
The May 2026 CIRCIA Deadline: How to prepare for 72-hour reporting


What is CIRCIA? A 2026 regulatory refresher

CIRCIA is a major piece of legislation targeted at the U.S. critical infrastructure sector.

Congress introduced the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in 2021, calling for new requirements for critical infrastructure entities to report cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA), an agency of the Department of Homeland Security (DHS). After CIRCIA was rolled into the Consolidated Appropriations Act, 2022, it was signed into law in March 2022 as the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

While the law was signed in 2022, the reporting requirements do not take effect until CISA issues a final rule establishing exactly who must report, what must be reported, and when. That rule is being finalized right now, in early 2026.

Rising ransomware threats: The context for CIRCIA

Why is CIRCIA necessary? According to the Internet Crime Complaint Center (IC3), the FBI’s central hub for reporting cybercrime, ransomware complaints in the U.S. climbed steadily over the years leading up to the law, then shot up 82% between 2019 and 2021.

More recently, the IC3 Annual Report 2025 (released April 2026) found that losses from cyber-enabled crime, i.e., any illegal activity carried out with the assistance of cyber-related means, reached $20.877 billion in 2025, a staggering 26% increase over the previous year.

Ransomware continues to drive the surge. IC3 received 3,611 ransomware complaints in 2025, up from 3,156 in 2024 and 2,825 in 2023.

However, the volume of attacks isn’t the only story; the breadth and velocity of ransomware threats stand out, as well. IC3 identified 63 new ransomware variants in 2025.

More alarming still, critical infrastructure sectors like healthcare and public health, manufacturing, financial services and government facilities were most impacted by these new variants. And the choice wasn’t random. Cybercriminals purposely target critical infrastructure organizations with a low tolerance for operational downtime in the hopes of quick payouts.

This strategic targeting of vital services is exactly why voluntary reporting is no longer considered sufficient, and why CIRCIA makes reporting mandatory.

CIRCIA implementation timeline: When is the deadline?

When will the CIRCIA reporting requirements go into effect?

Some U.S. laws delegate rulemaking to a specialist department or agency of the federal government. In the case of CIRCIA, Congress passed that duty to CISA, tasking the agency with developing and issuing detailed regulations for critical infrastructure entities that carry out the intent of the law.

Since passage, CISA has collaborated with other agencies and with industry to hammer out the details of the requirements. The CIRCIA NPRM (Notice of Proposed Rulemaking), published in April 2024, officially opened a public comment period, which CISA later extended into July 2024.

Fast forward to today. While CISA has been targeting May 2026 for the final rule's release, recent federal appropriations disruptions and a partial government shutdown forced the postponement of crucial stakeholder town halls.

As a result, CISA has indicated that a further delay past the May 2026 target is increasingly likely as the agency works to reschedule these sessions. Nevertheless, core reporting obligations are not expected to change.

Global incident reporting standards vs. CIRCIA

The U.S. isn’t the only country with a large critical infrastructure sector exposed to increasingly sophisticated (and numerous) cyberattacks. Peers in advanced economies have established similar reporting windows for their critical entities; the EU’s NIS2 Directive, for example, requires an early warning within 24 hours of becoming aware of a significant incident and a fuller incident notification within 72 hours. By aligning with these practices, CIRCIA makes U.S. critical infrastructure part of a unified defense against increasingly borderless cyber-enabled crime.

CIRCIA covered entities: Does your organization qualify?

To determine whether an entity will be affected by CIRCIA as a covered entity, CISA outlines two tracks. Both apply only to entities that operate in one of the 16 critical infrastructure sectors; an entity that meets either track is covered:

  • Size-based: An entity in a critical infrastructure sector that exceeds the U.S. Small Business Administration’s small business size standard for its industry.
  • Sector-based: An entity in a critical infrastructure sector that meets one of the sector-specific criteria listed in the NPRM, regardless of its size.

Track 1: Size-based compliance criteria

For the size-based track, CIRCIA reporting requirements will likely only apply to larger entities, leaving most smaller organizations to be captured, if at all, by the sector-based track.

