Regulatory Update

CIRCIA Is Live: What the 72-Hour Reporting Rule Means for Your Organisation

The Cyber Incident Reporting for Critical Infrastructure Act final rule took effect in May 2026, establishing mandatory 72-hour incident reports and 24-hour ransomware payment disclosure for covered entities. Here's what CISOs need to have in place before an incident.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has moved from legislative framework to active obligation. CISA’s final rule, targeting May 2026 implementation, establishes legally binding incident reporting requirements for covered entities across sixteen critical infrastructure sectors — and introduces penalties for non-compliance that make the SEC’s 2023 cyber disclosure rules look lenient by comparison.

For CISOs who haven’t yet built CIRCIA into their incident response programmes, the window to do so before the first material incident is closing.

Who Is Covered

CIRCIA applies to “covered entities” operating in any of the sixteen critical infrastructure sectors designated by Presidential Policy Directive 21: energy, water, transportation, financial services, healthcare, communications, defence industrial base, emergency services, food and agriculture, government facilities, information technology, nuclear, chemical, commercial facilities, dams, and critical manufacturing.

The final rule’s definition of “covered entity” is broader than many organisations assumed. Size thresholds vary by sector — some sectors have no small entity exemption. Any organisation that considers itself part of critical infrastructure supply chains, provides services to covered sectors, or operates systems whose compromise would have downstream impact on critical services should assume coverage and consult counsel if uncertain.

The Core Obligations

72-hour reporting window for covered cyber incidents. A “covered cyber incident” is defined as a substantial cyber incident that leads to: a significant loss of confidentiality, integrity, or availability of an information system; a serious impact on the safety and resiliency of operational systems and processes; a disruption to business or industrial operations; or unauthorised access to a non-public information system.

The 72-hour clock begins when the organisation “reasonably believes” a covered cyber incident has occurred — not when the investigation is complete, not when attribution is confirmed, and not when the full scope is understood. CISA has been explicit: initial reports are expected to be incomplete. The obligation is to report promptly with what is known, and update as the investigation progresses.

24-hour reporting for ransomware payments. Any ransomware payment made by a covered entity must be reported to CISA within 24 hours of payment. This applies regardless of whether the underlying incident met the threshold for a covered cyber incident report. The ransomware payment report and the incident report are separate obligations that may both apply simultaneously.

Supplemental reports. Covered entities must file supplemental reports when substantial new information becomes available, including updated scope, attribution indicators, or ransom payment details. CISA can also request additional information.

What the Initial Report Must Contain

CISA’s final rule specifies the required contents of an initial CIRCIA report. CISOs should ensure their IR team can compile this information rapidly:

  • Company identity and contact information for the reporting individual
  • Date and time the incident was discovered
  • Date range of the incident (if known)
  • Location of the attack — systems, networks, facilities affected
  • Description of the incident type (ransomware, data exfiltration, destructive attack, etc.)
  • Sectors affected and estimated impact
  • Indicators of compromise (IP addresses, malware hashes, domain names) if known
  • Whether any federal systems or contracts are involved
  • Whether ransom was demanded, and if paid, the amount and payment method

The report is submitted through CISA’s secure reporting portal. CISA has committed to treating CIRCIA reports as protected information — they are not subject to FOIA requests, cannot be used as evidence in litigation against the reporting entity, and cannot be shared with other federal agencies without CISA’s authorisation. This protection was a significant legislative concession designed to encourage honest, early reporting rather than delayed, defensive reporting shaped by liability concerns.

Interaction with Existing Reporting Obligations

CIRCIA does not eliminate existing reporting obligations — it adds to them. CISOs operating in regulated sectors face a complex matrix of overlapping requirements:

SEC material incident disclosure (for public companies): 4 business days after determining materiality. The SEC and CIRCIA clocks run independently. An incident that triggers CIRCIA’s 72-hour window may or may not also trigger SEC materiality — but if it does, the SEC clock may expire before or after the CIRCIA deadline depending on timing.

HIPAA breach notification: 60 days for breaches affecting 500+ individuals. Healthcare entities covered by both HIPAA and CIRCIA must manage both timelines.

GDPR/UK GDPR: 72 hours for personal data breaches, reported to the supervisory authority. For organisations with both US critical infrastructure operations and EU/UK data processing, the CIRCIA and GDPR 72-hour windows run concurrently but report to different authorities.

State breach notification laws: Timelines vary from immediate (Florida) to 90 days (some states), and notifications go to affected individuals, state AGs, and regulators separately from federal obligations.

The practical implication: organisations covered by multiple frameworks need a single incident classification workflow that determines, at incident discovery, which regulatory clocks are running and to whom reports go.
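As an added example (not code from the article or from CISA), here is a minimal Python classification step that turns the facts known at triage into the list of running regulatory clocks, earliest deadline first, using the timelines the article lists. The data-class fields, the sample incident dates and the business-day helper are assumptions; federal holidays and state breach laws are left out.

```python
# Added example, not the article's code: derive which regulatory clocks are running at triage.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class IncidentFacts:                                  # field names are assumptions for this example
    discovered_at: datetime                           # HIPAA 60-day clock runs from discovery
    covered_entity: bool                              # operates in one of the 16 PPD-21 sectors
    reasonable_belief_at: datetime | None = None      # CIRCIA 72h clock starts at "reasonable belief"
    ransom_paid_at: datetime | None = None            # CIRCIA 24h clock, independent of the above
    sec_materiality_at: datetime | None = None        # SEC: 4 business days after the materiality call
    hipaa_500_plus: bool = False                      # HIPAA breach affecting 500+ individuals
    gdpr_aware_at: datetime | None = None             # GDPR/UK GDPR: 72h from awareness

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance over Mon-Fri only; US federal holidays are ignored (simplifying assumption)."""
    current, counted = start, 0
    while counted < days:
        current += timedelta(days=1)
        if current.weekday() < 5:
            counted += 1
    return current

def regulatory_clocks(f: IncidentFacts) -> list[tuple[str, datetime]]:
    """Return (recipient, deadline) pairs, earliest deadline first."""
    clocks = []
    if f.covered_entity and f.reasonable_belief_at:
        clocks.append(("CISA: CIRCIA covered cyber incident report",
                       f.reasonable_belief_at + timedelta(hours=72)))
    if f.covered_entity and f.ransom_paid_at:         # due even if no covered-incident threshold was met
        clocks.append(("CISA: CIRCIA ransomware payment report",
                       f.ransom_paid_at + timedelta(hours=24)))
    if f.sec_materiality_at:
        clocks.append(("SEC: material incident disclosure",
                       add_business_days(f.sec_materiality_at, 4)))
    if f.hipaa_500_plus:
        clocks.append(("HHS and affected individuals: HIPAA breach notification",
                       f.discovered_at + timedelta(days=60)))
    if f.gdpr_aware_at:
        clocks.append(("Supervisory authority: GDPR/UK GDPR breach notification",
                       f.gdpr_aware_at + timedelta(hours=72)))
    return sorted(clocks, key=lambda c: c[1])        # stable sort: ties keep insertion order

def june(day: int, hour: int) -> datetime:            # constructed sample dates (June 2026, UTC)
    return datetime(2026, 6, day, hour, tzinfo=timezone.utc)
# Constructed sample: discovered Monday 1 June, ransom paid Wednesday morning, SEC call Friday.
SAMPLE = IncidentFacts(discovered_at=june(1, 10), covered_entity=True, hipaa_500_plus=True,
                       reasonable_belief_at=june(1, 14), gdpr_aware_at=june(1, 14),
                       ransom_paid_at=june(3, 9), sec_materiality_at=june(5, 16))
```

Run against SAMPLE, the 24-hour ransomware payment report comes due before the 72-hour incident report, which is the ordering surprise the article warns about.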

What You Need in Place Before the Next Incident

A formal incident classification procedure. The 72-hour clock begins at “reasonable belief” of a covered incident. Your IR team needs a documented decision framework — applied within hours of initial detection — that assesses whether an incident meets CIRCIA’s coverage thresholds. This should not be a legal decision made after the fact; it needs to be an operational decision made by IR leadership during initial triage.

Pre-registered CISA reporting portal access. CIRCIA reports are submitted through cisa.gov’s secure reporting system. Registering your organisation and establishing authorised contacts before an incident is far preferable to doing it during one. Designate at least two individuals with portal access and document the credentials in your IR runbooks.

Legal and communications alignment. The CIRCIA report’s protected status does not automatically protect all communications about an incident. Attorney-client privilege and work product protections still apply to internal communications; the CIRCIA submission itself is specifically protected. Your legal team should brief the CISO and IR leads on what can be communicated where, and to whom, during an active incident.

Ransomware payment policy. If your organisation would consider making a ransomware payment, document that decision process and the 24-hour CIRCIA reporting obligation explicitly. Payment authorisation workflows should include the CISA notification step as a mandatory, non-delegatable action within the payment process — not an afterthought.

Tabletop exercises including regulatory notification. Most IR tabletops focus on technical containment and recovery. Extend your scenario-based exercises to include the regulatory notification workflow: who makes the classification call, who drafts the CISA report, how the legal review is expedited under a 72-hour constraint, and how concurrent obligations (SEC, HIPAA, GDPR) are managed simultaneously.

CIRCIA represents the most significant expansion of federal cyber incident reporting obligations since the SEC’s 2023 rules. Unlike the SEC framework, which applies broadly to public company materiality, CIRCIA targets the systems that underpin essential services — and the penalty and enforcement framework reflects that priority. The time to establish CIRCIA readiness is now, not during the next incident.