With the entry into force of the Amendment to the Convention on the Physical Protection of Nuclear Material (CPPNM/A), the legal bedrock for physical protection has been extended to cover civilian nuclear material in domestic use, storage and transport as well as civilian nuclear facilities. The newly-added Fundamental Principles of Physical Protection (Fundamental Principles) not only include concrete actions like establishing national legislation and a competent regulatory authority, but also concepts that depend on the State’s specific requirements. For instance, the Fundamental Principles call for States to ensure that all organizations involved in physical protection give “due priority” to a strong and enduring nuclear security culture. Although the responsibility to implement and maintain the physical protection regime remains under national responsibility, the Fundamental Principles also recognize the important role of the licensee who ultimately is responsible for physical protection at the facility level or during transport. While it is laudable to invoke such concepts as nuclear security culture in a legally binding international instrument, it raises questions about its effective implementation: how would industry operationalize and demonstrate to the relevant competent authority that this has been met? The paper presents a case for the development of a nuclear security governance template that could serve as a framework to demonstrate commitment to and implementation of the Fundamental Principles by licensees. The paper argues that good corporate governance supports key elements of physical protection including security culture. It also emphasizes that good corporate governance cannot be solely externally imposed by a State through the regulatory framework. Rather, it must be internalized and prioritized within an organization as an essential element of operations.