To determine size, CIRCIA uses the U.S. Small Business Administration’s (SBA) small business size standards. These standards are based on either the number of employees or annual revenue, ranging from 100 to 1,500 employees or $2.25M to $47M in revenue, depending on the industry.

The statute also directed CISA to weigh the following factors when drawing the covered-entity definition, which is why the rule reaches beyond size alone:

  • Consequences: The harm that disrupting or compromising the entity could cause to national security, economic security or public health and safety.
  • Risk: The likelihood that the entity may be targeted by a malicious cyber actor, including a ransomware actor.
  • Impact: The extent to which damage to or disruption of the entity would ripple through national or economic security.

Track 2: Sector-specific requirements

As mentioned above, CIRCIA will also apply to entities that meet sector-specific criteria, whatever their size. For its sector-based track, CISA proposes that all entities in 13 of the 16 critical infrastructure sectors that match the detailed sector-specific attributes listed in the NPRM should be required to report covered cyber incidents and ransom payments.

The 13 sectors CISA proposes to evaluate in this manner are:

  • Core infrastructure and utilities: Energy, water and wastewater systems and nuclear reactors, materials and waste.
  • Essential public services: Healthcare and public health, emergency services and government facilities.
  • Manufacturing and industrial: Critical manufacturing, chemical and defense industrial base.
  • Technology and finance: Information technology, communications and financial services.
  • Logistics: Transportation systems.

For the remaining sectors, commercial facilities, dams and food and agriculture, CISA currently proposes to rely on the size-based criteria alone. However, because the agency may add sector-based criteria in the final rule, organizations in these fields should not wait for the May 2026 announcement to begin auditing their reporting capabilities.

CIRCIA 72-hour reporting & data preservation rules

The crux of the law is mandatory reporting for covered entities. While the final rule may introduce minor administrative shifts, the core reporting window and preservation mandates are set:

  • For cyber incidents: Covered entities must report any covered cyber incident to CISA within 72 hours of the time the entity reasonably believes the incident occurred. Supplemental reports are required as substantial new or different information becomes available, until the incident is concluded and fully mitigated. Under the substantially similar reporting exception, an entity that has already reported the incident to another federal agency (such as the SEC or FBI) under a CIRCIA agreement between CISA and that agency does not have to file a separate report with CISA.
  • For ransomware incidents: Covered entities must report to CISA within 24 hours of making a ransom payment. A ransom payment made within the 72-hour window for an associated covered cyber incident can be reported together with that incident.
  • Data preservation: To support federal investigations, covered entities must preserve incident-related data, including logs, forensic artifacts and response documentation, for at least two years after submitting their last report on the incident.

Covered cyber incidents: A deeper dive

But what are covered cyber incidents? These are substantial cyber incidents experienced by a covered entity. To qualify, the incident must result in at least one of the following:

  • Significant loss: A substantial loss of confidentiality, integrity or availability of the entity’s information system or network.
  • Meaningful impact: A serious impact on the safety and resiliency of the entity’s operational systems and processes.
  • Quantifiable disruption: A disruption of the entity’s ability to engage in business or industrial operations or to deliver goods or services.
  • Unpermitted access: Unauthorized access to the entity’s information system or network, or to the data it holds, facilitated through or caused by a compromise of a Cloud Service Provider (CSP), Managed Service Provider (MSP) or other third-party data hosting provider, or by a supply chain compromise.

What is generally not covered as a cyber incident?

To help organizations focus on true threats, CISA has clarified that certain activities do not trigger the 72-hour clock:

  • Authorized activities: Substantial cyber incidents do not include lawfully authorized activities of a U.S. federal or state, local, tribal or territorial (SLTT) government entity, including activities undertaken pursuant to a warrant or other judicial process.
  • Sanctioned testing: An event perpetrated in good faith at the specific request of the system’s owner or operator, such as an authorized penetration test or red team engagement, is not a substantial cyber incident.
  • Extortion threats alone: A threat of disruption made as extortion, without an actual compromise, does not by itself constitute a substantial cyber incident.
  • "Noise" and unsuccessful attempts: To avoid overwhelming the system, minor events such as routine pings, port scans and unsuccessful "door-knocking" attempts that do not result in unauthorized access or disruption are generally not reportable.
  • Substantially similar reporting: Under the final rule, if you have already reported the required information to another federal agency (like the FBI or SEC) under a formal CIRCIA agreement, you may be exempt from filing a separate report with CISA.

