Chapter 4.3
Substation & Transmission Ownership, Operations & NERC Compliance
When your load is large enough to touch the transmission system, you stop being a customer of the grid and become a participant in it — and the decision of who owns the substation, who throws the switches, and whether you register as a NERC entity is the line between a facility the operator controls and one the utility and the regulator control for you.
What you'll decide here
- Whether the on-site substation and the line into it are utility-owned (rate-based, slower, capital-light to you, control surrendered) or customer-owned (capex-heavy, faster, fully controlled, and dragging NERC and O&M obligations with it).
- Who operates and maintains the HV yard after energization, and how switching across the point of interconnection (POI) is coordinated under a switching-and-tagging agreement so a customer breaker operation never surprises the transmission operator.
- Where the protection boundary sits, who sets the relays on each side of the POI, and how protection coordination is jointly studied so a fault clears at the right device without tripping the whole interconnection.
- Whether your facility meets the bright-line that pulls it into NERC registration as a Computational Load Entity (and into the CIP-002 → CIP-015 cluster), and if so, what a defensible compliance program actually has to produce.
- Which reliability-standard deliverables — TPL/PRC ride-through and protection, MOD-032/026/027 model and data submittals, EOP-004/PRC-004 event and disturbance reporting — your interconnection agreement and registration obligate you to, and on what cadence.
There is a voltage threshold above which a data center stops behaving like a building that consumes electricity and starts behaving like an element of the bulk power system. Below it, you are a load on a distribution feeder: the utility owns everything past your meter, your obligations are commercial, and the worst you can do to the grid is trip a recloser. Above it — connected at transmission voltage, drawing hundreds of megawatts that can move in milliseconds — you are a node the rest of the interconnection has to plan around. Chapter 4.2 got you the interconnection and the substation as a physical asset. This chapter is about the second set of consequences that asset triggers: who owns it, who runs it, who is liable when it misbehaves, and the compliance regime that, as of 2026, the North American regulator has decided large computational loads can no longer escape.
The forks in 4.3 are unusually expensive to re-decide because most of them are written into a thirty-year interconnection agreement (the LGIA/GIA) and a registration with the regulator, not into a procurement order you can re-cut next quarter. Get ownership wrong and you have either surrendered control of your own front door or signed up for an HV-operations competency you did not want to build. Get the compliance posture wrong and you discover, after energization, that you are an unregistered entity operating a Bulk Electric System asset — a finding no AI operator wants in front of a regional entity auditor.
The first fork: who owns the substation
The customer substation that steps transmission voltage (115 / 138 / 230 / 345 kV) down to your medium-voltage distribution can be owned by the utility, by you, or split at a defined ownership boundary inside the yard. This is the single decision in 4.3 that propagates into capex, schedule, control, and — critically — into whether NERC obligations land on the utility's balance sheet or yours. It is rarely a free choice: the host utility's tariff, the state commission, and the ISO interconnection rules constrain what is even on the menu. But where there is latitude, the tradeoff is sharp.
Utility-owned keeps the substation capital off your books and inside the utility's rate base, hands the HV-operations competency and the lion's share of the NERC exposure to an entity that already has it, and — its real cost — surrenders control of the schedule and the asset. You are now in a queue behind every other interconnection the utility is building, your energization date moves when their transformer order slips, and any change to the yard runs at utility speed and utility process. In a market where the power transformer is already the schedule-dominating long pole (≈128 weeks standard, ≈144 weeks for a GSU, and up to ~60 months in constrained markets), handing the procurement to a utility that batches and prioritizes across a portfolio can cost you the very months your time-to-power thesis depends on.
