
The 10-Year Rule Finally Arrives: What the FAA’s New Drone Flight Restriction Framework Means for Commercial Operators

A law passed in 2016 just became a real regulatory proposal in 2026.

If you fly commercially near power plants, refineries, chemical facilities, rail yards, or state prisons — this affects you directly. Here’s what you need to know.


The Story Behind the Story

Three weeks ago, the FAA issued two major UAS security NOTAMs in two days and launched a fast-track enforcement program in between. FDC 6/2824 created an invisible mobile asset restriction with no defined distances. FDC 6/3366 established full criminal enforcement for fixed national security locations. The DETER Program built a 10-day settlement pipeline sitting downstream of both.

Today’s development is different in kind, not just degree.

On May 6, 2026, the FAA published a Notice of Proposed Rulemaking that would establish an entirely new regulatory framework for UAS flight restrictions around fixed site facilities — a proposed new 14 CFR Part 74. Formal rulemaking. Notice and comment. Defined geometry. Published locations.

This is not a NOTAM. This is rulemaking. And the difference matters.

The FAA has been under congressional mandate to create exactly this kind of formal fixed-site restriction process since Section 2209 of the FAA Extension, Safety and Security Act of 2016 — nearly a decade ago. Executive Order 14305, signed June 2025, directed the FAA to publish this rule as soon as practicable. Today’s NPRM is the FAA fulfilling that directive.

What that means in plain terms: the NOTAM-based framework operators have been living under — invisible restrictions, no defined boundaries, no formal process — was always meant to be temporary. This NPRM is the FAA’s attempt to build the permanent architecture that should have existed years ago.


What the NPRM Proposes

The rule introduces a new airspace designation: the Unmanned Aircraft Flight Restriction (UAFR). There are two types.

Standard UAFR — Available to operators and proprietors of fixed site critical infrastructure across 16 designated sectors. Facilities apply to the FAA, demonstrate a safety or security need, go through public notice and comment, and if approved, receive a formally designated airspace restriction published in the Federal Register and FAA Order JO 7400.12. Key parameters:

  • Lateral boundary cannot exceed the applicant’s own property lines
  • Altitude ceiling capped at 400 feet AGL (with limited exceptions for tall structures)
  • Active continuously (year-round, 24/7) or part-time (up to 290 consecutive days per year)
  • Violations subject to civil enforcement under existing FAA penalty authority

Defined geometry. Published locations. Formal process. That’s a meaningful structural improvement over the current NOTAM approach.

Special UAFR — For federal security and intelligence agency facilities: DOD, DOE, DHS, DOJ, CIA — and certain facilities sponsored by those agencies. Key differences:

  • Five-year designation term
  • National Defense Airspace designation possible
  • Violations can carry criminal penalties under 49 U.S.C. § 46307
  • The FAA explicitly proposes to migrate existing Special Security Instruction NOTAMs — including those currently operating under FDC 6/3366 — into this framework over time

Neither type creates a physical barrier or authorizes facilities to jam, interfere with, or take down drones. That authority remains governed by separate federal law.


Who Can Apply

The NPRM limits eligibility to facilities that meet the federal definition of critical infrastructure under 42 U.S.C. 5195c(e) — specifically, systems and assets the FAA describes in the proposed rule as:

“So vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.”

That is not a small category. The FAA coordinated with Sector Risk Management Agencies across all 16 critical infrastructure sectors under National Security Memorandum 22, including:

  • Chemical facilities
  • Energy (power generation, transmission, distribution, oil refineries, natural gas)
  • Commercial facilities (including amusement parks)
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Financial services
  • Food and agriculture
  • Healthcare and public health
  • Information technology
  • Nuclear reactors and waste
  • Transportation and rail
  • Water and wastewater systems
  • Government services and facilities (including state prisons)

Mobile, temporary, or virtual facilities are not eligible. This is strictly for permanent, fixed-location infrastructure.

To qualify, a facility must also demonstrate:

  1. Existing physical security measures (restricted access, security personnel, monitoring)
  2. Documented vulnerability to drone threats
  3. A UAS security and incident response plan
  4. Remote ID receiver capability deployed at or near the facility

That last requirement is notable. The FAA is requiring eligible facilities to install passive RF equipment capable of receiving Remote ID broadcasts from drones operating nearby. This is a new infrastructure requirement for facility operators — not just drone operators.


