US: Delays to cyber incident reporting rules


People Capabilities In this section you can find Services Banking and Finance Banking and Finance overview Asset & Lease Finance Capital Markets Corporate Debt Leveraged Finance Project, Energy and Infrastructure Finance Real Estate Finance Restructuring and Insolvency Securitization and Structured Finance Trade and Export Finance Competition, Trade and Foreign Investment Competition, Trade and Foreign Investment overview International Sanctions and Export Controls Construction and Engineering Corporate and M&A Corporate and M&A overview Capital Markets Corporate Governance International Corporate Reorganizations Joint Ventures Mergers and Acquisitions Private Equity Venture Capital Corporate Crime Corporate Crime overview International Sanctions and Export Controls Regulatory Investigations and Enforcement Data Privacy, Security and Technology Data Privacy, Security and Technology overview Cybersecurity Data Privacy Information Law Employment, Labor and Pensions Employment, Labor and Pensions overview Corporate Transactions Diversity, Pay and Discrimination Employee Benefits and Executive Compensation Employment Employment Litigation Financial Services Regulation Insurance Intellectual Property Litigation and Dispute Resolution Litigation and Dispute Resolution overview Commercial Litigation Construction Disputes Energy Disputes Financial Services Disputes and Investigations Fraud Procurement Disputes Real Estate Disputes Regulatory Investigations and Enforcement Private Client Private Client overview Family offices services Real Estate and Planning Real Estate and Planning overview Corporate Real Estate Real Estate Disputes Real Estate Finance Strategic Contracts Strategic Contracts overview Contract Modernization Outsourcing Strategic Partnerships Tax Industries Consumer Consumer overview Luxury Retail and Wholesale Energy Energy overview Hydrogen Financial Services Financial Services overview Corporate and Investment Banking Private Capital Retail Banking and Consumer Finance Governments and Infrastructure Industrials Industrials overview Automotive Manufacturing and Industrial Engineering Life Sciences and Healthcare Real Estate Real Estate overview Real Estate Investment Technology & Digital Resources Insights Client tools Events and training Business topics About About us Firm leadership Purpose and values Responsible business Community Diversity and inclusion Environmental sustainability Pro bono Reports Alumni News Careers Global careers Applications Why us? Lawyers and partners Business professionals Students and recent graduates Offices Czech Republic Visit global site Select a local version of the site Angola Asia Austria Belgium Bulgaria Czech Republic Estonia Finland France Germany Hungary Iraq Ireland Italy Jordan Latvia Lithuania Luxembourg Mauritius Mozambique Netherlands Poland Portugal Qatar Romania Saudi Arabia Slovakia South Africa Spain Sweden Switzerland Tunisia United Arab Emirates United Kingdom United States Rest of the world en Select language English US: Delays to cyber incident reporting rules Home Resources Insights Home Resources Insights US: Delays to cyber incident reporting rules US: Delays to cyber incident reporting rules What businesses can watch for and do now April 06, 2026 United States United States United States Why should I read this? The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will introduce mandatory US federal reporting of serious cyber incidents and ransomware payments affecting critical infrastructure. “Covered entities” operate in one of 16 US critical infrastructure sectors and meet sector‑specific criteria. They will have 72 hours to report cyber incidents and 24 hours to report ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). This marks a shift from voluntary engagement to a formal enforcement regime with potential civil penalties. Although the final rules are not yet in force, CISA has already made clear its expectations. If businesses delay preparation until the effective date, they may struggle to meet the short reporting deadlines and/or preserve the right data during a cyber incident. What’s happening with the rulemaking? CISA originally planned to finalize the CIRCIA rules around mid-2026. Early 2026 was meant to be a practical trial phase. CISA planned to use town hall meetings between March and April to, among other things, test how the rules would operate in practice and hear feedback on points such as definitions and reporting thresholds. But on March 25, 2026, CISA announced that funding constraints and staff shortages had led to the cancellation of the town halls and other activity. As a result, work needed to finalize the rules has been paused. CISA has indicated that new dates will be published once operations resume, but the delays make it more likely that the final rules (and the point when reporting becomes mandatory) will be delayed beyond mid-2026. Alongside this, industry feedback to the 2024 Notice of Proposed Rulemaking suggests considerable further work may be needed. Many stakeholders argued that the scope was too broad, certain definitions were unclear and reporting timelines were too rigid. There were also concerns around too many overlapping rules that could affect businesses’ ability to fix incidents. How does this fit into the wider policy picture? While the CIRCIA rules are being delayed, the US administration’s broader cyber strategy is still moving forward. Its March 2026 cyber strategy makes clear that one of its priorities is to protect critical infrastructure by focusing on genuinely serious cyber incidents (those that pose real risks to national security or essential services) and by enabling such infrastructure to recover quickly when incidents happen. The tension lies in the gap between what the government wants to achieve and how the proposed rules may work in practice. The aim is to strengthen national cyber resilience, but businesses are worried about the uncertainty around what they need to do and when. What can businesses do now? The key message is not to wait for perfect clarity. Threat levels remain high and regulatory expectations continue to build. But don’t let delays in rulemaking affect (or slow down) organizational responsibility. Preparing now puts businesses in a strong position, even though the final rules are still uncertain. Good preparation reduces both cyber risk and regulatory risk, whatever the final outcome. Key actions include the following: Check whether you’re likely to fall within CIRCIA’s scope, based on your sector and the proposed criteria. Check whether current systems and procedures would allow you to identify an incident, escalate it internally and decide whether to report it within 72 hours. Make sure incident response plans are updated to ensure relevant evidence and records can be preserved for the required period. Clarify who makes reporting decisions and how those decisions are recorded. Pay attention to cyber incidents affecting third parties and suppliers, and be clear about who is responsible for reporting when those incidents impact their own operations. Plan for more responsibility with less external support in the short term. Reporting remains voluntary for now, but CISA continues to encourage entities to report incidents to familiarize themselves with the process. Further reading The Cyber Incident Reporting for Critical Infrastructure Act of 2022 __________ If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work. The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer. Services Cybersecurity Data Privacy Data Privacy, Security and Technology Regulatory Investigations and Enforcement Industries Energy Financial Services Key contacts Michael Bahar Partner Washington, DC, United States Alexander F.L. Sand Partner Austin, United States Kirath Bharya Knowledge Lawyer United Kingdom Chris Bloomfield Senior Associate Washington, DC, United States Latest Insights legal updates Consumer Lens - Session 1 \| The Rise of European Class Actions podcasts and webcasts Tax NOLs in Cross-Border Structures Webinar legal updates EU Pay Transparency Directive legal updates Commercially connected - May 2026 Latest News client news Next stop, public ownership: Eversheds Sutherland advises DfT on GTR transition firm news Eversheds Sutherland strengthens restructuring offering with senior partner appointment firm news Eversheds Sutherland strengthens Commercial Advisory practice with technology partner hire client news Eversheds Sutherland advises Schroders Greencoat on acquisition of Dutch biomethane platform Latest Events virtual \| June 02, 2026 Spanish employment law training virtual \| June 09, 2026 UK employment law training virtual \| June 16, 2026 Nordic (Denmark, Finland, Norway and Sweden) employment law training virtual \| June 23, 2026 Introduction to Swiss employment law Tabs Label legal updates May 29, 2026 Consumer Lens - Session 1 \| The Rise of European Class Actions podcasts and webcasts May 29, 2026 Tax NOLs in Cross-Border Structures Webinar legal updates May 28, 2026 EU Pay Transparency Directive legal updates May 27, 2026 Commercially connected - May 2026 Legal notices Terms & conditions Privacy notice Cookies LinkedIn Facebook YouTube Connect Contact us Client login Staff login Subscribe About us About Eversheds Sutherland Purpose and values Responsible business Alumni Insights Client tools Events and training Business topics Careers Offices © Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed or affiliated firms and the members of Eversheds Sutherland (Europe) Limited and Eversheds Sutherland (Africa) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global entity. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website. For information on Konexo please also see the Legal Notices page of this website.