Customer-owned inverts every term. You carry the capex (a transmission-class substation is tens of millions of dollars before the line), you own the procurement and can place the long-lead transformer order the day the design basis freezes, and you control the asset and its schedule outright. The price is that you have just become — or must contract for — a transmission operator and owner. The HV yard is now your switching, your maintenance, your relay settings, your spares, your qualified-worker program (Chapter 6.9), and, above the bright-line, your NERC registration. Most large self-build operators land on customer-owned for speed and control, then immediately sub-contract the O&M to a specialist because the competency is real, regulated, and unforgiving. The hybrid — utility owns up to a defined fence inside the yard, customer owns downstream — is common precisely because it lets each side hold the assets it is best equipped to operate and be registered for.
| Dimension | Utility-owned | Customer-owned | Split / hybrid |
|---|---|---|---|
| Capex to operator | Lowest — rate-based by utility; often a CIAC contribution | Highest — full transmission-class build on your balance sheet | Shared at the ownership fence; you fund your side |
| Schedule control | Utility-paced; you queue behind their portfolio | Yours — order the long-lead transformer on design freeze | Your side is yours; utility side still gates energization |
| Operational control of the yard | Utility operates and switches | You operate (usually via an O&M contractor) | Each owner operates to the fence; joint switching plan |
| NERC registration exposure | Largely the utility's (TO/TOP) | Yours if above the bright-line (CLE / TO / GO) | Allocated by which assets sit on which side of the fence |
| Spares, relays, maintenance burden | Utility's program | Yours — spare transformer strategy, relay settings, testing | Split by ownership; interfaces must be jointly maintained |
| Best fit | Capital-light operators; jurisdictions that mandate it | Speed-and-control self-builds at scale | Where the utility owns the line and you own the yard |
Operations across the point of interconnection
Whoever owns the yard, the POI is a seam two organizations operate across, and seams are where coordination failures live. The governing instrument is a switching-and-tagging (S&T) coordination agreement bolted onto the interconnection agreement: it names which party may operate which device, the notification and authorization sequence before any breaker or disconnect is moved, the clearance/hold-off (lockout-tagout) protocol that protects crews on either side, and the single point of contact (typically the Transmission Operator's control center) that authorizes operations affecting the bulk system. The consequence of skipping it is not theoretical — an uncoordinated customer-side switching operation can back-feed a line a utility crew believes is dead, or drop hundreds of megawatts the balancing authority did not see coming.
That second failure mode is the one 2026 made famous. When an AI campus's protection or controls trip the whole load offline on a remote disturbance, the balancing authority experiences an instantaneous, multi-hundred-megawatt loss it could not anticipate. Coordinated operations — telemetry to the TOP's control center, agreed switching sequences, and ride-through settings that keep the load connected through faults it should ride (Chapter 4.10) — are what turn an unpredictable lump of load into a node the operator can actually dispatch around. The O&M model has to make this explicit: 24/7 HV operations coverage, an on-call switching authority, and a documented interface with the utility's control room, whether you staff it or contract it.
Protection coordination across the boundary
Protection is where the ownership seam becomes an engineering problem with milliseconds of margin. A fault anywhere near the POI has to be cleared by the right device — the one closest to the fault — without cascading trips that take out the interconnection or strand the load. That requires a single, jointly-owned protection study that spans both sides of the boundary: relay coordination curves that selectively grade from the customer's MV feeders up through the main transformers to the utility's transmission line protection, with the customer's settings explicitly coordinated against the utility's so that selectivity holds and neither side trips for a fault the other should clear.
The fork is who sets and owns the relays on each side, and the answer follows ownership — but the coordination never does. Even with a clean ownership fence, the relay settings are coupled: the customer cannot change a main-transformer differential or a feeder overcurrent setting without re-checking coordination with the utility's line relays, and the utility cannot retune its line protection without confirming the customer still grades selectively beneath it. Modern practice runs this as a controlled, jointly-reviewed settings database with change-management on both sides; the discipline matters because a mis-graded setting does not announce itself until a fault arrives, and then it announces itself as either a needless wide-area trip or a failure to clear. This is also where the protection-and-ride-through standards bite (PRC-024/PRC-027 and the load-side analogues), and where a transmission-connected entity's relay program becomes auditable. → reactive/voltage and frequency behavior toward the POI in Chapter 4.10; grounding and the protection earthing basis in Chapter 4.11.