Action plan: How to prepare for the May 2026 deadline

With the final rule expected as soon as May 2026, your organization must use this window to solidify its compliance posture. To take your efforts to the next level, we recommend these guidelines:

  • Verify your status: If you work in one of the 16 critical infrastructure sectors listed above, read the NPRM to see if your organization matches the sector-specific attributes. This way, it will be easier to determine your organization’s applicability once the Final Rule is published.
  • Start voluntary reporting: If you work in a critical infrastructure sector, CISA already recommends that you voluntarily report all cyber incidents and ransomware incidents. This makes it possible for the agency to deliver assistance, identify trends and share information with in-network agencies to prevent other entities from being similarly victimized.
  • Audit cyber resilience workflows: Perform a comprehensive review of your organization’s cybersecurity protocol and related workflows. You can only report a covered incident once you’ve detected it. However, preventing incidents from occurring in the first place is the safest bet for compliance.
  • Test your speed: Review your organization’s cybersecurity incident reporting protocol to ensure your detection workflows are optimized to establish a reasonable belief that an incident has occurred as quickly as possible. Reasonable belief is the legal threshold that starts the 72-hour clock, so your teams need to know who makes that determination, how it is documented, and how quickly the draft report can be assembled and submitted to CISA. Conduct a tabletop exercise that specifically tests the 72-hour clock, including the 24-hour ransom payment clock if a payment is on the table.
  • Keep on top of the news: If your organization submitted comments to CISA, review the NPRM to see how comments like yours were considered; CISA references the feedback it received throughout the NPRM. Then watch for the rescheduled stakeholder town halls, which will shape the final rule.
  • Implement a single source of truth: With a 72-hour reporting window and a two-year record-keeping requirement, manually managing logs and email threads is no longer a viable compliance strategy.

Leveraging digital software for automated CIRCIA compliance

Historically, many critical infrastructure organizations have relied on antiquated legacy tools like Excel spreadsheets and Word documents to manage resilience. However, these tools introduce significant risks:

  • Fragmentation: Siloed tools lack the coordination required for rapid reporting.
  • Visibility gaps: Teams cannot assess response progress in real time.
  • Manual burden: High potential for human error and labor redundancies.
  • Compliance failure: These challenges increase the risk of missing a mandatory reporting window.

While CISA finishes rulemaking, organizations can take a step toward compliance by seeking out security management software that helps them establish a reasonable belief of an incident quickly and document the clock from that moment, so the 72-hour and 24-hour windows can be met every time.

  • Automated notifications: Send accurate reports to CISA and other agencies within the 72-hour and 24-hour windows.
  • Preserve critical data: Ensure long-term compliance with the mandatory two-year data preservation requirement by automatically archiving all incident logs, forensic notes, and communication history in a secure, searchable environment.
  • Deploy in seconds: Launch consistent recovery strategies and checklists the moment an incident is detected.

Conclusion: Securing the future of U.S. critical infrastructure

Attacks on critical infrastructure are sharply on the rise. So too are compliance obligations, with legislation like CIRCIA obligating entities in the sector to notify CISA when they have been the victims of substantial cyber incidents or have made ransom payments.

While CISA finishes rulemaking, these organizations can take a step toward compliance by seeking out security management software to help ensure updates are shared with the regulator in a timely manner to meet reporting obligations.

What other digital capabilities can help your organization meet the 72-hour reporting clock and strengthen resilience to comply with CIRCIA? Check out our Buyer’s Guide to Critical Infrastructure Protection Software to discover how to automate your compliance workflows today.
