Cyber Incident Reporting Rule for Critical Infrastructure Delayed to 2026
At a glance
- CISA’s proposed rule would require cyber incident reports within 72 hours
- Final rule publication delayed to May 2026
- Rule expected to cover over 300,000 critical infrastructure entities
The Cybersecurity and Infrastructure Security Agency (CISA) is developing new regulations for reporting cyber incidents and ransomware payments under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in March 2022. The proposed rules are intended to strengthen information sharing across critical infrastructure sectors.
CISA published a Notice of Proposed Rulemaking (NPRM) on April 4, 2024, outlining requirements for certain entities to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours. The NPRM defines a substantial cyber incident as one involving major loss of confidentiality, integrity, or availability, serious operational effects, business disruption, or unauthorized access through third parties or supply chains.
According to the NPRM, covered entities would need to submit incident reports through a web-based CISA form. The rule requires organizations to conduct a preliminary analysis within hours to determine if a reportable incident has occurred, rather than waiting several days.
Entities must also provide supplemental reports within 24 hours when new substantial information becomes available, including details of any ransom payments made after the initial incident report. These requirements are designed to ensure timely updates as situations evolve.
What the numbers show
- The proposed rule covers over 300,000 entities in 16 sectors
- CISA estimates implementation costs at $2.6 billion over 11 years
- Cybercrime losses in the U.S. are estimated at over $450 billion in 2024
CISA originally planned to finalize the rule by October 2025, but publication has been postponed to May 2026. The delay also pushes back the rule’s effective date, which will fall after the new publication date.
Legal analyses confirmed the extension, noting that the deadline was moved by six months from the original schedule. The delay affects when covered entities will be required to comply with the new reporting obligations.
Until the final rule takes effect, CISA encourages organizations to voluntarily report cyber incidents. This approach is intended to improve situational awareness and preparedness ahead of mandatory compliance.
The proposed requirements would apply to organizations meeting Small Business Administration size standards across 16 designated critical infrastructure sectors. These sectors include energy, healthcare, financial services, and others considered vital to national security and public safety.
* This article is based on publicly available information at the time of writing.