NERC registration: the bright-line that pulls you in
For most of the cloud era, large data centers escaped NERC's functional registry because they were loads, and NERC's mandatory standards were written around generators, transmission owners, and balancing authorities — the entities that operate the Bulk Electric System (BES). In 2026 that gap closed. NERC opened Project 2026-02 (Computational Loads), issued draft registry criteria for a new functional class — the Computational Load Entity (CLE) — and backed it with a rare Level 3 Essential Actions Alert, the first time it has used its highest alert tier to address load. The proposed bright-line is specific: an entity hosting ≥1 MW of IT-equipment load as part of an aggregate connected load of ≥20 MW at a single point of interconnection at ≥60 kV becomes a registered CLE. Essentially every transmission-connected AI campus clears it.
Registration is the trigger, not the obligation. Once you are a registered entity touching the BES, the door opens to the standards that apply to your functions — and if you own transmission assets (the customer-owned-substation fork above), you may also carry Transmission Owner/Operator obligations, and if you run on-site generation that can serve the grid, Generator Owner/Operator ones (Chapter 4.8). The cybersecurity weight lands through the CIP-002 → CIP-015 cluster: CIP-002 (now CIP-002-8, FERC-approved in 2026) is the gateway — it makes you categorize your BES Cyber Systems as high/medium/low impact against the bright-line criteria in its Attachment 1 — and that categorization determines how much of the rest of the family (CIP-003 through CIP-013 governance, access, ports, patching, recovery, supply chain; CIP-014 physical security of critical substations; and the newest, CIP-015 internal network security monitoring) applies and at what depth. This is the canonical home for the CIP cluster as it applies to large loads; the broader security architecture lives in Part 11 (Chapter 11.11).
| Standard | What it governs | Why it reaches an AI campus | 2026 status / note |
|---|---|---|---|
| CIP-002 | Categorize BES Cyber Systems (high/medium/low) | The gateway — sets how much of the rest applies | CIP-002-8 FERC-approved 2026; Attachment 1 bright-lines |
| CIP-003 → 011 | Security mgmt, personnel, access, ports, patching, recovery, info protection | Standard controls on the cyber assets that operate BES-facing equipment | Mature; depth scales with impact rating |
| CIP-013 | Supply-chain risk management for BES Cyber Systems | Procurement controls on the OT/control stack | In force; ties to hardware provenance (Ch. 11.3) |
| CIP-014 | Physical security of critical transmission substations | Your HV yard can be a critical substation | Risk-assessment + protection plan if in scope |
| CIP-015 | Internal network security monitoring (INSM) inside the ESP | Detect lateral movement past the perimeter | Effective Sep 2, 2025; phased compliance to 2028/2030 |
The reliability obligations of a transmission-connected entity
Cyber (CIP) is one half of the registration weight; the operations-and-planning (O&P) standards are the other, and for a load they are newer and less settled. The pattern is that a transmission-connected entity has to feed the grid's planning and operating processes the data those processes need, behave the way the planners assumed it would, and report it when it doesn't. Named explicitly, the deliverables cluster into three families.
Ride-through and protection (TPL / PRC). TPL-001 is the transmission planning standard the planner runs to prove the system survives credible contingencies — and your facility is now a contingency in their case, which is exactly why your ride-through and trip settings became their business. The PRC family governs protection: PRC-024-class ride-through envelopes (voltage and frequency the equipment must tolerate without disconnecting), PRC-027 protection-coordination, and PRC-004 misoperation analysis. For an AI campus the practical obligation is to engineer the facility so it stays connected through the disturbances the planning case assumes it rides, and to coordinate its protection so it neither trips needlessly nor fails to clear. → the engineering of ride-through, reactive support, and frequency response toward the POI is built out in Chapter 4.10.
