CISA Plans to Finalize Cyber Incident Reporting Regulations in September 2026
Time 3 Minute Read

The Cybersecurity and Infrastructure Security Agency (“CISA”) continues to finalize regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), with a final rule expected in September 2026. As previously reported, the rule will require covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours.

Background on CIRCIA                                                     

CIRCIA was signed into law in March 2022 and directs CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments. Reporting under CIRCIA is intended to allow CISA to rapidly deploy resources and assistance to victims of cyberattacks, analyze incoming reports across sectors to identify trends, and share that information with network defenders so they can take steps to protect themselves from similar incidents.

CISA published a Notice of Proposed Rulemaking (“NPRM”) in April 2024, setting out proposed sector-based and size-based criteria for determining which entities qualify as "covered entities," along with the scope of reportable incidents and the content required in incident and ransom payment reports.

Where the Rulemaking Stands

CISA missed CIRCIA's statutory deadline to finalize the rule by October 2025. CISA subsequently set an internal target of May 2026, citing the volume of comments received on the NPRM and a stated intent to streamline the rule's requirements.

To gather further input before finalizing the rule, CISA announced in February 2026 that it would hold a series of sector-specific and general town hall meetings. Those sessions, originally scheduled for March and April 2026, were postponed due to a lapse in Department of Homeland Security appropriations. CISA rescheduled the meetings for June 15 through 18, 2026, and more than 1,200 stakeholders participated across four days of sessions.

A recent preview of the updated 2026 “Unified Agenda of Federal Regulatory and Deregulatory Actions” indicated that a final rule can be expected in September 2026.

Practical Considerations

With a final rule now expected in the fall, organizations that may fall within CIRCIA's scope should use the intervening months to assess their likely coverage under the NPRM's proposed criteria, review internal incident response and reporting plans for alignment with CIRCIA's reporting requirements, and monitor CISA's CIRCIA webpage for further developments as the rule moves toward finalization.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page