
CISA delays mandatory cyber incident reporting rule to May 2026

Sources: CyberScoop, IAPP, Industrial Cyber, Alston & Bird, BankInfoSecurity, and 10 more

Congress passed CIRCIA in 2022 after ransomware attacks crippled Colonial Pipeline, JBS Foods, and dozens of hospitals. The law gave CISA three years to write rules requiring critical infrastructure companies to report major cyber incidents to the government. The deadline was set for October 2025.

CISA announced in September 2025 it was pushing the final rule to May 2026. The agency cited the need to reduce burdens on industry and harmonize reporting requirements with other federal agencies that have their own, overlapping cyber reporting rules.

The proposed rule would require companies in 16 critical infrastructure sectors to notify CISA within 72 hours of a substantial cyber incident and within 24 hours of making a ransomware payment. Companies that miss these deadlines face subpoenas and potential referral to the Justice Department.

CISA's own analysis projected the rule would cover over 316,000 entities submitting more than 200,000 reports per year. The total cost over 11 years: $2.6 billion, split roughly $1.4 billion on industry and $1.2 billion on government.

Industry trade groups—including those from the financial, healthcare, and technology sectors—flooded CISA with 316 public comments. Many argued that CISA had defined 'covered entity' far more broadly than Congress intended, sweeping in businesses that were never meant to be covered.

CISA has been operating without a Senate-confirmed director since Jen Easterly departed in January 2025. Sean Plankey, Trump's initial nominee, withdrew before confirmation hearings. The lack of confirmed leadership has slowed regulatory work across the agency.

Other federal agencies—including the SEC, FCC, and Department of Health and Human Services—have their own cyber incident reporting requirements. CISA's delay is partly about trying to harmonize these overlapping regimes so companies don't have to file four separate reports after the same breach.

CISA scheduled virtual town halls for March 2026 to gather additional public input before publishing the final rule. This gives industry another formal opportunity to push for a narrower, less burdensome version of the law before it takes effect.

Topics: Digital Rights, National Security

People, bills, and sources

Jen Easterly

Former CISA Director (departed January 20, 2025)

Sean Plankey

Trump's initial CISA director nominee (2025)

Brendan Carr

FCC Chairman (2025)

Gary Peters

Senate Homeland Security Committee Ranking Member (D-MI)

Paul Abbate

Former FBI Deputy Director; led FBI cyber division during CIRCIA drafting

What you can do

1. Civic action: Contact your senators about CIRCIA implementation

The CIRCIA delay means thousands of cyberattacks on critical infrastructure will go unreported to the federal government, limiting the government's ability to detect attack patterns and warn other potential targets. Your senators on the Homeland Security Committee vote on CISA's budget and oversight.

My name is [name] and I'm a constituent from [city, state]. I'm calling about the CIRCIA cyber reporting rule delay. CISA pushed mandatory incident reporting from October 2025 to May 2026 under industry pressure. I want Senator [name] to support strong final rules requiring 72-hour reporting from all 16 critical infrastructure sectors, without carve-outs that let companies hide breaches.

2. Policy engagement: Submit public comments on the final CIRCIA rule

CISA's town halls in March 2026 are formal opportunities to weigh in on the rule before it's finalized. Members of the public, not just corporations, can submit comments through the Federal Register process. Your comment gets the same consideration as a corporate lobbyist's.

I'm submitting a public comment on the CIRCIA rulemaking. As a member of the public who depends on critical infrastructure—hospitals, water systems, and the electrical grid—I urge CISA to finalize a rule that requires mandatory 72-hour reporting from all 16 sectors without narrowing the definition of covered entities based on industry lobbying.

3. Personal action: Check if your employer or industry is subject to CIRCIA reporting

If you work in energy, healthcare, finance, transportation, water, or any of the other 16 critical infrastructure sectors, your organization may need to comply with the final CIRCIA rule when it takes effect. Check CISA's sector pages to understand what reporting obligations apply.

Visit CISA's website and find the page for your industry sector. The final rule will require reporting within 72 hours of a substantial breach. Companies that miss deadlines face subpoenas and referral to the Justice Department.