Model and data submittals (MOD-032 / MOD-026 / MOD-027). The planner and coordinator cannot study a facility they cannot model. MOD-032 is the umbrella that obligates you to submit steady-state, dynamics, and short-circuit modeling data to your Transmission Planner and Planning Coordinator on their schedule and in their format; MOD-026 and MOD-027 govern the verification of dynamic models for the reactive-control and active-power/frequency-control behavior of your equipment where applicable. The consequence of treating these as a formality is that a bad or missing model means the planner studies the wrong machine — and the first time anyone discovers the mismatch is during an event your model said couldn't happen.
Event and disturbance reporting (EOP-004 / PRC-004). When something does happen, you report it. EOP-004 mandates reporting of qualifying events (load loss above thresholds, equipment damage, system events) to NERC and the relevant authorities on a defined timeline; PRC-004 obligates analysis and correction of protection-system misoperations. For a CLE whose failure mode is exactly the synchronized multi-hundred-megawatt trip, these are not paperwork — they are the feedback loop by which the regulator learns whether your facility is a reliable grid actor or a recurring disturbance source. The large-load interconnection study deliverables that feed all of this — the steady-state, dynamic, and short-circuit studies the ISO runs before granting service — are the front end of the same obligation set, treated as a siting/queue problem in Chapter 3.2.
Deep dive: building the compliance program a CLE registration actually requires
Registration is a status; a compliance program is the machinery that keeps the status from becoming a liability. For a newly-registered CLE, the program has to produce, on an ongoing and auditable basis, several things that did not exist when the facility was "just a load." First, a registered-functions matrix: an honest mapping of which NERC functions you actually perform (CLE; possibly TO/TOP if you own transmission assets; possibly GO/GOP if your on-site generation can serve the grid) and therefore which standards apply — over-registering buys needless audit surface, under-registering is a finding.
Second, the CIP-002 categorization and its evidence: a defensible identification of BES Cyber Systems and their high/medium/low impact rating, because every downstream CIP requirement inherits its depth from that single judgment, and the categorization is the first thing an auditor tests. Third, an O&P evidence pipeline: the recurring MOD-032 data submittals, the verified MOD-026/027 dynamic models, the TPL/PRC ride-through and protection-coordination studies, and the EOP-004/PRC-004 reporting and misoperation-analysis workflow — each with a named owner, a cadence, and retained evidence, because NERC compliance is proven by records, not assertions.
Fourth, a switching, tagging, and operations interface with the Transmission Operator that is documented and exercised, not improvised. Fifth, the self-report and mitigation discipline: the regional entity expects you to find and report your own gaps and mitigate them, and a mature self-reporting posture is, counterintuitively, the cheapest way to stay out of serious enforcement. The recurring mistake is to treat all of this as a post-energization afterthought; by then the LGIA is signed, the ownership fence is fixed, and the obligations are already running. The cheap time to build the program is while the interconnection agreement is still being negotiated — because that is when the ownership and operating boundaries that determine the entire scope are still on the table.
Putting the forks together
The three forks in this chapter are not independent — they chain. The ownership decision sets where the assets sit; where the assets sit sets the operations and protection seam you have to coordinate across; and the assets you own plus the load you draw set whether you clear the bright-line into registration and which functional obligations follow. An operator who chooses customer-owned for speed has, in the same stroke, chosen to own the HV-operations interface and to register as a CLE (and likely a TO) — and should price all three together, not discover them sequentially. An operator who lets the utility own the yard has bought down the obligation but bought into the utility's schedule and lost the ability to fix protection or operations interfaces on its own timeline.
The through-line back to the rest of Part 4 is that 4.3 is the institutional layer over the physical one. The substation, transformer, and MV distribution are engineered in Chapter 4.2 and Chapter 4.4; the grid-interactive behavior those institutions now mandate is engineered in Chapter 4.10; the protection earthing and grounding basis in Chapter 4.11; and the metering and electrical-operations layer that produces the evidence in Chapter 4.12. What 4.3 adds is the recognition that, above the bright-line, none of that engineering is purely yours to decide — you share it, by agreement and by regulation, with the grid you have joined.