CISA Delays Cyber Incident Reporting Rules Until May 2026
The Cybersecurity & Infrastructure Security Agency (CISA) has delayed publication of its cyber incident reporting rule for critical infrastructure operators. According to an entry on the Office of Management and Budget's (OMB) regulatory agenda, publication of the final rule is now expected in May 2026. The rule, which implements provisions of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, was previously expected to be published in October 2025 based on deadlines set forth in CIRCIA.
We analyzed CIRCIA in depth when it was enacted in 2022. CIRCIA and the CISA rule will require critical infrastructure operators to notify CISA within 72 hours of discovering a "covered cyber incident" and within 24 hours of making a ransom payment in response to a ransomware attack. CIRCIA granted rulemaking authority to CISA, including the authority to define key terms such as "covered entity" and "covered cyber incident" based on factors and considerations listed in the statute.
As we discussed in a prior post, CISA's proposed rule drew significant criticism from industry and lawmakers. Some have argued that the proposed rule exceeds congressional intent in substantial ways, including by defining "covered entities" much more broadly than was intended in CIRCIA. Under CISA's proposal, the rule would apply to any entity operating in one of 16 critical infrastructure sectors that exceeds a Small Business Administration (SBA) small business size standard. CISA has estimated that the rule would apply to more than 300,000 entities. Other criticisms have focused on the breadth of "covered cyber incidents" and the proposed rule's detailed requirements for the contents of incident reports. Lawmakers have called for CISA to reengage with industry on these criticisms, and CISA may plan to use the delay to consider substantially revising its rule.
DWT's privacy and security practice group actively advises clients on compliance with cybersecurity reporting requirements across all industries and sectors. We will continue tracking CISA's development of its cyber incident notification rule.