Why the FAA Thinks This Is Necessary

The NPRM dedicates significant space to documented incidents driving the rule. Some of them are specific enough to be worth reading in full.

In July 2020, officials recovered an unmanned aircraft trailing a thick copper wire near a Pennsylvania electrical substation. Security partners concluded the operator had modified the aircraft to deliberately trigger a short circuit — an apparent targeted attack on energy infrastructure.

On the prison contraband front, the scale of the problem is striking. The NPRM cites documented prosecutions across Georgia, Ohio, California, and multiple other states, culminating in this:

“In April 2024 the Georgia Governor announced the arrest of around 150 people in an alleged ‘multi-State’ criminal enterprise using drones to smuggle drugs, guns, cellphones and other contraband in Georgia prisons.”

These aren’t theoretical scenarios. They’re the documented incident record that Congress and the FAA are responding to.

The NPRM also cites a 2022 CNN report of multiple drones flying over Louisiana chemical facilities at night — flagged as potential espionage — and a 2021 incident in which a drone operator photographing a Louisiana pipeline was located by law enforcement on the ground.

The pattern the FAA is describing is not random hobbyists. It’s a documented, multi-sector threat picture that has been building for years without a formal regulatory response.


What This Means for Part 107 Operators

Here’s the critical question — and the answer is nuanced.

The UAFR does not ban all drone operations. The proposed rule explicitly carves out access for operators under Parts 91, 107, 108, 135, and 137. The FAA’s own framing of this access framework is worth quoting directly:

“This approach balances the security of sensitive sites with the public’s right to navigate the national airspace system by restricting access to operators who have met a higher bar for safety and security.”

That language matters. The FAA is explicitly acknowledging that certificated commercial operators — Part 107 holders who broadcast Remote ID and operate under established safety requirements — are in a different category from the threat actors driving this rule. You are not the problem this rule is solving.

To access a UAFR under the proposed framework, operators must:

  1. Broadcast Remote ID in compliance with 14 CFR Part 89
  2. Transit the UAFR in the shortest practicable time
  3. Provide advance notification to the facility’s designated site manager

Contracted inspection operators — those conducting facade surveys, roof assessments, or infrastructure inspections at eligible facilities — are not categorically locked out. But the access framework puts a real procedural burden on the operator. You need to coordinate with the facility, demonstrate your credentials, and transit efficiently.

For Special UAFRs, the bar is higher: you would need both FAA Administrator approval and explicit permission from the federal agency responsible for the site.

The bottom line: know your client’s facility type before you quote a job. If they’re in one of the 16 covered sectors and eventually obtain a UAFR, your operational workflow changes.


What’s Still Missing

The NPRM addresses fixed site facilities. It does not address the mobile asset problem — the invisible, moving restriction created by FDC 6/2824 covering DOD, DOE, DHS, and DOJ vehicle convoys. That remains entirely outside this framework, governed only by advisory NOTAM language with no defined proximity standard and no published locations.

The NPRM also does not resolve the real-time visibility problem for currently active NOTAMs. Operators flying in urban environments today still have no flight planning tool that shows them where covered assets are operating at any given moment. The UAFR framework, once implemented, addresses fixed sites — but the moving target problem remains unsolved.

And the NOTAMs remain in effect while this rulemaking plays out. That process will take months at minimum — more likely over a year before a final rule. Nothing about the current compliance environment changes today.


The FAA’s Honest Assessment

Give the FAA credit for candor on this one. The NPRM contains an unusually direct acknowledgment of what this rule can and cannot do:

“There are limitations to the effectiveness of this proposed rule because a UAFR would not necessarily deter operators who willfully disregard their responsibilities and obligations for operating in the NAS from operating in close proximity to the fixed site facilities in question. Nor would the rule necessarily deter operators with malicious intent.”

Read that carefully. The FAA is saying plainly that a UAFR is not a security system. It will not stop a determined bad actor.

What it will do is something more specific and more useful: give law enforcement a tool to act. The NPRM addresses this directly:

“When responding to reports of unmanned aircraft, law enforcement officials currently can find it challenging to distinguish between compliant operators and those who mean to do harm.”

