, federal authority handles the rest. That posture held while incursions numbered in the hundreds. It didn’t survive the surge at US power generation sites — and the rules are now moving to match.

The clearest signal is Executive Order 14305, “Restoring American Airspace Sovereignty,” issued in 2025, which directed the FAA to give critical-infrastructure operators a way to keep drones out of the airspace over their sites. The FAA’s answer is a proposed rule, published in May 2026 and open for public comment through July 6, which would let eligible facilities petition for a flight-restriction designation. Neither of these actions requires drone forensics, yet they signal how seriously the federal government now treats drones over critical infrastructure. Operators getting ahead of it are the ones already asking what happens after detection. 

What is the FAA’s May 2026 UAFR rule?

The FAA’s May 2026 UAFR (Unmanned Aircraft Fixed-Site Restrictions) proposed rule designates categories of fixed sites — including power generation, refineries and selected federal facilities — as eligible for restricted airspace protections and structured incident response expectations after an unmanned aircraft incursion. It is the first federal rule to name energy infrastructure categories by name in this context. 

The UAFR proposed rule does three operational things. First, it lists the fixed-site categories covered — drawing the perimeter of who the federal government considers an in-scope operator. Second, it sets out the expectations for how an operator handles an incursion at a covered site, including documentation and notification expectations. Third, it ties into the broader counter-UAS authority framework established by the 2025 Executive Order.

What the rule does not directly do is require any specific forensic tool or capability. It does not say “deploy enterprise drone forensics.” But it does establish the documented gap. If a covered site reports a critical infrastructure drone incursion and produces no record of what aircraft did the incursion, where it came from or who flew it, the operator now has a documented response — and a regulator, an insurer or a plaintiff’s counsel can audit that response. That audit is the load-bearing change. 

What does the 2025 Executive Order on airspace sovereignty actually require?

The 2025 Executive Order (EO) “Restoring American Airspace Sovereignty” directs federal agencies to expand counter-UAS authority, accelerate related rulemaking and prioritize critical-infrastructure airspace protection. It sets the policy direction — the FAA’s UAFR rule and CISA/FBI guidance that followed are the operational instruments. The EO is the upstream cause; the rules are downstream effects.

Executive Orders set direction for federal agencies; they do not directly bind private operators. The 2025 EO matters to energy and data center operators because it is the upstream cause of two downstream effects that do touch operations: the FAA UAFR rule (covered above) and the renewed federal posture that critical-infrastructure airspace is a national security priority rather than an aviation policy footnote.

The practical signal for general counsel and chief compliance officers: rulemaking accelerated. The next two years will produce more drone-related regulations touching critical infrastructure, not fewer. Building the forensic capability now is also building the documentation posture for rules that are yet to come.

What does the CISA/FBI advisory on Chinese-manufactured UAS say?

The joint CISA/FBI advisory on Chinese-manufactured unmanned aircraft systems identifies the elevated risk profile of certain foreign-manufactured platforms at critical infrastructure sites and recommends a posture of awareness, reporting and structured response. It is non-binding guidance — but insurers and boards cite it when assessing whether an operator’s posture is reasonable.

Most commercial drones flown in the United States today are manufactured in China. That fact is not, in itself, a finding. The CISA/FBI advisory does not ban these platforms or require operators to refuse them on premises. It simply establishes a federal government position: when one of these platforms appears uninvited at a critical infrastructure site, the operator is expected to be in a position to identify the platform, document the incursion and report it where appropriate.

Forensic extraction is how an operator establishes facts. Without forensics, the platform identity is whatever can be read off of the airframe — make, model, visible serial. With forensics, the platform identity includes firmware version, controller pairing, flight history and the metadata that lets a federal partner assess whether the incursion fits a known pattern.

How does this change what “adequate response” looks like?

Before 2025, an adequate response to an enterprise drone incursion at most energy and data center sites ended at detection, scene security and law enforcement handoff. After 2026, adequate response includes a forensic answer: the aircraft type, where it came from, who flew it what it captured. The three federal actions listed above raised the bar — even though they each contain no explicit requirement.

Two groups make “adequate response” enforceable in practice, even when the rules do not directly require a forensic capability. 
Insurers are the first. Carriers writing physical security and cyber physical convergence policies for energy and data center operators are revising underwriting questions. The questions are not yet uniform across the market, yet the direction is consistent: carriers want to know what happens after detection. “We rely on local law enforcement” is not a sufficient answer. 

