The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has spent four years in the rulemaking process. That process is now approaching its end. CISA has indicated a final rule is expected in May 2026 — within weeks — and the organisations covered by it are running out of time to build the internal processes, tooling, and governance structures that compliance will require. Recent disruptions to the rule’s stakeholder engagement programme, caused by a lapse in federal appropriations that cancelled planned town halls, have not altered the underlying timeline or requirements.
What the Rule Will Require
The core obligations proposed in the CIRCIA Notice of Proposed Rulemaking (NPRM), published in April 2024, are summarised below. CISA has signalled that the final rule may narrow scope and reduce burden in response to comments, but the two reporting windows are set by the statute itself and are not expected to change:
72-hour incident reporting. A covered entity that experiences a covered cyber incident (the NPRM's term for a "substantial" cyber incident at a covered entity) must report it to CISA within 72 hours of reasonably believing the incident has occurred. The clock starts at that point of reasonable belief, which may come after some initial analysis of anomalous activity but does not wait for forensic confirmation. The NPRM also proposes supplemental reports whenever substantial new information becomes available, until the entity tells CISA the incident has concluded and been fully mitigated. In practice this means organisations need pre-built reporting workflows, designated reporting contacts, and a pre-agreed definition of what constitutes a reportable incident under their specific circumstances.
24-hour ransomware payment reporting. A covered entity that makes a ransom payment in connection with a ransomware attack must report the payment to CISA within 24 hours of the payment being made. This obligation applies even if the underlying incident does not meet the threshold for a covered cyber incident, and the window is separate from, and shorter than, the incident reporting window (the NPRM allows a single joint report when both are due). Organisations that have historically managed ransomware incidents quietly, paying to restore operations without notifying regulators, will no longer have that option.
CIRCIA does not itself impose fines for a missed report. Enforcement runs through a request for information from CISA, followed by a subpoena, which CISA can refer to the Department of Justice for civil enforcement; information produced under subpoena may also be referred for regulatory or criminal action. False or fraudulent statements in a CIRCIA report carry criminal exposure under the federal false-statements statute of up to five years imprisonment, rising to eight years if the offence involves terrorism.
Who Is Covered
CIRCIA applies across all 16 critical infrastructure sectors as defined by Presidential Policy Directive 21. These include energy, water and wastewater, transportation, financial services, healthcare, communications, government facilities, defence industrial base, and information technology, among others. Being in a sector is not, by itself, enough: the NPRM proposed covering entities in those sectors that exceed the SBA small business size standard, plus smaller entities that meet sector-specific criteria (for example, operators of particular types of facilities or services). Smaller organisations may therefore fall outside the rule entirely, but the final scoping will be confirmed in the published rule.
Supply chain relationships matter here. Managed service providers, cloud providers, and technology vendors serving critical infrastructure organisations may face their own reporting obligations as covered entities, or contractual downstream obligations from covered customers. The NPRM allows a third party to submit a report on a covered entity's behalf, but the legal obligation to report stays with the covered entity, so a provider that handles incidents for its customers should expect those customers to demand reporting-quality detail on a 72-hour timetable.
Why Preparation Cannot Wait
The 72-hour clock is unforgiving. During a major incident, when security teams are consumed with containment and remediation, stopping to draft a regulatory notification to CISA is not a natural step. Organisations that have not rehearsed and documented this process before an incident occurs will struggle to meet the deadline under pressure.
The practical requirements of compliance include:
- Defined incident severity thresholds. Security teams need documented criteria for when an event crosses the threshold of a covered cyber incident. The NPRM's proposed definition of a "substantial" incident turns on impact: a substantial loss of confidentiality, integrity or availability of a system or network; a serious impact on the safety and resiliency of operational systems and processes; a disruption of the entity's ability to conduct business or industrial operations; or unauthorised access enabled by the compromise of a cloud or managed service provider, another supply chain compromise, or a zero-day vulnerability. Mapping your own severity scale onto those prongs in advance avoids every incident becoming a judgement call made under stress.
- A designated CISA reporting contact. Reports must identify a point of contact, and the NPRM allows a third party to submit on the entity's behalf, but the obligation remains the covered entity's. Naming an individual who owns submission, and an alternate, means that person learns the process before an incident rather than discovering it during one.
- Legal and communications alignment. Ransomware payment decisions involve legal counsel, insurers, and executives. The 24-hour reporting window means these decisions must be made rapidly, requiring pre-agreed escalation paths and decision-making authority.
- Logging and evidence preservation. Reports to CISA must be factually accurate, and supplemental reports must be filed as the picture changes. Systems must be able to quickly produce timelines, indicators of compromise, and impact assessments. The NPRM also proposes that covered entities preserve data and records relating to a reported incident for a period after the last report is submitted, so evidence handling has to survive well beyond the containment phase. Insufficient logging is not only a security gap; it becomes a compliance gap when a report is due.
The Appropriations Complication
CISA was scheduled to hold a series of virtual town hall meetings in early 2026 to allow stakeholders a final opportunity to comment on the NPRM’s scope and burden. These were cancelled when a lapse in federal appropriations prevented the agency from holding scheduled events. The cancellations do not change the rule’s timeline, but they do mean the final rule may arrive with less industry input than originally intended on certain scoping questions.
CyberScoop has reported that the appropriations disruption may introduce minor delays, but the May 2026 target remains the working assumption. Organisations should plan on that basis.
Recommended Actions
- Complete a CIRCIA readiness assessment now. Identify gaps in your incident reporting process, logging capability, and incident severity classification criteria before the rule takes effect.
- Designate and train your CISA reporting contact. This individual, and at least one alternate, should understand CIRCIA's requirements, have access to the CISA reporting portal, and be reachable 24/7 during an incident.
- Review ransomware payment decision governance. Who in your organisation can authorise a ransomware payment? That person must know about the 24-hour reporting obligation before they ever face the decision.
- Engage legal counsel on supply chain obligations. If your organisation provides services to covered sectors, assess whether downstream contractual obligations will require you to report on their behalf or provide reporting-quality incident documentation.
- Conduct a tabletop exercise with the CIRCIA timeline built in. A ransomware exercise that includes a regulatory notification decision under a 24-hour constraint will surface process gaps that no checklist will catch.
CIRCIA represents the most significant shift in US critical infrastructure cyber incident governance in a decade. The organisations that treat compliance readiness as a project to complete before the rule publishes will be substantially better positioned than those that begin only once the final rule is in force or, worse, once they are in the middle of their first reportable incident.