That is the actual problem this rule solves. Not the threat itself — the ability to respond to the threat. A UAFR creates a clear legal line: compliant operators stay outside or follow the access protocol; everyone else is presumptively unauthorized. That gives law enforcement grounds to act that don’t currently exist for most fixed-site facilities.

For Part 107 operators, this framing is important. The rule is designed to help distinguish you from bad actors — not to treat you as one.


The Cost Picture

The FAA estimates that with over 9,000 eligible facilities potentially obtaining UAFRs, annualized compliance costs would run between $21 million and $31 million — covering both applicant costs and government review costs.

The expected benefits — avoided fatalities, injuries, property damage, and operational disruptions — are harder to quantify, but the FAA’s scenario analysis covers disruptions to power grids, chemical releases, and prison contraband operations as the primary risk categories driving the rule.


How to Comment — And Why It Matters

Public comments are due July 6, 2026. Docket: FAA-2026-4558.

Submit three ways:

  • Online: regulations.gov — search docket FAA-2026-4558
  • By mail: Docket Operations, U.S. Department of Transportation, 1200 New Jersey Avenue SE, Room W58-213, Washington, DC 20590
  • By fax: (202) 493-2251

Questions: Michelle Ferritto, FAA Office of Rulemaking — [email protected] or (844) 359-6982.

The FAA is specifically seeking input on:

  • Whether the 400 ft AGL ceiling is appropriate
  • Whether UAFR lateral boundaries should extend beyond property lines (and under what circumstances)
  • What UAS operations should be permitted through UAFRs
  • What information operators should need to provide to demonstrate they are not a security threat
  • Remote ID receiver standards and whether stricter broadcast requirements should apply within UAFRs
  • Whether Remote ID data retention requirements should be mandated for facilities
  • The economic impact on commercial operators

As a Part 107 certificated commercial operator, your comments carry real weight. Write clearly, cite specific operational scenarios, and submit before the deadline.


What Smart Operators Should Do Right Now

1. Audit your client list. If you regularly fly at or near energy, chemical, rail, or other critical infrastructure facilities, start understanding whether those clients will likely pursue a UAFR. The application process is not automatic — facilities must apply and demonstrate need — but eligible facilities with existing security programs are strong candidates.

2. Update your pre-flight workflow. The proposed access provisions require advance notification to a facility’s site manager. Build that coordination step into your standard operating procedure now.

3. Verify your Remote ID compliance. Any operator who wants access rights through a UAFR must broadcast Remote ID per Part 89. If you’re not fully compliant, there is no gray area once these restrictions go into effect.

4. File a comment. The FAA is asking substantive questions about how contracted Part 107 operators should be treated. A well-reasoned comment from a working operator carries weight. 61 days. Use them.

5. Watch the Special UAFR list. Once the existing Special Security Instructions (SSIs) issued under 14 CFR 99.7 are migrated into the Special UAFR framework, there will be a published, publicly accessible database of restricted sites. Monitor that list as it develops.


The Full Picture

Taken together, the regulatory framework that has emerged since April 15 tells a coherent story.

FDC 6/2824 softened the mobile asset advisory — no hard distances, no National Defense Airspace, but no defined proximity standard either. FDC 6/3366 maintained full criminal enforcement for fixed national security locations, added CIA coverage, and runs through April 2028. The DETER Program created a fast-track settlement pipeline for violations of both, with a 10-day clock and permanent waiver of appeal rights. And today’s NPRM proposes the permanent formal framework meant to eventually replace the NOTAM patchwork — for fixed sites at least.

Section 2209 has been a known unknown in the commercial drone industry for nearly 10 years. Operators, facilities, and attorneys have been waiting for the FAA to define the rules of engagement near critical infrastructure. That definition is now — finally — taking shape.

This is not the end of commercial drone operations near industrial sites. It is the beginning of a more structured, more legally defined operating environment. Operators who understand the framework and build their workflows around it will be better positioned than those who treat this as just another regulatory footnote.

The comment deadline is July 6. That’s 61 days. Use them.


Ted Parisot is Co-Founder and Managing Member of Helios Visions, a Chicago-based aerial intelligence firm specializing in AEC aerial operations, facade inspection, photogrammetry, and reality capture. He holds an FAA Part 107 Certificate and serves as Chair of the GTIA IoT Advisory Council.