Boards are the second. The NACD 2026 Director’s Handbook on Cyber Risk Oversight names physical cyber convergence — including drone incursions affecting operations — as an area of board oversight. In oversight reviews, directors are increasingly asking what the operator has and can produce after an incursion. “A photograph of the drone” is no longer a complete answer.

Is drone data admissible in court under these new rules?

Drone data is admissable in court when extracted with a forensically sound methodology. The new federal actions do not change the admissibility standards — Daubert at the federal level, Frye in some state courts. They strengthen the expectation that operators preserve admissible evidence. Field-deployed extraction with cryptographic hashing and audit trails meets the existing standards, the same standards mobile forensics has met for two decades.

Admissibility is not a new conversation. The Daubert standard has governed federal digital evidence since 1993; Frye still applies in a handful of states. What has changed is the volume of cases in which drone evidence is the central artifact. The expectation that operators preserve admissible evidence — not just file a report — is rising in parallel with the regulatory floor.

A practical implication for general counsel is that the forensic methodology and the tool that implements it matter as much as the underlying data. A flight log pulled in a forensically sound way, with hashes recorded and chain of custody documented, is evidence. The same flight log pulled by someone who powered the drone on, browsed files and then took notes is, at best, a weakened version of the same artifact.

What should operators do in the next 90 days?

Three steps move the regulatory exposure: map your sites against the FAA UAFR fixed-site categories, review your incident-response plan for a documented forensic step after a drone incursion and prepare a board-level readout that names the three federal instruments. Your team does  not need to deploy a new capability tomorrow, but it should be top of mind  that the regulatory awareness is in writing today.

The 90-day move is  a documentation decision and these three deliverables move the exposure: 

• Site mapping — Identify which sites fall under the FAA UAFR fixed-site categories. For energy operators, the rule names the categories explicitly. For data center operators, the rule does not name the sector — yet — but the insurer and board pressure is arriving on the same timeline. 
• Incident response plan review — Does your plan have a forensic step after a drone incursion, or does it end at “contact local law enforcement”? If it ends there, write in the next step. 
• Board readout preparation — A one-page summary of the 2025 EO, the FAA UAFR proposed rule, and the CISA/FBI advisory, with a paragraph explaining what your organization has done — or will do — in response. 

All three are foundationaland none require a tool purchase. All three position your organization for what comes next.

FAQ

Does the FAA proposed UAFR rule apply to data centers?

Not directly. The May 2026 UAFR rule names power generation, refineries, and selected federal facilities by category. Data centers are not named. However, the insurer and board pressure that flows from the same federal direction is arriving for data-center operators on a slightly later timeline. The operational expectations are converging — even where the rule does not. 

Is my business required to deploy drone forensics by law?

No federal rule requires a specific forensic tool. The regulatory instruments described here change what “adequate response” looks like, and they create the documentation a regulator, insurer, or director can audit. The shift is from explicit requirement to documented expectation — which often turns out to be more durable than a one-time compliance check. 

How is this different from existing counter-UAS authority?

Counter-UAS authority addresses what federal agencies can do — interdict, mitigate, neutralize. The instruments here address what the operator owes after an incursion, regardless of whether federal interdiction was available or used. The two regimes are complementary: counter-UAS is upstream, forensic response is downstream. 

What if our insurer hasn’t asked these questions yet?

Renewal cycles are the carrier’s update opportunity. Many carriers are revising physical-security and cyber-physical convergence underwriting language now, with questions expected to surface at the next major-renewal milestone. Build the forensic posture before the questionnaire arrives, not after. 

Does this apply to incursions by law-enforcement or government drones?

The same forensic methodology applies to any incursion, regardless of operator. In practice, government-operator incursions at critical-infrastructure sites are coordinated in advance; uncoordinated incursions — including by unidentified parties — are the population the rules and forensic response are calibrated for.

Where can I read the rules directly?

The 2025 Executive Order is published in the Federal Register. The FAA UAFR Notice of Proposed Rulemaking (NPRM) is available through FAA.gov and the Federal Register. The CISA/FBI advisory is published on CISA’s official site. Cellebrite is not the source of these instruments — operators should consult original federal sources for the binding text.