CISA delays mandatory cyber incident reporting rule to May 2026

CISA announced in September 2025 it was pushing the final rule to May 2026. The agency cited the need to reduce burdens on industry and harmonize reporting requirements with other federal agencies that have their own, overlapping cyber reporting rules.

The proposed rule would require companies in 16 critical infrastructure sectors to notify CISA within 72 hours of a substantial cyber incident and within 24 hours of making a ransomware payment. Companies that miss these deadlines face subpoenas and potential referral to the Justice Department.

CISA's own analysis projected the rule would cover over 316,000 entities submitting more than 200,000 reports per year. The total cost over 11 years: $2.6 billion, split roughly $1.4 billion on industry and $1.2 billion on government.

Industry trade groups—including from the financial, healthcare, and technology sectors—flooded CISA with 316 public comments. Many argued CISA defined 'covered entity' far more broadly than Congress intended, sweeping in businesses that were never meant to be covered.

CISA has been operating without a Senate-confirmed director since Jen Easterly departed in January 2025. Sean Plankey, Trump's initial nominee, withdrew before confirmation hearings. The lack of confirmed leadership has slowed regulatory work across the agency.

Other federal agencies—including the SEC, FCC, and Department of Health and Human Services—have their own cyber incident reporting requirements. CISA's delay is partly about trying to harmonize these overlapping regimes so companies don't have to file four separate reports after the same breach.

CISA scheduled virtual town halls for March 2026 to gather additional public input before publishing the final rule. This gives industry another formal opportunity to push for a narrower, less burdensome version of the law before it takes effect.