Ashden Fein, Micaela McMurrough, Caleb Skeath, and John Webster Leslie of Covington and Burling write:
The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) plans to delay the publication of its much-anticipated cybersecurity incident reporting rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). According to an entry on the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions, released on September 4, 2025, CISA currently plans to publish the Final Rule sometime in May 2026, and it likely will not go into effect until sometime afterwards.
As discussed in a previous blog post, CIRCIA established two cyber incident reporting requirements that are broadly applicable to covered entities in one of the 16 U.S. critical infrastructure sectors. When the Final Rule goes into effect, covered entities will be required report covered cyber incidents within 72 hours of discovery and covered ransom payments within 24 hours. CISA published the Notice of Proposed Rulemaking (“Proposed Rule”) on April 4, 2024, and the statute requires CISA to publish the Final Rule within 18 months of the Proposed Rule. Accordingly, the Final Rule was previously expected to arrive by October 2025.
Source: Inside Privacy.