"The U.S. Cybersecurity and Infrastructure Security Agency ("CISA") plans to delay the publication of its much-anticipated cybersecurity incident reporting rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 ("CIRCIA"). According to an entry on the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions, released on September 4, 2025, CISA currently plans to publish the Final Rule sometime in May 2026, and it likely will not go into effect until sometime afterwards."
"As discussed in a previous blog post, CIRCIA established two cyber incident reporting requirements that are broadly applicable to covered entities in one of the 16 U.S. critical infrastructure sectors. When the Final Rule goes into effect, covered entities will be required report covered cyber incidents within 72 hours of discovery and covered ransom payments within 24 hours. CISA published the Notice of Proposed Rulemaking ("Proposed Rule") on April 4, 2024,"
CISA plans to delay publication of the Final Rule implementing CIRCIA, with a Spring 2025 Unified Agenda entry dated September 4, 2025 indicating a May 2026 publication target and a later effective date. CIRCIA established two reporting requirements for covered entities within one of the 16 U.S. critical infrastructure sectors. Once in effect, covered entities must report covered cyber incidents within 72 hours of discovery and report covered ransom payments within 24 hours. CISA published the Notice of Proposed Rulemaking on April 4, 2024, and the statute required the Final Rule within 18 months of that Proposed Rule.
Read at DataBreaches.Net
Unable to calculate read time
Collection
[
|
...
]