Upcoming Federal Cyber Incident Reporting Rules Set for Implementation
Severity: Medium (Score: 42.9)
Sources: Eversheds-Sutherland, Fisherphillips
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) is finalizing rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Under the proposed rule, more than 300,000 covered entities across the 16 critical infrastructure sectors would have to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours. The rule replaces today's voluntary incident reporting with a mandatory regime backed by enforcement, including potential civil penalties for non-compliance.

The final rule was expected by May 2026, but recent funding disruptions and staff shortages at CISA have pushed the timeline back, raising questions about how clear and workable the reporting obligations will be. The proposed definitions and reporting thresholds (such as which entities are covered and what counts as a substantial incident) have drawn criticism from industry stakeholders, so further adjustments are possible before the rule is final. CISA's compliance expectations remain high despite the delay, and covered businesses are advised to prepare now so that they can meet the 72-hour and 24-hour clocks once the rule takes effect.

Key Points:
• CISA's new rules require reporting of substantial cyber incidents within 72 hours and ransom payments within 24 hours.
• Over 300,000 entities across 16 critical infrastructure sectors will be affected by these regulations.
• Delays in finalizing the rules, and unresolved disputes over definitions and thresholds, may impact businesses' ability to comply effectively.
Key Entities
- DDoS (attack_type)
- Ransomware (attack_type)
- Kingdom Of Saudi Arabia (country)
- United States (country)
- cisa.gov (domain)
- Government (industry)
- Healthcare (industry)