LEO$9.55▲ 0.15%GOOGL$352.51▼ 1.31%ETH$1,788.44▲ 0.26%WTI$84.81▼ 16.96%BRENT$85.40▼ 20.29%XRP$1.07▼ 0.56%TSLA$394.76▼ 3.19%BTC$62,758.00▼ 0.09%AAPL$317.31▲ 0.63%COIN$157.37▼ 1.07%MSTR$92.10▼ 2.68%NFLX$73.83▲ 0.63%XLM$0.1792▼ 2.20%FIGR_HELOC$1.03▲ 1.91%HYPE$63.73▼ 2.72%ZEC$509.50▼ 1.53%NVDA$203.53▼ 3.52%DOGE$0.0722▼ 0.09%XAU$4,027.40▲ 0.76%SOL$75.29▼ 1.29%TRX$0.3247▼ 1.72%BNB$570.44▲ 0.30%NATGAS$3.15▲ 7.14%AMZN$247.31▲ 0.80%META$656.73▼ 1.86%RAIN$0.0143▼ 0.32%MSFT$390.99▲ 1.53%WBT$55.09▲ 0.13%XAG$58.17▲ 0.92%USDS$0.9998▲ 0.01%LEO$9.55▲ 0.15%GOOGL$352.51▼ 1.31%ETH$1,788.44▲ 0.26%WTI$84.81▼ 16.96%BRENT$85.40▼ 20.29%XRP$1.07▼ 0.56%TSLA$394.76▼ 3.19%BTC$62,758.00▼ 0.09%AAPL$317.31▲ 0.63%COIN$157.37▼ 1.07%MSTR$92.10▼ 2.68%NFLX$73.83▲ 0.63%XLM$0.1792▼ 2.20%FIGR_HELOC$1.03▲ 1.91%HYPE$63.73▼ 2.72%ZEC$509.50▼ 1.53%NVDA$203.53▼ 3.52%DOGE$0.0722▼ 0.09%XAU$4,027.40▲ 0.76%SOL$75.29▼ 1.29%TRX$0.3247▼ 1.72%BNB$570.44▲ 0.30%NATGAS$3.15▲ 7.14%AMZN$247.31▲ 0.80%META$656.73▼ 1.86%RAIN$0.0143▼ 0.32%MSFT$390.99▲ 1.53%WBT$55.09▲ 0.13%XAG$58.17▲ 0.92%USDS$0.9998▲ 0.01%
Delayed

CISA’s 72-Hour Cyber Reporting Clock Has Started. Here Is What 300,000 Companies Now Have to Do.

The Cyber Incident Reporting for Critical Infrastructure Act — CIRCIA — passed Congress in March 2022 and directed the Cybersecurity and Infrastructure Security Agency to develop implementing regulations within 42 months. That statutory deadline produced two successive delays as CISA worked through the largest comment volume in the agency’s history: more than 260,000 submissions in response to the proposed rule, spanning trade associations, major critical infrastructure operators, cybersecurity vendors, legal practitioners, and foreign governments. The final rule arrived in May 2026, confirming the core timelines from the proposed rule: 72 hours to report a covered cyber incident, 24 hours to report a ransomware payment. The rule applies to entities across 16 federally designated critical infrastructure sectors that exceed the Small Business Administration size threshold. CISA estimates the compliance population at more than 300,000 entities.

The compliance obligations are now active. The 72-hour clock begins running from the moment a covered entity “reasonably believes” a covered cyber incident has occurred — a standard that has generated substantial commentary and will likely generate substantial litigation before its boundaries are fully established. What follows is a structured account of what the rule requires, where the operational friction is concentrated, and how CIRCIA interacts with the other reporting frameworks that enterprises are simultaneously obligated to satisfy.

What Counts as a Covered Cyber Incident

The final rule defines a covered cyber incident as one that meets one or more of three threshold criteria. The first is substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network. The second is a serious impact on the safety and resiliency of operational technology — systems that control physical infrastructure such as power generation, water treatment, or transportation. The third is disruption of business or industrial operations, including unauthorised access to systems that resulted in that disruption.

The “substantial” qualifier in the first criterion is the one that will produce the most interpretive uncertainty. CISA’s supporting documentation provides guidance: substantial loss of confidentiality encompasses data exfiltration of personal information, financial data, or intellectual property affecting a material volume of records. Substantial loss of availability encompasses outages affecting more than a de minimis number of users for more than a de minimis period. The thresholds are not quantified numerically — a decision CISA defended on the grounds that rigidity would produce under-reporting at the margins — which means the initial CIRCIA reports will include a significant population of borderline incidents where legal counsel advised erring toward disclosure rather than risk the later scrutiny of a non-report.

The ransomware payment reporting requirement is simpler. Any covered entity that makes a payment to a ransomware threat actor — whether to recover data, restore operations, or prevent publication — must report that payment to CISA within 24 hours. The report must include available information about the attacker, the payment amount and mechanism, and the impact of the incident. Covered entities are not required to report a ransomware infection that they did not pay; only payments are captured by the 24-hour obligation, though the underlying incident is likely to be reportable under the 72-hour cyber incident reporting requirement independently.

The 300,000 Entity Population

The covered entity definition applies to any organisation that operates in one of the 16 critical infrastructure sectors designated under Presidential Policy Directive 21 and that exceeds SBA small business thresholds for its industry. The 16 sectors are: chemical, commercial facilities, communications, critical manufacturing, dams, defence industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, transportation systems, and water and wastewater systems.

The breadth of this list is significant. Commercial facilities — which includes real estate, retail, entertainment venues, and lodging — is a sector that contains a large number of entities that have not previously operated under federal cyber regulation. Financial services and healthcare have existing sector-specific cyber frameworks (the Gramm-Leach-Bliley Act, HIPAA, and various financial regulator guidance documents) that partially overlap with CIRCIA’s requirements. Information technology — which covers managed service providers, data centres, cloud service companies, and software vendors — is the sector with perhaps the highest density of CIRCIA-covered entities that also provide services to other covered entities, creating potential notification obligations that run in multiple directions simultaneously.

The healthcare sector faces particular complexity. The Health Insurance Portability and Accountability Act already requires breach notifications to affected individuals within 60 days and to the Department of Health and Human Services annually (or within 60 days for breaches affecting more than 500 individuals). CIRCIA’s 72-hour CISA reporting requirement runs concurrently with these obligations but is not harmonised with them in substance or timing. A healthcare entity experiencing a ransomware attack that results in exfiltration of patient records is simultaneously obligated to report to CISA within 72 hours, report the ransomware payment to CISA within 24 hours (if paid), notify affected individuals within 60 days under HIPAA, and report to HHS — potentially through a different portal using different incident descriptions and data fields.

The 72-Hour Clock in Practice

The operational challenge of a 72-hour reporting requirement is not primarily legal — it is logistical. A large enterprise experiencing a significant cyber incident is managing multiple simultaneous workstreams: containment, forensic investigation, stakeholder communication, legal privilege analysis, and operational restoration. The 72-hour window begins not at the time of discovery but at the time the entity “reasonably believes” a covered incident occurred. In practice, security teams often know a breach has occurred before they know its scope, nature, or whether it meets the threshold criteria for covered incident status.

The reasonable belief standard creates a practical tension. Filing a CIRCIA report before the incident’s full scope is understood means submitting information that may be materially incorrect — which CISA has addressed by allowing and explicitly encouraging supplemental reports as new information becomes available. The regulatory structure treats the initial report as a good-faith effort rather than a definitive account. But the incentive structure for legal counsel is often toward delay — waiting until the scope is understood reduces the risk of reputational harm from an overstated initial report. The 72-hour clock makes that delay strategy untenable for incidents that meet the reasonable belief standard, regardless of whether the final scope is known.

Law enforcement interactions add another layer. In the immediate aftermath of a significant cyber incident, covered entities frequently engage the FBI and potentially other federal law enforcement agencies. CISA has confirmed that CIRCIA reports are protected from civil litigation use and from Freedom of Information Act disclosure — protections that were central to industry lobbying during the rulemaking period. However, the interaction between CIRCIA reports and subsequent law enforcement investigations, SEC disclosure obligations for public companies, and state data breach notification requirements has not been fully litigated. Enterprises facing incidents in 2026 are operating in a compliance environment where the full interaction among these frameworks will be established through enforcement actions and court decisions over the coming years.

How CIRCIA Compares to NIS2

European critical infrastructure operators have been subject to the Network and Information Security Directive’s updated requirements — NIS2 — since October 2024. The parallel is instructive for multinational enterprises that are simultaneously managing CIRCIA and NIS2 compliance.

NIS2 uses a tiered reporting structure: an initial notification to the national competent authority within 24 hours of the time the incident was identified as significant, an intermediate report within 72 hours containing an initial assessment, and a final report within one month. The 24-hour initial notification under NIS2 is earlier than CIRCIA’s 72-hour window but requires less substantive information — it is designed to alert the authority that an incident may be reportable, not to provide a full account. CIRCIA’s 72-hour window collapses the initial and intermediate notifications into a single obligation that requires substantially more information at the point of first report.

For a financial services firm with operations in both the United States and the European Union, the combined obligation is: alert EU national authorities within 24 hours (NIS2 initial notification), file a CIRCIA report with CISA within 72 hours, file an intermediate NIS2 report within 72 hours, and satisfy sector-specific financial regulator reporting requirements (SEC for public companies, federal banking regulators for banks, FINRA for broker-dealers) within their respective timeframes. The incident response team managing a ransomware attack at hour 20 post-discovery is simultaneously preparing four separate regulatory submissions to at least three jurisdictions, while also managing containment and communicating with executive leadership.

The California Layer

California’s Privacy Protection Agency finalised parallel rules in 2026 requiring automated decision-making technology audits and cybersecurity risk assessments for companies that meet the California Consumer Privacy Act’s size thresholds — roughly, companies with more than $25 million in annual revenue, more than 50,000 California residents’ personal information processed annually, or more than half of revenue from selling California residents’ data. The cybersecurity risk assessment requirement is not directly a breach reporting obligation — it is a proactive assessment mandate — but it creates a documentation trail that becomes relevant in post-incident regulatory scrutiny.

The layered state-federal compliance burden is not new for companies that have been managing state data breach notification laws since the early 2000s. What is new is the complexity of federal reporting requirements being added to a pre-existing state compliance architecture. CIRCIA’s federal reporting is not preemptive — it does not replace state breach notification obligations, which exist in all 50 states with varying timelines and scope definitions. A CIRCIA report filed with CISA does not satisfy California’s data breach notification requirement for affected individuals. These are parallel, not sequential, obligations.

What Covered Entities Should Do Now

The compliance actions most directly required by the final rule are operational rather than strategic. Covered entities should review their incident classification framework to establish clear internal criteria for what constitutes a covered incident — criteria that can be applied at the scene, by the incident response team, without waiting for legal review, because the 72-hour clock does not accommodate lengthy internal deliberation. Those criteria should map directly to CISA’s regulatory language and should be tested in tabletop exercises before they are needed in a real event.

Cyber insurance policies should be reviewed for CIRCIA alignment. The standard cyber insurance claim process — notify the insurer, engage the insurer’s approved incident response vendor, receive approval before incurring significant response costs — has a timeline that was designed around state breach notification obligations and SEC disclosure timelines, not a 72-hour federal reporting requirement. Insurers who are primary incident response advisors in the immediate post-breach period need to understand that CISA reporting is a non-deferrable obligation and that their advice on breach scope and disclosure strategy cannot delay the CIRCIA filing without creating regulatory exposure.

The ransomware payment question is the one that concentrates the most legal and operational complexity. An enterprise that is negotiating a ransomware payment — a process that typically takes 24 to 72 hours itself, involving legal counsel, cyber insurance adjusters, ransomware negotiation specialists, and executive decision-makers — is simultaneously obligated to report the payment within 24 hours of making it. The reporting obligation does not inhibit payment (CIRCIA explicitly does not mandate or prohibit ransomware payments), but the 24-hour post-payment reporting clock creates pressure to have the reporting infrastructure and legal preparation in place before payment decisions are finalised. Companies that experience ransomware attacks and consider payment should treat CIRCIA compliance as a parallel workstream from the moment the ransom demand arrives, not an afterthought to be handled after the payment decision is made.

The final rule is the law. The 72-hour clock is running. The question for the 300,000 entities in scope is whether their incident response infrastructure was built for it. The threat environment CIRCIA is designed for has also evolved — AI-assisted vulnerability discovery is accelerating the pace at which critical infrastructure exposures are found and exploited, making the 72-hour reporting window and incident detection infrastructure a more urgent operational requirement than when CIRCIA was drafted in 2022.

 

Enforcement Reality: What the Reporting Clock Does Not Resolve

The 72-hour window is a mechanism. What it produces depends entirely on what happens afterward — and the record on regulatory enforcement in the cybersecurity space is not reassuring.

Here is the problem most CIRCIA coverage has not addressed directly: the requirement creates a paper trail, not an accountability structure. Companies will file incident reports. Regulators will receive them. And then — because CISA is primarily an advisory body, not a prosecutorial one — the follow-on action is neither automatic nor assured. The statute’s enforcement teeth sit primarily with sector-specific regulators (FERC for energy, the FRB and OCC for banking, the FCC for communications), and the coordination mechanism between CISA and those agencies is still being worked out in implementation guidance that has not yet been finalized.

This matters because the incentive structure around incident reporting has a structural defect. Organizations that self-report promptly and completely will face scrutiny. Organizations that delay, underreport scope, or mischaracterize the incident type have that delay exposed only if an independent investigation occurs — which most minor incidents will never trigger. The result is a compliance-driven reporting culture rather than an accountability-driven one: companies file to satisfy the requirement, not because the filing generates meaningful oversight.

The comparison to point-in-time security audits is instructive. An audit produces a finding at a moment in time; the threat surface shifts the next day. CIRCIA produces a report at the moment of detected incident; the actual exposure window, the dwell time, the lateral movement that preceded detection — all of that precedes the clock. The 72-hour requirement governs disclosure, not the actual security posture that made disclosure necessary.

None of this makes CIRCIA wrong. It makes it incomplete. The companies that treat CIRCIA compliance as a genuine improvement to their incident response architecture — rather than a reporting obligation to manage — will be in a materially different position when the next significant incident occurs. Institutional accountability, as a historical pattern, accrues to the organizations that build the infrastructure the regulation assumes exists, not the ones that retrofit it the minimum necessary to file on time.

Sources

The Accountability Architecture of 72-Hour Reporting: What CIRCIA Actually Demands from Organizations

Tufekci’s central argument about technology and institutional accountability is that market incentives alone cannot produce the disclosure behaviour that the public interest requires. Before CIRCIA, the incentive structure for cyber incident reporting was perversely misaligned: the cost of disclosure — regulatory scrutiny, customer trust damage, litigation exposure — was visible and immediate; the cost of silence — systemic underinvestment in incident response capacity, sector-wide vulnerability to known attack patterns that go unreported — was diffuse and delayed. CIRCIA inverts this by making silence the riskier choice for the 300,000-plus organizations now subject to mandatory reporting.

The 72-hour window is not arbitrary. It corresponds to the incident response lifecycle: the point at which an organisation’s internal team has typically developed an initial understanding of scope — systems affected, likely initial access vector, whether the incident is ongoing. Requiring reporting at this point forces organisations to maintain incident response capacity capable of rapid assessment and structured external communication. That is not a bureaucratic requirement — it is an institutional capability-building mandate dressed in compliance language.

the GDPR parallel in mandatory breach notification is instructive. The EU’s mandatory breach notification regime was initially resisted as an unworkable compliance burden. What it produced was the industrialisation of breach response: organisations invested in incident response tooling, retained forensic firms on standby, and built internal communications playbooks because the cost of being unprepared for mandatory reporting exceeded the cost of preparation. CIRCIA will produce the same industrialisation in critical infrastructure operators, at scale and on a faster timeline. the cybersecurity vendor consolidation driven partly by reporting-infrastructure demand is the vendor-market consequence: organisations need integrated visibility across their entire environment to produce accurate 72-hour reports, which drives demand for consolidated security platforms over point solutions.

The accountability architecture question Tufekci would ask is: who does this information flow to, and what happens with it? CISA’s mandate is not simply to collect incident reports — it is to aggregate patterns across the critical infrastructure sector and use that aggregated signal to improve collective defense. how verifiable credibility infrastructure converts individual claims into sector-wide accountability signals — the same logic CIRCIA applies to cyber incident data. Individual organisations reporting incidents creates an information commons that benefits the entire sector, even though the cost of reporting falls on individual organisations. That is a textbook case for mandatory disclosure: private cost, collective benefit, voluntary compliance insufficient.

the attribution challenge in cyber incidents — correctly identifying the initial access vector and responsible actor within 72 hours — is precisely what makes the reporting requirement valuable as a capability standard. Organisations that cannot attribute an incident within 72 hours do not have adequate incident response infrastructure. The reporting requirement forces the capability investment. the gap between what organisations announce and what they actually disclose — the difference between what organisations say about their security posture and what they actually disclose when an incident occurs — is the information asymmetry that mandatory reporting is designed to close. CIRCIA’s 72-hour window is a forcing function for honesty at the moment when honesty is most institutionally costly.

Carl A.
As Marketing Lead and General Manager for VaaSBlock Philippines, Carl brings extensive experience from various major Web3 projects, including Net Marble, Immortal Game, and Salad Ventures. His expertise in Marketing, Growth Strategies, and Team Leadership has positioned him as a key driver of VaaSBlock’s global expansion and its mission to set new standards in blockchain credibility.

Carl oversees VaaSBlock’s operations in the Philippines, where a significant portion of the team is based, and is spearheading plans for further growth in the region. His strategic vision and dedication to fostering trust and innovation in the Web3 ecosystem play a pivotal role in VaaSBlock’s success.

Home » CISA’s 72-Hour Cyber Reporting Clock Has Started. Here Is What 300,000 Companies Now Have to Do.