CISA’s 72-Hour Cyber Reporting Clock Has Started. Here Is What 300,000 Companies Now Have to Do.

The Cyber Incident Reporting for Critical Infrastructure Act — CIRCIA — passed Congress in March 2022 and directed the Cybersecurity and Infrastructure Security Agency to develop implementing regulations within 42 months. That statutory deadline slipped twice as CISA worked through the largest comment volume in the agency’s history: more than 260,000 submissions in response to the proposed rule, spanning trade associations, major critical infrastructure operators, cybersecurity vendors, legal practitioners, and foreign governments. The final rule arrived in May 2026, confirming the core timelines from the proposed rule: 72 hours to report a covered cyber incident, 24 hours to report a ransomware payment. The rule applies to entities across 16 federally designated critical infrastructure sectors that exceed the Small Business Administration size threshold. CISA estimates the compliance population at more than 300,000 entities.

The compliance obligations are now active. The 72-hour clock begins running from the moment a covered entity “reasonably believes” a covered cyber incident has occurred — a standard that has generated substantial commentary and will likely generate substantial litigation before its boundaries are fully established. What follows is a structured account of what the rule requires, where the operational friction is concentrated, and how CIRCIA interacts with the other reporting frameworks that enterprises are simultaneously obligated to satisfy.

What Counts as a Covered Cyber Incident

The final rule defines a covered cyber incident as one that meets one or more of three threshold criteria. The first is substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network. The second is a serious impact on the safety and resiliency of operational technology — systems that control physical infrastructure such as power generation, water treatment, or transportation. The third is disruption of business or industrial operations, including unauthorised access to systems that resulted in that disruption.

The “substantial” qualifier in the first criterion is the one that will produce the most interpretive uncertainty. CISA’s supporting documentation provides guidance: substantial loss of confidentiality encompasses data exfiltration of personal information, financial data, or intellectual property affecting a material volume of records. Substantial loss of availability encompasses outages affecting more than a de minimis number of users for more than a de minimis period. The thresholds are not quantified numerically — a decision CISA defended on the grounds that rigidity would produce under-reporting at the margins — which means the initial CIRCIA reports will include a significant population of borderline incidents where legal counsel advised erring toward disclosure rather than risk the later scrutiny of a non-report.

The ransomware payment reporting requirement is simpler. Any covered entity that makes a payment to a ransomware threat actor — whether to recover data, restore operations, or prevent publication — must report that payment to CISA within 24 hours. The report must include available information about the attacker, the payment amount and mechanism, and the impact of the incident. Covered entities are not required to report a ransomware infection for which they made no payment; only payments are captured by the 24-hour obligation, though the underlying incident is likely to be reportable under the 72-hour cyber incident reporting requirement independently.

The 300,000 Entity Population

The covered entity definition applies to any organisation that operates in one of the 16 critical infrastructure sectors designated under Presidential Policy Directive 21 and that exceeds SBA small business thresholds for its industry. The 16 sectors are: chemical, commercial facilities, communications, critical manufacturing, dams, defence industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, transportation systems, and water and wastewater systems.

The breadth of this list is significant. Commercial facilities — which includes real estate, retail, entertainment venues, and lodging — is a sector that contains a large number of entities that have not previously operated under federal cyber regulation. Financial services and healthcare have existing sector-specific cyber frameworks (the Gramm-Leach-Bliley Act, HIPAA, and various financial regulator guidance documents) that partially overlap with CIRCIA’s requirements. Information technology — which covers managed service providers, data centres, cloud service companies, and software vendors — is the sector with perhaps the highest density of CIRCIA-covered entities that also provide services to other covered entities, creating potential notification obligations that run in multiple directions simultaneously.

The healthcare sector faces particular complexity. The Health Insurance Portability and Accountability Act already requires breach notifications to affected individuals within 60 days and to the Department of Health and Human Services annually (or within 60 days for breaches affecting more than 500 individuals). CIRCIA’s 72-hour CISA reporting requirement runs concurrently with these obligations but is not harmonised with them in substance or timing. A healthcare entity experiencing a ransomware attack that results in exfiltration of patient records is simultaneously obligated to report to CISA within 72 hours, report the ransomware payment to CISA within 24 hours (if paid), notify affected individuals within 60 days under HIPAA, and report to HHS — potentially through a different portal using different incident descriptions and data fields.

The 72-Hour Clock in Practice

The operational challenge of a 72-hour reporting requirement is not primarily legal — it is logistical. A large enterprise experiencing a significant cyber incident is managing multiple simultaneous workstreams: containment, forensic investigation, stakeholder communication, legal privilege analysis, and operational restoration. The 72-hour window begins not at the time of discovery but at the time the entity “reasonably believes” a covered incident occurred. In practice, security teams often know a breach has occurred before they know its scope, nature, or whether it meets the threshold criteria for covered incident status.

