CISA Delays Mandatory Cyber Incident Reporting Rule to May 2026

The Cybersecurity and Infrastructure Security Agency announced in September 2025 that it would delay finalization of the Cyber Incident Reporting for Critical Infrastructure Act rules until May 2026, citing the volume of public comments received and the need to harmonize CIRCIA with other federal cyber reporting frameworks. CIRCIA, enacted in March 2022, required CISA to finalize regulations mandating that covered critical infrastructure entities report significant cyber incidents to the federal government within 72 hours and ransomware payments within 24 hours. The delay came after appropriations lapses forced postponement of town hall meetings scheduled for early 2026.