Why should I read this?

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will introduce mandatory US federal reporting of serious cyber incidents and ransomware payments affecting critical infrastructure. “Covered entities” operate in one of 16 US critical infrastructure sectors and meet sector‑specific criteria. They will have 72 hours to report cyber incidents and 24 hours to report ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). This marks a shift from voluntary engagement to a formal enforcement regime with potential civil penalties.

Although the final rules are not yet in force, CISA has already made clear its expectations. If businesses delay preparation until the effective date, they may struggle to meet the short reporting deadlines and/or preserve the right data during a cyber incident.

What’s happening with the rulemaking?

CISA originally planned to finalize the CIRCIA rules around mid-2026. Early 2026 was meant to be a practical trial phase. CISA planned to use town hall meetings between March and April to, among other things, test how the rules would operate in practice and hear feedback on points such as definitions and reporting thresholds.

But on March 25, 2026, CISA announced that funding constraints and staff shortages had led to the cancellation of the town halls and other activity. As a result, work needed to finalize the rules has been paused. CISA has indicated that new dates will be published once operations resume, but the delays make it more likely that the final rules (and the point when reporting becomes mandatory) will be delayed beyond mid-2026.

Alongside this, industry feedback to the 2024 Notice of Proposed Rulemaking suggests considerable further work may be needed. Many stakeholders argued that the scope was too broad, certain definitions were unclear and reporting timelines were too rigid. There were also concerns around too many overlapping rules that could affect businesses’ ability to fix incidents.

How does this fit into the wider policy picture?

While the CIRCIA rules are being delayed, the US administration’s broader cyber strategy is still moving forward. Its March 2026 cyber strategy makes clear that one of its priorities is to protect critical infrastructure by focusing on genuinely serious cyber incidents (those that pose real risks to national security or essential services) and by enabling such infrastructure to recover quickly when incidents happen.

The tension lies in the gap between what the government wants to achieve and how the proposed rules may work in practice. The aim is to strengthen national cyber resilience, but businesses are worried about the uncertainty around what they need to do and when.

What can businesses do now?

The key message is not to wait for perfect clarity. Threat levels remain high and regulatory expectations continue to build. But don’t let delays in rulemaking affect (or slow down) organizational responsibility. Preparing now puts businesses in a strong position, even though the final rules are still uncertain. Good preparation reduces both cyber risk and regulatory risk, whatever the final outcome.

Key actions include the following:

Check whether you’re likely to fall within CIRCIA’s scope, based on your sector and the proposed criteria.
Check whether current systems and procedures would allow you to identify an incident, escalate it internally and decide whether to report it within 72 hours.
Make sure incident response plans are updated to ensure relevant evidence and records can be preserved for the required period.
Clarify who makes reporting decisions and how those decisions are recorded.
Pay attention to cyber incidents affecting third parties and suppliers, and be clear about who is responsible for reporting when those incidents impact their own operations.
Plan for more responsibility with less external support in the short term. Reporting remains voluntary for now, but CISA continues to encourage entities to report incidents to familiarize themselves with the process.

Further reading

The Cyber Incident Reporting for Critical Infrastructure Act of 2022

__________

If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work.

The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.