The reasonable belief standard creates a practical tension. Filing a CIRCIA report before the incident’s full scope is understood means submitting information that may be materially incorrect — which CISA has addressed by allowing and explicitly encouraging supplemental reports as new information becomes available. The regulatory structure treats the initial report as a good-faith effort rather than a definitive account. But the incentive structure for legal counsel is often toward delay — waiting until the scope is understood reduces the risk of reputational harm from an overstated initial report. The 72-hour clock makes that delay strategy untenable for incidents that meet the reasonable belief standard, regardless of whether the final scope is known.

Law enforcement interactions add another layer. In the immediate aftermath of a significant cyber incident, covered entities frequently engage the FBI and potentially other federal law enforcement agencies. CISA has confirmed that CIRCIA reports are protected from civil litigation use and from Freedom of Information Act disclosure — protections that were central to industry lobbying during the rulemaking period. However, the interaction between CIRCIA reports and subsequent law enforcement investigations, SEC disclosure obligations for public companies, and state data breach notification requirements has not been fully litigated. Enterprises facing incidents in 2026 are operating in a compliance environment where the full interaction among these frameworks will be established through enforcement actions and court decisions over the coming years.

How CIRCIA Compares to NIS2

European critical infrastructure operators have been subject to the Network and Information Security Directive’s updated requirements — NIS2 — since October 2024. The parallel is instructive for multinational enterprises that are simultaneously managing CIRCIA and NIS2 compliance.

NIS2 uses a tiered reporting structure: an initial notification to the national competent authority within 24 hours of the time the incident was identified as significant, an intermediate report within 72 hours containing an initial assessment, and a final report within one month. The 24-hour initial notification under NIS2 is earlier than CIRCIA’s 72-hour window but requires less substantive information — it is designed to alert the authority that an incident may be reportable, not to provide a full account. CIRCIA’s 72-hour window collapses the initial and intermediate notifications into a single obligation that requires substantially more information at the point of first report.

For a financial services firm with operations in both the United States and the European Union, the combined obligation is: alert EU national authorities within 24 hours (NIS2 initial notification), file a CIRCIA report with CISA within 72 hours, file an intermediate NIS2 report within 72 hours, and satisfy sector-specific financial regulator reporting requirements (SEC for public companies, federal banking regulators for banks, FINRA for broker-dealers) within their respective timeframes. The incident response team managing a ransomware attack at hour 20 post-discovery is simultaneously preparing four separate regulatory submissions to at least three jurisdictions, while also managing containment and communicating with executive leadership.

The California Layer

California’s Privacy Protection Agency finalised parallel rules in 2026 requiring automated decision-making technology audits and cybersecurity risk assessments for companies that meet the California Consumer Privacy Act’s size thresholds — roughly, companies with more than $25 million in annual revenue, more than 50,000 California residents’ personal information processed annually, or more than half of revenue from selling California residents’ data. The cybersecurity risk assessment requirement is not directly a breach reporting obligation — it is a proactive assessment mandate — but it creates a documentation trail that becomes relevant in post-incident regulatory scrutiny.

The layered state-federal compliance burden is not new for companies that have been managing state data breach notification laws since the early 2000s. What is new is the complexity of federal reporting requirements being added to a pre-existing state compliance architecture. CIRCIA’s federal reporting is not preemptive — it does not replace state breach notification obligations, which exist in all 50 states with varying timelines and scope definitions. A CIRCIA report filed with CISA does not satisfy California’s data breach notification requirement for affected individuals. These are parallel, not sequential, obligations.

What Covered Entities Should Do Now

The compliance actions most directly required by the final rule are operational rather than strategic. Covered entities should review their incident classification framework to establish clear internal criteria for what constitutes a covered incident — criteria that can be applied at the scene, by the incident response team, without waiting for legal review, because the 72-hour clock does not accommodate lengthy internal deliberation. Those criteria should map directly to CISA’s regulatory language and should be tested in tabletop exercises before they are needed in a real event.

Cyber insurance policies should be reviewed for CIRCIA alignment. The standard cyber insurance claim process — notify the insurer, engage the insurer’s approved incident response vendor, receive approval before incurring significant response costs — has a timeline that was designed around state breach notification obligations and SEC disclosure timelines, not a 72-hour federal reporting requirement. Insurers who are primary incident response advisors in the immediate post-breach period need to understand that CISA reporting is a non-deferrable obligation and that their advice on breach scope and disclosure strategy cannot delay the CIRCIA filing without creating regulatory exposure.

The ransomware payment question is the one that concentrates the most legal and operational complexity. An enterprise that is negotiating a ransomware payment — a process that typically takes 24 to 72 hours itself, involving legal counsel, cyber insurance adjusters, ransomware negotiation specialists, and executive decision-makers — is simultaneously obligated to report the payment within 24 hours of making it. The reporting obligation does not inhibit payment (CIRCIA explicitly does not mandate or prohibit ransomware payments), but the 24-hour post-payment reporting clock creates pressure to have the reporting infrastructure and legal preparation in place before payment decisions are finalised. Companies that experience ransomware attacks and consider payment should treat CIRCIA compliance as a parallel workstream from the moment the ransom demand arrives, not an afterthought to be handled after the payment decision is made.

The final rule is the law. The 72-hour clock is running. The question for the 300,000 entities in scope is whether their incident response infrastructure was built for it.