
The CIRCIA 72-hour reporting rule represents the most significant federal cyber incident reporting mandate introduced in the United States in years. While the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March 2022, the practical obligations for businesses will not take effect until the final rule is published—currently expected in May 2026. That timeline may appear distant, but federal regulators are already moving. Throughout early 2026, the Cybersecurity and Infrastructure Security Agency (CISA) has been hosting sector-specific town halls to refine the rule before publication.

For organizations operating in regulated sectors—financial services, healthcare, legal services, insurance, and real estate among them—the message from Washington is clear: the expectation for rapid cyber incident disclosure is becoming standardized at the federal level. This article provides a compliance-focused breakdown of what the rule requires, who it affects, and why many organizations may be less prepared than they assume.

What CIRCIA Actually Requires

At its core, CIRCIA introduces two mandatory reporting timelines for organizations classified as “covered entities.” The first is a requirement to report a covered cyber incident to CISA not later than 72 hours after the entity reasonably believes that the incident has occurred. The second requires a covered entity that makes a ransom payment in connection with a ransomware attack to report that payment to CISA not later than 24 hours after the payment has been made.

The legislation emerged in response to a wave of high-profile attacks on U.S. infrastructure, most notably the Colonial Pipeline ransomware incident in 2021. Policymakers concluded that the federal government lacked timely visibility into major cyber events affecting critical infrastructure. CIRCIA was designed to close that gap.

The statutory framework was signed into law in March 2022, but the operational reporting obligations only activate once CISA finalizes the implementing rule. That rule is currently scheduled for publication in May 2026 following the ongoing consultation process with industry.

Organizations seeking a detailed overview of the program can review the official federal guidance on CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) overview page. The scope of the rule is significant: in the proposed rule, CISA estimated that more than 300,000 entities may ultimately fall within its reporting requirements.

Who Is a Covered Entity

One of the most common misconceptions surrounding CIRCIA is that it primarily targets large energy companies or defense contractors. In reality, the law draws its scope from the 16 critical infrastructure sectors defined under Presidential Policy Directive 21. Those sectors extend well beyond traditional industrial targets.

They include financial services, healthcare and public health, information technology, communications, commercial facilities, transportation systems, and several other sectors deeply integrated into everyday economic activity. In practice, this means that many law firms, financial institutions, insurance providers, real estate organizations, and technology service providers may ultimately be classified as covered entities.

In the proposed rule, CISA defined a covered entity as an organization in one of the 16 critical infrastructure sectors that either exceeds the Small Business Administration size standard for its industry or meets one of a set of sector-specific criteria, which can pull in smaller entities regardless of headcount or revenue. The agency retains authority to refine this scope in the final rule. That flexibility is intentional. Policymakers want to ensure that entities whose disruption could have cascading economic consequences are not excluded simply because of their size or corporate structure.

The result is a regulatory perimeter that is broader than many executives realize. Organizations that do not traditionally view themselves as “critical infrastructure” may nonetheless be operating within the ecosystem that supports it.

What Qualifies as a “Covered Cyber Incident”

The law does not require reporting of every security event. Instead, CIRCIA focuses on incidents that reach a threshold of operational or security significance.

Under the proposed rule, a covered cyber incident is one that leads to a substantial loss of confidentiality, integrity, or availability of an information system or network; a serious impact on the safety and resiliency of operational systems and processes; a disruption of the organization’s ability to conduct business or deliver goods and services; or unauthorized access facilitated through a compromised cloud, managed service, or other third-party provider, or a supply chain compromise. This distinction is important. Routine malware alerts, blocked phishing attempts, or contained security events typically would not qualify.

However, incidents that disrupt services, impact critical systems, or expose sensitive information could meet the reporting threshold. The exact parameters are still being refined through the ongoing town hall consultation process. Industry feedback is expected to influence how narrowly or broadly the final rule defines “substantial” impact.

How CIRCIA Intersects With Existing Reporting Obligations

For compliance leaders, one of the most complex aspects of CIRCIA is not the rule itself but how it interacts with existing regulatory frameworks. A single cyber incident can trigger multiple reporting obligations simultaneously.

Publicly traded companies must disclose a cyber incident they have determined to be material on Form 8-K within four business days of that materiality determination under the Securities and Exchange Commission’s cyber disclosure rule. Healthcare organizations must comply with HIPAA breach notification timelines, which require notice without unreasonable delay and no later than 60 calendar days after discovery. Defense contractors must rapidly report cyber incidents to the Department of Defense within 72 hours of discovery under DFARS 252.204-7012. State-level breach notification laws introduce additional timelines and jurisdictional considerations.

CIRCIA adds another layer to this already complex matrix. In theory, the rule was designed to harmonize federal reporting and create a centralized intake point for incident data. In practice, organizations will still need to manage overlapping timelines, reporting formats, and audiences.

This dynamic has already begun reshaping how companies approach cyber governance. For example, discussions around ransomware reporting obligations have expanded significantly in recent years, as explored in the related analysis on ransomware reporting and liability. CIRCIA builds on that trajectory by formalizing federal visibility into incident reporting.

The Operational Challenge: Can You Actually Meet a 72-Hour Window?

Legal mandates are only meaningful if organizations can operationalize them. And this is where the gap between policy and reality becomes most apparent.

To meet a 72-hour reporting deadline, a company must first detect the incident. It must then validate that the event meets the threshold of a covered cyber incident, collect the information required for the report, route the disclosure through legal and executive leadership, and submit the report to CISA.

Each of those steps introduces potential delays.

Legacy infrastructure often slows detection and forensic analysis, particularly in organizations where systems lack centralized logging or modern monitoring capabilities. These limitations are explored in greater detail in the discussion on legacy systems as a compliance liability, where outdated technology environments can significantly delay incident visibility.

Even when incidents are identified quickly, organizations often struggle with coordination. Legal teams need time to assess disclosure obligations. Compliance leaders must verify regulatory triggers. Executive leadership may require briefing before submitting reports to federal agencies.

All of that must occur within three days.

The 24-hour window for ransomware payment reporting is even more compressed. If an organization negotiates with threat actors and ultimately makes a payment, the clock starts when the payment is made, not when leadership authorizes it, and it runs regardless of whether the 72-hour incident report has been filed yet.

Enforcement, Penalties, and Subpoena Authority

CIRCIA does not rely solely on voluntary compliance. The law grants CISA enforcement mechanisms designed to compel reporting when organizations fail to meet their obligations.

If CISA has reason to believe a covered entity has experienced a covered cyber incident or made a ransom payment but has not submitted the required report, the CISA Director may first issue a request for information. If the entity does not respond, the Director may issue a subpoena to compel the information. Failure to comply with that subpoena can be referred to the Department of Justice, which may bring a civil action to enforce it.

Beyond legal enforcement, non-compliance carries significant secondary consequences. Cyber insurance carriers may dispute claims if reporting obligations are not met. Regulators may question whether corporate leadership exercised adequate oversight of cyber risk. In severe cases, directors may face scrutiny regarding their governance responsibilities.

Cybersecurity oversight is increasingly treated as a board-level responsibility. As discussed in the broader context of AI governance and compliance, regulators are expanding expectations around executive accountability for emerging technology risks. Cyber reporting obligations are part of that larger governance shift.

How to Prepare Before the Final Rule Drops

While the final rule has not yet been published, organizations have a clear opportunity to prepare in advance.

The first step is determining whether the organization qualifies as a covered entity under the 16 critical infrastructure sectors and applicable size thresholds. Many companies assume they fall outside the rule’s scope when they are in fact deeply embedded in critical infrastructure supply chains.

The second step is evaluating whether current incident detection capabilities support a 72-hour reporting timeline. This requires visibility into log aggregation, incident response workflows, and escalation procedures across IT, legal, and compliance functions.

Third, organizations should establish a cross-functional reporting team. Effective incident reporting requires coordination between security operations, legal counsel, executive leadership, and compliance professionals.

Fourth, reporting obligations should be mapped into a unified regulatory matrix. CIRCIA, SEC disclosure rules, HIPAA breach notification, and state breach laws must be considered together rather than in isolation.

Finally, organizations should conduct tabletop exercises that simulate the 72-hour reporting constraint. These exercises reveal process bottlenecks that may not appear during routine security operations.
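The second, fourth and fifth steps above come together in one artifact: a per-incident deadline matrix that a tabletop exercise can run against the clock. The following Python is an added example written for this article; it is not CISA tooling or the author’s own code. It encodes only the clocks the article names (the CIRCIA 72-hour and 24-hour clocks, the SEC four-business-day Form 8-K clock, and the HIPAA 60-day clock), treats the SEC deadline as the end of the fourth business day, uses a constructed holiday calendar of one day (an assumption; load the real federal calendar in practice), and runs on constructed sample timestamps. Building the matrix for each scenario is what surfaces the bottlenecks the tabletop is meant to find: in the sample, the ransom clock expires before the incident clock even though the payment was made later, and both CIRCIA deadlines land on a weekend.

```python
"""Reporting-deadline matrix for one incident across overlapping regimes.

Added example, not CISA guidance or tooling. Clocks encoded:
  * CIRCIA covered cyber incident report: 72 hours after the entity
    reasonably believes the incident occurred.
  * CIRCIA ransom payment report: 24 hours after the payment is made.
  * SEC Form 8-K Item 1.05: four business days after the materiality
    determination (treated here as end of that business day).
  * HIPAA Breach Notification Rule: 60 calendar days after discovery.
Holiday calendar and all sample timestamps are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import List, Optional

# Constructed holiday set (assumption): Memorial Day 2026 only.
ASSUMED_HOLIDAYS = {date(2026, 5, 25)}


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (all clocks are tracked in UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class IncidentTimeline:
    """Timestamps that start each clock; None means that regime does not apply."""
    reasonable_belief_at: datetime
    ransom_paid_at: Optional[datetime] = None
    materiality_determined_at: Optional[datetime] = None
    phi_breach_discovered_at: Optional[datetime] = None


@dataclass
class Deadline:
    regime: str
    due: datetime
    basis: str

    def hours_remaining(self, now: datetime) -> float:
        """Negative once the deadline has passed."""
        return (self.due - now).total_seconds() / 3600


def end_of_business_day(start: datetime, days: int, holidays=ASSUMED_HOLIDAYS) -> datetime:
    """23:59 on the `days`-th business day after `start` (Mon-Fri, no holidays).

    Day 0 is the start day itself, so a Monday determination with days=4
    yields Friday of the same week."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in holidays:
            remaining -= 1
    return current.replace(hour=23, minute=59, second=0, microsecond=0)


def deadline_matrix(t: IncidentTimeline) -> List[Deadline]:
    """Every applicable deadline for this incident, soonest first."""
    out = [Deadline("CIRCIA covered cyber incident report",
                    t.reasonable_belief_at + timedelta(hours=72),
                    "72h after reasonable belief the incident occurred")]
    if t.ransom_paid_at is not None:
        out.append(Deadline("CIRCIA ransom payment report",
                            t.ransom_paid_at + timedelta(hours=24),
                            "24h after the payment is made"))
    if t.materiality_determined_at is not None:
        out.append(Deadline("SEC Form 8-K Item 1.05",
                            end_of_business_day(t.materiality_determined_at, 4),
                            "4 business days after materiality determination"))
    if t.phi_breach_discovered_at is not None:
        out.append(Deadline("HIPAA breach notification",
                            t.phi_breach_discovered_at + timedelta(days=60),
                            "60 calendar days after discovery"))
    return sorted(out, key=lambda d: d.due)


def next_due(t: IncidentTimeline, now: datetime) -> Optional[Deadline]:
    """Soonest deadline that has not yet passed, or None if all have lapsed."""
    pending = [d for d in deadline_matrix(t) if d.due > now]
    return pending[0] if pending else None


def overdue(t: IncidentTimeline, now: datetime) -> List[str]:
    """Regimes whose deadline has already passed at `now`."""
    return [d.regime for d in deadline_matrix(t) if d.due <= now]


def sample_incident() -> IncidentTimeline:
    """Constructed tabletop scenario: belief formed Thu 09:00 UTC, ransom paid
    Fri 18:00, materiality determined Fri 16:00, PHI exposure found Thu 09:00."""
    return IncidentTimeline(
        reasonable_belief_at=utc(2026, 5, 21, 9),
        ransom_paid_at=utc(2026, 5, 22, 18),
        materiality_determined_at=utc(2026, 5, 22, 16),
        phi_breach_discovered_at=utc(2026, 5, 21, 9),
    )


if __name__ == "__main__":
    now = utc(2026, 5, 22, 20)
    for d in deadline_matrix(sample_incident()):
        print(f"{d.due:%a %Y-%m-%d %H:%M} UTC  {d.hours_remaining(now):7.1f}h left  "
              f"{d.regime}  ({d.basis})")
```

Run as a script it prints the matrix for the sample scenario at Friday 20:00 UTC; the tabletop facilitator advances `now` through the weekend and asks who is on call to sign off each report as it falls due.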

Conclusion

The CIRCIA 72-hour reporting rule signals a fundamental shift in how the United States government expects organizations to handle cyber incidents. What was once largely voluntary information sharing is evolving into a structured federal reporting regime.

For regulated industries, the implications extend beyond cybersecurity. Incident reporting now intersects with legal liability, regulatory oversight, insurance coverage, and board-level governance.

The organizations that adapt successfully will be those that treat CIRCIA not as a compliance exercise but as an operational readiness challenge. By the time the final rule takes effect in 2026, the expectation from regulators will be clear: if a major cyber incident occurs, the clock will already be ticking.
