Congress Extends CISA 2015 Through September 2026

Congress has renewed the Cybersecurity Information Sharing Act of 2015 (CISA 2015) until September 30, 2026, as part of the spending bill signed by the president yesterday, February 3, 2026. The renewal comes as welcome news to companies that rely on CISA 2015 to share information about cyber threats with the government. Even so, the recent string of short-term renewals and occasional lapses makes it difficult for companies to know whether they can rely on CISA 2015 and develop plans for lawful cybersecurity information sharing long term.

CISA 2015 was enacted to, among other things, facilitate public and private-sector sharing of information related to cyber threats and defensive measures. The law provides broad liability and other legal protections for companies that share information in compliance with the law's requirements. CISA 2015 was enacted with a 10-year sunset provision, and the law sunset on September 30, 2025, during the extended government shutdown. The law remained sunset until November 12, 2025, when Congress passed a temporary renewal effective only until January 30, 2026. The law again sunset for several days during the most recent partial government shutdown. 

At least for now, companies that rely on CISA 2015 are stuck with another short-term renewal and an uncertain future for the law. Companies should revisit their information sharing relationships and agreements and determine whether other legal bases exist for sharing cybersecurity information in the absence of CISA 2015. We discussed CISA 2015, renewal efforts, and considerations for sharing cybersecurity information without the statute's protections in a prior blog post.

DWT's Privacy & Security team will continue to monitor developments related to CISA 2015.