The Cybersecurity and Infrastructure Security Agency (CISA) has extended its deadline to issue final rules on mandatory incident reporting for critical infrastructure entities. The original deadline of October 2025 was pushed back by six months to May 2026.
Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), passed in 2022, critical infrastructure entities are required to report cybersecurity incidents and ransom payments to CISA.[1] The details of the reporting obligations were left to CISA to develop through applicable rules, but CIRCIA mandated specific reporting periods. The statute requires that CISA’s final rule trigger a report within 72 hours from the time an entity reasonably believes a “substantial cyber incident” has occurred, or within 24 hours of making a ransom payment.
In September 2022, CISA published a Request for Information and hosted a series of listening sessions with stakeholders. On March 27, 2024, two years after CIRCIA was passed, CISA announced its proposed rules and published a Notice of Proposed Rulemaking (NPRM) the following week. The NPRM contained proposed regulations for reporting cyber incidents and ransom payments (which track CIRCIA’s reporting periods), as well as other aspects of the CIRCIA regulatory program. An open comment period allowed written comments on the NPRM.
The original deadline for CISA to finalize and publish the rules was rapidly approaching in October 2025. Given the number of public comments, CISA gave itself another six months. This extension provides CISA much-needed time to incorporate all of the feedback and to streamline the incident reporting requirements. Critical infrastructure entities will also get more time to comply because, under federal law, the rule will not go into effect for at least 30 days after it is published in the Federal Register.
In the meantime, CISA encourages covered entities to share information about unusual cyber activity and/or cyber incidents by contacting either report@cisa.gov or (888) 282-0870.
[1] Critical infrastructure entities are those in the following 16 sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Services and Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater.