The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours. The obligation takes effect once CISA's implementing rule is final.
Key Aspects of the CIRCIA Rule:
Covered Entities: Organizations in the 16 critical infrastructure sectors (e.g., Financial Services, Healthcare, Energy, Transportation) that meet specific size or impact criteria. CISA estimates that more than 300,000 entities will be covered by CIRCIA.
The proposed rule would cover any entity in a critical infrastructure sector that is "larger than a small business", where a small business is generally defined as one "having fewer than 500 employees or annual receipts less than $7.5M" (the applicable SBA size standard varies by industry).
Source: IAPP, https://iapp.org/news/a/the-clock-starts-soon-preparing-for-circia
Reporting Timelines:
72 Hours: For substantial cyber incidents, measured from when the entity reasonably believes the incident occurred.
A "substantial cyber incident" is defined in the proposed rule as an incident that causes any of the following:
Substantial loss of confidentiality, integrity or availability of an information system or network.
Serious impact on the safety and resiliency of operational systems and processes.
Disruption of the entity's ability to engage in business or industrial operations, or to deliver goods or services.
Unauthorized access facilitated through or caused by a compromise of a service provider or other third party, or by a supply chain compromise.
Source: IAPP, https://iapp.org/news/a/the-clock-starts-soon-preparing-for-circia
24 Hours: For ransom payments, measured from the time the payment is made, and required even if the underlying incident was not itself reportable as a substantial cyber incident.
Supplemental Reports: Required within 24 hours when substantial new or different information becomes available, including a ransom payment made after the initial incident report was submitted.
Purpose: Enables CISA to analyze trends, warn other potential victims, and provide assistance.
Record Retention: Covered entities must preserve data and records relevant to the incident and to any ransom payment for the retention period set by the rule.
Key Definitions and Scope:
Reasonable Belief: The 72-hour clock starts when the entity reasonably believes that a covered cyber incident has occurred, not when the incident is fully confirmed or investigated.
Third-Party Impact: Incidents at vendors or service providers that affect a covered entity are reportable by that entity.
The proposed CIRCIA regulation notes that information submitted to CISA is protected against onward disclosure (including exemption from public records requests) and that submitting a report does not waive the entity's legal privileges and protections.
Conversely, failure to comply by not submitting timely and complete CIRCIA reports or supplemental reports, or by not responding to CISA requests for information, could result in enforcement action, including a subpoena and referral to the Department of Justice for civil enforcement.
Knowingly and willfully making false or fraudulent statements or representations in a report could be met with fines and imprisonment of up to five years, or imprisonment of up to eight years if the offense involves international or domestic terrorism.