Description

CISA is expected to finalize the CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) implementing regulations by May 2026. Once effective, critical infrastructure operators must report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.

Requirements

Monitor CIRCIA final rule publication
Assess applicability as covered critical infrastructure entity
Prepare 72-hour incident reporting procedures
Establish 24-hour ransomware payment reporting process
Train incident response team on CIRCIA requirements

Applicable To

Critical Infrastructure OperatorsEnergy SectorCommunications SectorFinancial ServicesHealthcare OrganizationsTransportation Sector

Penalty Information

⚠Civil enforcement by CISA including administrative subpoenas and potential contempt for non-compliance with reporting obligations.

days remaining

May 31, 2026

Share:X in @

Framework

CISA

Cybersecurity and Infrastructure Security Agency Requirements

Related CISA Deadlines

TSA Pipeline Cybersecurity Directive Expiration
May 2, 2026
CIRCIA Healthcare Sector Compliance Preparation
December 31, 2026

CIRCIA Final Rule Expected